It often said that the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, is an access crime — meaning that it is designed to punish the wrongful access of a device. A recent case out of the Northern District of Texas highlights this point.
In Nicole Clarke-Smith v. Business Partners in Healthcare, LLC, 2016 WL 279094 (Jan. 22, 2016), the defendant brought a CFAA counterclaim against the plaintiff alleging that she retained possession of a company-owned laptop and USB drive after being terminated. The Court got it right in granting the plaintiff’s motion for summary judgment that was premised on there being no evidence of a wrongful access of those devices, even if the plaintiff did retain possession of them:
BPIH’s claim for violation of the CFAA fails because there is no evidence that Clarke-Smith accessed a protected computer without authorization. Indeed, BPIH admits that it has no evidence that Clarke-Smith used the laptop or any files on the computer after she was fired. BPIH asserts that Clarke-Smith allegedly continued possession of the laptop “in and of itself” constitutes unauthorized access, but this assertion is not supported by the law. While the CFAA does not define “access,” courts interpreting the statute have concluded that “[u]se of the computer is integral to the perpetration of a fraud under the CFAA, and not merely incidental.” Dresser-Rand Co. v. Jones, 957 F. Supp.2d 610, 614-15 (E.D. Pa. 2013) (emphasis added); see also BoardFirst, 2007 WL 4823761 at *12-13 (interpreting access for purposes of CFAA liability to require successful interaction with computer).
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.