The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, is predominately a criminal law that also permits those who have suffered a “damage” or “loss” to bring civil claims for its violations. The CFAA has a list of prohibitions but the most common one that individuals and business use for civil claims is contained in subsection (a)(4) of the CFAA, what I call the “fraud” provision, which is violated by:
Whoever … knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; (18 U.S.C. § 1030(a)(4))
Sounds pretty simple, eh?
Ha! Guess again — there is nothing simple about it!
There are tens of thousands of pages case law and commentary attempting to explain all of the nuances involved in the prosecution or defense of a civil claim under this fraud provision of the CFAA. Even the United States Circuit Courts of Appeal cannot all agree on how it should be applied, much less the numerous United States District Courts still struggling with the issues. To provide even a cursory overview of this subject would require the volume of a lengthy law review article (which, by the way, I am currently writing).
The purpose of this post is not to overwhelm the reader with all of the details — trust me, I know that all 3 of you who actually read this would never come back! Plus, that is what my law review article will be for–to save readers money by their not having to purchase Ambien to go to sleep! But seriously …
With so much talk about computer fraud and hacking in the news these days, I simply want to give you “40,000 foot overview” of what elements must be proven, in very generic terms, to state a claim under this fraud provision of the CFAA. Here goes, hot off the press from a case handed down on March 30, 2011 stating that a claim under subsection (a)(4) the CFAA has four elements:
- a defendant has accessed a protected computer;
- has done so without authorization or by exceeding such authorization as was granted;
- has done so knowingly and with intent to defraud; and
- as a result has furthered the intended fraud and obtained anything of value.
Scottrade, Inc. v. Broco Investments, Inc., 10 Civ. 03 537, 2011 WL 1226467 *9 (S.D.N.Y. Mar. 30, 2011).
“Complex, but it has only 4 elements?” you say? Yeah, I here ya–I know, we lawyers have a way of overly complicating everything, so if you don’t believe me, just go give it a try yourself and tell me how it works out for you when that Federal Judge says “so, was it access without authorization or access by exceeding authorization?” …
- Court Rejects Argument That All First-Time Email Hacking Offenses Are Felonies (eff.org)
- CFAA Not Subject to Rule 9 (shawnetuma.com)
- Computer Fraud and Abuse Act Can Prohibit Employee From Deleting Emails (shawnetuma.com)
- Taking of Confidential Info Alone Not “Loss” Under CFAA (shawnetuma.com)
- Former Employee’s Deletion of Data May Constitute CFAA “Damage” (shawnetuma.com)
- Is the Value of Confidential Information Different From Copyrighted Material Under the Computer Fraud & Abuse Act? (shawnetuma.com)
- Should Everyone Who Uses A Phone Or A Computer As Part Of A Crime Get A Longer Sentence? (techdirt.com)