As the Cybersecurity Information Sharing Act (CISA) is making its way through the Senate, it has stirred up more controversy with Senator Sheldon Whitehouse’s proposed amendment to the Computer Fraud and Abuse Act (CFAA), that he argues, would give law enforcement more tools to fight hackers. The Amendment would provide for increased sentences (up to 20 years) of those who harm computers connected to “critical infrastructure.”
In Land and Bay Gauging L.L.C. v. Shor, –Fed.Appx — (5th Cir. Aug. 21, 2015), the Fifth Circuit recently held that accessing a computer under the authority of a court order that authorizes the access is sufficient to render the access as being authorized, even if the order is later overturned. An essential element under a Computer Fraud and Abuse Act (CFAA) claim is that the defendant accessed the computer “without authorization” or “exceeds authorized access.” When there is such an access that is authorized by a court order–at the time of the access–the later overturning of that order will not then render the access as having been unauthorized and there will be no violation of the CFAA.
Additionally, the Rooker-Feldman Doctrine does not bar a Federal court from ruling on CFAA claims that stem from parties’ actions taken pursuant to a state court order where such claims do not attack the validity of the order itself, but instead, focus on the parties alleged violations of independent legal duties under the CFAA.
To have a valid CFAA claim, there must be an access to a computer.
The Computer Fraud and Abuse Act is often referred to as an “access crime” because the act that is prohibited is accessing a computer. Misusing information that someone else obtained from a computer is not accessing a computer. Doing so may be wrong for other reasons, but it is not a CFAA violation because it does not entail accessing a computer.
The court in New Show Studios LLC v. Needle, 2014 WL 2988271 (C.D. Cal. June 30, 2014) addressed this issue where a former employee continued to use his former employer’s information after his employment terminated by having people who still worked for the company access information and supply it to him. The court dismissed the CFAA claim because the plaintiff did not plead any access to a computer:
To prevail on a CFAA claim, plaintiffs must establish, among other things, that defendants “intentionally accessed a computer.” LVRC Holdings LLC, 581 F.3d at 1132. But the FAC is devoid of any allegation that the defendants accessed any computer. Instead, the FAC only alleges that Needle “gained access to confidential and sensitive information.” FAC ¶ 37. Accessing plaintiffs’ information, however, is not the same thing as accessing plaintiffs’ computer systems, even if that information was at some point stored on those computers. The Ninth Circuit has specifically cautioned against reading the CFAA as an “expansive misappropriation statute.” Nosal, 676 F.3d at 857; see also id. at 863 (explaining that the “general purpose” of the CFAA “is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets”). If plaintiffs wish to assert a claim under the CFAA, they must plainly allege that defendants’ accessed their computer systems, and explain the basis for those allegations.
A person’s use of his single individual use password to access a news site to access content that he then shared with over 100 other people did not cause any impairment to the integrity or availability of data or loss due to interruption of service as required to bring a civil claim under the Computer Fraud and Abuse Act.
Capitol Audio Access, Inc. v. Umemoto, 980 F. Supp.2d 1154 (E.D. Cal. 2013).
The U.S. Eastern District of Louisiana recently sided with employers in the on-going judicial debate over interpreting the Computer Fraud and Abuse Act “CFAA”. See Associated Pump & Supply Co., LLC v. Dupre, et al., No. 14-0009 E.D. La.. Associated Pump sued its former employee Kevin Dupre for violating CFAA during his alleged scheme to steal Associated Pump’s trade secrets. The complaint sets forth a now familiar scenario: shortly before resigning, Dupre used his work computer to violate a confidentiality agreement and known company policies by improperly accessing and obtaining Associated Pump’s confidential information to use while employed by Associated Pump’s competitor. These allegations, the Court held, state a viable CFAA claim.
On April 24, 2013, a jury convicted Defendant David Nosal of three counts of computer fraud in violation of the Computer Fraud and Abuse Act “CFAA”, 18 U.S.C. § 1030a4, two counts of unauthorized downloading, copying, and duplicating of trade secrets without authorization, in violation of the Economic Espionage Act “EEA”, 18 U.S.C. § 1832a2, and one count of conspiring to violate the EEA. During sentencing, the Court ordered Defendant to pay restitution to his victim and indicated that the amount of restitution would be determined at a subsequent hearing. Having considered the parties arguments, the Court orders that Defendant pay $827,983.25 in restitution to Korn/Ferry.
In Morgan v. Preston, 2013 WL 5963563 (M.D. Tenn. Nov. 7 2013), the U.S. District Court for the Middle District of Tennessee dismissed a Computer Fraud and Abuse Act claim brought by one ex-spouse against the other.
The basis for the CFAA claim was, following their separation and filing for divorce, the one spouse had installed Spector Pro monitoring software that was designed to capture all user activity on the computer without a user knowing, including all passwords typed, all emails sent and received, as well as all other activity which information it then automatically uploaded to a designated website or email address.
The reason the court dismissed the CFAA claim was because the plaintiff failed to meet the jurisdictional threshold for a civil claim by establishing a $5,000 loss.