The Texas Bar Journal’s 2019 year-end Cybersecurity & Data Privacy Update was once again provided by Shawn Tuma and addressed the following issues: Texas’ New Data Breach Notification Requirements effective January 1, 2020 Whether website scraping allegations are sufficient to invoke Texas and federal “hacking” laws Whether viewing pictures on another’s cellphone violates Texas “hacking” law Cyber…
Category: CFAA Cases
Evolution of CFAA Jurisprudence
The Computer Fraud and Abuse Act (CFAA) is my favorite law. Studying it is both a hobby and passion. I am fascinated by the paradox of observing one of the most high-tech areas of law evolving into a unique body of jurisprudence through the ancient Common Law method. I explained this in “What Does CFAA Mean and Why Should I Care?” A Primer on the Computer Fraud and Abuse Act for Civil Litigators (p.167):
Within the customary lifespan of a body of law, the CFAA is still in its infancy. The interpretation and application of its provisions are continuously evolving, and will continue to be refined through the judicial process as courts struggle with the meanings and inner workings of its key provisions. In what may seem counterintuitive, the litigation of these issues is positive for its development and refinement. This is the essence of jurisprudence and will benefit the CFAA just as it has other bodies of law throughout history. In the words of the eminent legal scholar Benjamin Cardozo, “In the endless process of testing and retesting, there is a constant rejection of the dross, and a constant retention of whatever is pure and sound and fine.”
In my own efforts to keep abreast of this evolving body of jurisprudence, for several years I have done my best to read every judicial opinion that has substantive CFAA value, and I continue to try and do so today. Over this time I have read far too many opinions to count and, just as I cannot recall the number, I also lose track of what I have learned from each.
Evolution of CFAA digest
A few years ago I began experimenting with setting up my own crude database of information with an Excel spreadsheet, where I kept track of the key information from each case: case name, date, jurisdiction, citation, and key legal principles. This was very cumbersome and it did not take long before I realized that would not work.
I then set up a blog, the computer fraud | data privacy | social media | Law Blog, and thought that would be a good tool for keeping track of the cases I read. Blogging, however, is much different from simply recording raw information — in a blog people look for some insight, analysis, and commentary on the cases, not just the vital information — and I do not have the time or capacity to put that kind of effort into each opinion that comes out. When I am able to offer that kind of analysis and commentary on an opinion, I will continue to blog about it, but not here. So, for these purposes, the blog was a fail as well.
My next idea was to set up a private wiki that would be easy to populate with the vitals of each case and always be accessible online. That has seemed to work pretty well but then I got to thinking, “if I am going to go through all of this work, why not share the information with others?” The information about the Computer Fraud and Abuse Act cases is not my information, it is the law and none of us own the law. So, in the spirit of Aaron Swartz, I decided to liberate this information for the benefit of anyone who is willing to take the time to read it. My goal is to capture each case going forward and, as time permits, work backward and start adding important cases from the past — again, as time permits.
That, my friends, is how we got here and, I can assure you, I am already trying to think of other ways to improve on this concept so if you have any suggestions (that are within my capabilities) then please let me know.
What is the Purpose of CFAA digest?
The purpose is simply to provide only the most important information about each case:
It starts with the case name, the date, and the citation so you can find the case (I try to include a link to the case but that is not always possible);
The jurisdictional information such as court and circuit court of appeal in which the court is located as I find this is helpful in tracking how the jurisprudence is evolving in various courts; and
Most important, the key principle or principles that can be drawn from each case, without added commentary, analysis, or fluff.
Will I be able to keep up with this project? I certainly hope so, but I also hope that I do not have to do it alone. CFAA digest is not about me, it is about the law and the effort to keep up with “the endless process of testing and retesting . . . [and] constant rejection of the dross, and a constant retention of whatever is pure and sound and fine.”
No one person can take on a project like this alone and do it justice. I would love to have others collaborate with me in making this the most thorough and complete source of information that is available on the Computer Fraud and Abuse Act. If you would like to post case updates for current or past cases, send me cases that I might otherwise miss, or simply offer suggestions on how I can improve the site, please do not hesitate to let me know.
-Shawn Tuma
Fifth Circuit Upholds CFAA Conviction for Former Employee’s Misuse Causing Damage Based on Circumstantial Evidence
In United States v. Anastasio N. Laoutaris, 2018 WL 614943 (5th Cir. Jan. 29, 2018), the United States Fifth Circuit Court of Appeals affirmed a jury verdict finding Laoutaris guilty of two counts of computer intrusion causing damage, in violation of 18 U.S.C. § 1030(a)(5)(A) and (c)(4)(B)(i) of the Computer Fraud and Abuse Act. Laoutaris…
Former Cardinals exec sentenced to prison for hacking Astros
HOUSTON (AP) — A federal judge sentenced the former scouting director of the St. Louis Cardinals to nearly four years in prison Monday for hacking the Houston Astros’ player personnel database and email system in an unusual case of high-tech cheating involving two Major League Baseball clubs. Source: Former Cardinals exec sentenced to prison for…
Can a Company Remotely Wipe an Ex-Employee’s Device?
Note: this article was previously posted on Norse’s DarkMatters. One of my favorite sayings about cyber risk is “an ounce of prevention is cheaper than the very first day of litigation.” A recent case provides a nice example of exactly what I mean. In this case, an effective BYOD policy could have saved this company…
Departing Employee Taking Data from “Restricted” but Unsecured Folder Doesn’t Violate CFAA
TAKEAWAYS: If your company intends to limit its employees access to certain information on the company network, (1) make sure appropriate technological restrictions are in place and are working; and (2) make sure there are appropriate policies or other documentation in place to show the employees subjectively knew it was off limits. When an employer…
Be Careful of Commentary on 7th Cir.’s Fidlar Tech CFAA “Intent to Defraud”Case
I have read several blog posts that are stating, as a blanket proposition, that you must prove intent to defraud for CFAA claims. This, they say, comes from the recent Seventh Circuit Court of Appeals case, Fidlar Technologies v. LPS Real Estate Data Solutions, Inc., 2016 WL 258632 (7th Cir. Jan. 21, 2016) (opinion). This is…
Court Order Provides CFAA Authorization to Access Computer, Even if Later Overturned
A party who accesses a computer pursuant to a court order authorizing him to seize and access the computer will not be found in violation of the Computer Fraud and Abuse Act if such order is later overturned. “An essential element of a CFAA claim under 10 U.S.C. § 1030 is that the [defendant] accesses a…
The CFAA Requires Access of a Computer — Not Just Access to Information
To have a valid CFAA claim, there must be an access to a computer. The Computer Fraud and Abuse Act is often referred to as an “access crime” because the act that is prohibited is accessing a computer. Misusing information that someone else obtained from a computer is not accessing a computer. Doing so may…
Using Single Individual Password to Access News Site to Share Info With Others is Not CFAA Interruption of Service
A person’s use of his single individual use password to access a news site to access content that he then shared with over 100 other people did not cause any impairment to the integrity or availability of data or loss due to interruption of service as required to bring a civil claim under the Computer Fraud…
Employers Receive Friendly Computer-Fraud-And-Abuse-Act Ruling From Louisiana Court
The U.S. Eastern District of Louisiana recently sided with employers in the on-going judicial debate over interpreting the Computer Fraud and Abuse Act “CFAA”. See Associated Pump & Supply Co., LLC v. Dupre, et al., No. 14-0009 E.D. La.. Associated Pump sued its former employee Kevin Dupre for violating CFAA during his alleged scheme to steal Associated Pump’s trade…
You must be logged in to post a comment.