Don’t Mess With Your Employer’s Computer

Employees beware: Employers can really make a federal case out of  computer tampering. The Computer Fraud and Abuse Act (CFAA) makes it a federal crime to knowingly access a protected computer without authorization and with intent to defraud. As Texas Lawyer states, every lawyer “should have a basic understanding of the federal [CFAA] and how to allege a loss under CFAA in a business case.”

The CFAA (18 USC §1030) is regularly invoked in cases involving unauthorized use of computers or data. It is commonly used in trade secret litigation, forming the basis for a claim for relief against those who access a business’s computer to damage the business, such as actions against current or former employees.

Although the CFAA was enacted in 1984 to address computer crimes, it has, not surprisingly, been amended to keep pace with advances in technology. The CFAA has been applied to address Internet-related conduct, such as spam (unsolicited commercial e-mail), automated tracking of website usage, and certain uses of e-mail by employees.

The CFAA is an anti-hacking statute; as the Ninth Circuit has recently held, this means it that prosecutors can’t use it to go after an employee who violates his or her employer’s computer policy or a website’s terms of service. See U.S. v Nosal (9th Cir, Apr. 10, 2012, 10-10038).

The CFAA defines a series of computer-related crimes, including intentionally accessing a computer without authorization (or exceeding authorized access) and thereby obtaining confidential information or anything of value, perpetrating a fraud, or causing other damage. See 18 USC §1030(a).

Under the CFAA, insiders who are authorized to access a computer face criminal liability only if they intend to cause damage to the computer, not for recklessly or negligently causing damage. In contrast, outside hackers who break into a computer can be punished for any intentional, reckless, or other damage they cause.

In addition to criminal penalties, the statute creates a private right of action for compensatory damages or injunctive relief for any person who suffers damages or loss from a violation of the Act. See 18 USC §1030(g). The statute defines damages as “any impairment to the integrity or availability of data, a program, a system, or information” that causes a loss aggregating up to $5000 within a 1-year period to one or more persons, impairment of medical care, physical injury, or that threatens public health or safety. 18 USC §1030(c)(4)(A), (e)(8).

A “loss” may include costs sustained for the discovery of the violator’s identity and the specific information that was accessed, if that information was protected. But “loss” doesn’t include revenue from license fees plaintiffs might have recouped but for the unauthorized access.

Employers have a strong weapon against angry employees who decide to mess with their employer’s computer in retaliation.

For complete coverage of the CFAA, turn to CEB’s Internet Law and Practice in California, Trade Secrets Practice in California, and Privacy Compliance and Litigation in California.

© The Regents of the University of California, 2012. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.

5 thoughts on “Don’t Mess With Your Employer’s Computer

  1. Good coverage of the law, however the way I read what you’re saying, damages or intent to cause damage has to be proven?

    I’m assuming that the same law couldn’t be used to enforce a company’s internal web policy, for example regularly using a proxy service to go around a firewall blocking facebook, twitter, etc.?

  2. When it comes to an insider (employee), then the CFAA requires proof of intent to cause damage. As far as using this law to enforce a company’s internal policy, it appears that the recent Ninth Circuit decision in Nosal clarified that the CFAA would not be applicable.

  3. The article states the requirement of “intent to defraud” in the first paragraph 1 and “intend to cause damage” in paragraph 6. These statements are inconsistent. Which statement is accurate?

  4. And remember all your computer data can be recovered by computer repair shops. Something else to think about — your search history is also retrievable. Lesson? Don’t do anything on your computer you want an employer or someone else to figure out.

Add your comment to the blog post

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s