©2011 Braydon Fuller
Believe it or not, there really can be a case of “computer fraud” that is NOT covered by the Computer Fraud and Abuse Act (CFAA).
Let me explain.
The CFAA is an “access” crime that requires there to be an unlawful “access” to a computer by either accessing a computer “without authorization” or “exceed[ing] authorized access.” An access in this context is limited to accessing the computer in its informational capacity such as logging in or viewing information stored on the computer, not a physical access opening up the box with a screwdriver and removing its processor or hard drive. (see p. 172) Now, if the hard drive is physically removed but the information stored on the hard drive is later examined, the latter could very well be a CFAA violation but the former is not.
There is a good example of this from the recent news. A federal court jury in Houston recently convicted a man of conspiracy to defraud Hewlett-Packard of roughly $14 million. The way he did it was by fraudulently using an HP equipment discount reserved for large-volume purchasers to purchase computers for others and divert them for resale.
This was a literal case of “computer fraud” and he deserved everything he got — but it was not a violation of the CFAA because there was no unlawful informational access to a computer even though the computers themselves were fraudulently obtained and resold.
Now think about this scenario:
- The case was brought in Houston, Texas, which is in the Fifth Circuit — so let’s assume Fifth Circuit CFAA jurisprudence applies.
- What if he was an employee or contractor of HP, using his HP login credentials and access to the HP computer system?
- What if HP had a policy (that he had signed) that expressly limited his authorization to use HP’s computer system and information therein for activities that were in the furtherance of HP’s legitimate business interests and prohibited him from using it for activities that were detrimental to its business interests?
- What if he used his access to HP’s computer system to orchestrate this fraud?
- What if he used his access to HP’s computer system to obtain the information he used in order to orchestrate this fraud?
- What if HP spent more than $5,000 to investigate or remediate his activities?
What do you think now? Would HP have a CFAA civil case against him?
If you want a hint, read this post: Employment Agreement Restrictions Determined Whether Employees Exceeded Authorized Access Under Computer Fraud and Abuse Act
Read more about the underlying case involving HP: Man Convicted In HP Computer Fraud Sales Scheme « CBS Houston.
About the author
Shawn Tuma is a lawyer who is experienced in advising clients on digital business risk which includes complex digital information law and intellectual property issues. This includes things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.