I have read several blog posts that are stating, as a blanket proposition, that you must prove intent to defraud for CFAA claims. This, they say, comes from the recent Seventh Circuit Court of Appeals case, Fidlar Technologies v. LPS Real Estate Data Solutions, Inc., 2016 WL 258632 (7th Cir. Jan. 21, 2016) (opinion).
This is reading too much into the court’s opinion.
For years the courts have been fairly consistent in finding that the “fraud” used in “Computer Fraud and Abuse Act” is not the same “fraud” as used in the Common Law, and thus CFAA claims are not subject to the heightened pleading requirement of Rule 9. (see explanation)
In practice, I have seen numerous defendants make the argument that “the CFAA requires proof of an intent to defraud” but, the only statutory provision they point to is 18 U.S.C. § 1030(a)(4), which specifically requires that the access be “knowingly and with the intent to defraud.” This argument ignores the fact that § 1030(a) contains 7 categories of offenses (see the CFAA) and, of those, only categories (a)(4) and (a)(6) include the language “knowingly and with the intent to defraud.” Subsections (a)(1), (a)(2), (a)(3), (a)(5), and (a)(7) do not mention “with the intent to defraud.”
In Fidlar Technologies, the case dealt with two provisions of the CFAA: (a)(4) and (a)(5). The Seventh Circuit analyzed the “intent to defraud” issue in Section A.1. on page *3 of the opinion, titled “Intent to Defraud Under § 1030(a)(4)” and opened the analysis with a block quote of the statutory language, emphasis in the court’s quote:
Section 1030(a)(4) punishes anyone who:
“[K]nowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value….”
The court then analyzed the issue as follows:
Although this Court has not previously examined this element of § 1030, we have explained that in similar statutes “intent to defraud means that the defendant acted willfully and with specific intent to deceive or cheat, usually for the purpose of getting financial gain for himself or causing financial loss to another.” United States v. Pust, 798 F.3d 597, 600 (7th Cir.2015) (quoting United States v. Paneras, 222 F.3d 406, 410 (7th Cir.2000)) (internal quotation marks omitted). Because direct evidence of intent is often unavailable, intent to defraud “may be established by circumstantial evidence and by inferences drawn from examining the scheme itself which demonstrate that the scheme was reasonably calculated to deceive persons of ordinary prudence and comprehension.” Id. at 600–01. (emphasis added).
The court found, as the facts seemed to support, that there was no intent to defraud and, thus, no violation of § 1030(a)(4).
The court did not say “the CFAA requires proof of an intent to defraud for subsections (a)(1), (a)(2), (a)(3), (a)(5), and (a)(7) — in addition to (a)(4) or (a)(6).” Proceed with caution.
Proceed with caution.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.