Computer Fraud and Abuse Act Update

The federal Computer Fraud and Abuse Act (CFAA) is most closely associated with criminal prosecutions brought by the Department of Justice. But the CFAA also provides for a civil cause of action for anyone who suffers damage or loss because of a violation of the statute. In light of the expansive reading that some courts have given to the law, victimized companies should give consideration to taking the civil route. A civil lawsuit gives the wronged party more control and may provide a quicker fix. By means of such a lawsuit, the victim can retrieve stolen data, enjoin illegal access to data, and even get compensatory damages for the theft and destruction of data.

The CFAA applies to all companies and all computers that are connected to the Internet. Potentially, there are multiple, distinct types of violation of the statute that could support a civil action. On a recurring issue in such cases- whether the defendant had authorization for his actions; the courts look at several factors:

-whether the defendant was an agent of the plaintiff’s, with particular powers;

-whether an employment contract, such as may have been embodied in company rules and policies, was breached; and

-whether the defendant’s use of the computer exceeded normal use that was expected by the plaintiff.

In recent court decisions, a real estate business was allowed to proceed with a civil action against a former employee for violations of the CFAA. In violation of his employment contract, the employee decided to quit and start a competing business. Before he returned the company’s laptop, he deleted all of the data in it, including data that would have revealed his misconduct. Knowing that “deleted” filed can be retrieved, he erased the incriminating data by loading into the laptop a secure erasure program.

All of this, if proven in court, violated the CFAA as “transmission” of a program that damaged the computer (defined to include files in the computer), and as intentionally accessing the computer without authorization. Although the employee had not yet left his job when he installed the program, by law any authorization he might have had evaporated as soon as he violated the duty of loyalty to his employer.

In another case brought under the CFAA, a tour company secured an injunction against a competing company run by one of its former employees. The ex employee improperly used confidential information from his former employer to enable his new company to glean pricing data from his former employer’s website, so that his new enterprise could effectively undercut those prices.

Although the website was open to anyone, the unauthorized use of the confidential information, combined with the use of a “scraper” software program, violated the CFAA. On top of the injunction, the plaintiff could recover, as compensable “loss” under the CFAA, the thousands of dollars it had paid in computer consultant fees for the diagnostic work after the defendant’s conduct was discovered.

Copyright (c) 2011 Scott Carlyon