The Computer Fraud and Abuse Act (“CFAA”) is a cyber-security law that outlaws conduct that victimizes computer systems. The purpose of the CFAA is to protect computers from trespass, threats, damage, espionage, and from being corruptly used as instruments of fraud. The act applies to all computers in which the federal government has an interest, which includes all computers used in interstate commerce. In effect, almost every computer will be subject to the CFAA because almost all computing devices are used extensively to transmit, receive, and exchange data for personal or business use across state and country lines.
The CFAA provides for criminal penalties for anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” or causes damage to the computer. Although the CFAA is a criminal statute, it also provides a civil remedy. Under the civil enforcement provision of the CFAA, any person who suffers damage because of a violation of the CFAA can sue the violator for damages, injunctive relief, or both.
Courts uniformly find an excess or lack of authorization to use a computer, even if some access was granted, whenever the use and access were contrary to the interests of the authorizing party. For example, in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009), the court ruled that “A person uses a computer without authorization…when the person has not received permission to use the computer for any purpose…or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” Similarly, in Patrick Patterson Custom Homes, Inc. v. Bach, 586 F. Supp. 2d 1026, 1035 (N.D. Ill. 2008), the court held that the employee’s access to the employer’s computer in a manner that exceeded her authority and her installation of data shredding software that caused permanent deletion of files on the computer were sufficient to state a cause of action under the CFAA.
Any impairment to the integrity or availability of data, a program, a system, or information constitutes damage under the CFAA. Additionally, loss under the CFAA includes “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Any damage or loss must meet the $5,000.00 minimum threshold specified in the statute.
With regard to damage or impairment of a computer system, physical damage to a computer is not necessary to allege damage or loss. Any loss incurred from “securing or remedying” a computer system after an alleged CFAA violation constitutes loss, as does harm to the integrity of a victim’s data system. Courts have found that losses include the costs of seeking to identify evidence of the breach, assess any damage it may have caused, and determine whether any remedial measures were needed to rescue the network.
The penalties for CFAA violations can include federal imprisonment, forfeiture, or restitution, as well as civil liability.
Contact Oberheiden & McMurrey, LLP for a free case evaluation.