Employees beware: Employers can really make a federal case out of computer tampering. The Computer Fraud and Abuse Act (CFAA) makes it a federal crime to knowingly access a protected computer without authorization and with intent to defraud. As Texas Lawyer states, every lawyer “should have a basic understanding of the federal [CFAA] and how to allege a loss under CFAA in a business case.”
The CFAA (18 USC §1030) is regularly invoked in cases involving unauthorized use of computers or data. It is commonly used in trade secret litigation, forming the basis for a claim for relief against those who access a business’s computer to damage the business, such as actions against current or former employees.
Although the CFAA was enacted in 1984 to address computer crimes, it has, not surprisingly, been amended to keep pace with advances in technology. The CFAA has been applied to address Internet-related conduct, such as spam (unsolicited commercial e-mail), automated tracking of website usage, and certain uses of e-mail by employees.
The CFAA is an anti-hacking statute; as the Ninth Circuit has recently held, this means it that prosecutors can’t use it to go after an employee who violates his or her employer’s computer policy or a website’s terms of service. See U.S. v Nosal (9th Cir, Apr. 10, 2012, 10-10038).
The CFAA defines a series of computer-related crimes, including intentionally accessing a computer without authorization (or exceeding authorized access) and thereby obtaining confidential information or anything of value, perpetrating a fraud, or causing other damage. See 18 USC §1030(a).
Under the CFAA, insiders who are authorized to access a computer face criminal liability only if they intend to cause damage to the computer, not for recklessly or negligently causing damage. In contrast, outside hackers who break into a computer can be punished for any intentional, reckless, or other damage they cause.
In addition to criminal penalties, the statute creates a private right of action for compensatory damages or injunctive relief for any person who suffers damages or loss from a violation of the Act. See 18 USC §1030(g). The statute defines damages as “any impairment to the integrity or availability of data, a program, a system, or information” that causes a loss aggregating up to $5000 within a 1-year period to one or more persons, impairment of medical care, physical injury, or that threatens public health or safety. 18 USC §1030(c)(4)(A), (e)(8).
A “loss” may include costs sustained for the discovery of the violator’s identity and the specific information that was accessed, if that information was protected. But “loss” doesn’t include revenue from license fees plaintiffs might have recouped but for the unauthorized access.
Employers have a strong weapon against angry employees who decide to mess with their employer’s computer in retaliation.
© The Regents of the University of California, 2012. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.