Computer Fraud and Abuse
Computers are everywhere and it seems that little business can be conducted without them. In the age of cloud computing, access to data is more mobile than ever. What happens when someone accesses your data without authority to do so or restricts your access to your own data? There is a Federal rule and its California equivalent that are designed to address the rights of those who have been wronged by another’s unauthorized access to computerized data. In other words, there are laws aimed at “hackers,” both inside hackers and outside hackers. Sometimes the term “hacker” does not fit the situation as the person who wrongfully obtains data could otherwise have access to that data, but access does not always equal authority. Ad Astra Law Group has extensive experience with claims made under the Federal Computer Fraud and Abuse Act (“CFAA”) and the California rule known as Penal Code section 502 or the California Computer Data and Access Fraud Act (“CDAFA”).
What is the CFAA (Computer Fraud and Abuse Act)?
The CFAA is the Computer Fraud and Abuse Act. It is a federal rule that addresses the situation where your computerized data has been accessed by someone who either didn’t have authority to access it or exceeded their authority to access it, and who caused you at least $5,000.00 of loss or damage.
How does the CFAA (Computer Fraud and Abuse Act) work procedurally?
The CFAA works just like any other civil law you can sue under. There’s no pre-filing check, and there’s no agency that you need to go to for an opinion. You simply need to identify that you have been the victim of someone accessing your data without authority, and you need to be able to identify that the person caused you at least $5,000.00 of loss or damage. Then you go to an attorney and discuss the situation, and the attorney will draft the complaint for you, which can be filed in either state or federal court. Even though this is a federal law, you can go to federal court if you like, or you can file in state court if that’s more convenient for you, for instance if there are other claims involved that have more state law involved. However, if either party to the dispute wants to be in federal court, the defendant can remove the case to federal court and you’ll end up there anyway. But it’s your choice as the plaintiff where you want to file at the beginning.
In what context does the CFAA (Computer Fraud and Abuse Act) come into play?
The CFAA comes into play in many contexts, and we’re seeing more and more of them as the age of cloud computing is rising. Lots of issues arise when an employee leaves an employer’s business. There are claims that the business owner makes against the employee, perhaps if the employee uses a password that still works and accesses the information in the former employer’s database. Actually, there’s a large case right now that’s being heard, I think for the third time, in the Ninth Circuit, where a former employee used a current employee’s password to get access to the employer’s database. It’s recently come up in the Houston Astros vs. the St. Louis Cardinals, which is more of a traditional hacking case, the allegation being that someone within the Cardinals organization hacked the player information database that belongs to the Houston Astros. It also comes up in the context of ecommerce business owners, where the business exists almost entirely online, if somebody either changes your passwords or hacks into your system and deletes some of your data.
We actually were able to create some new law here at Ad Astra Law Group by getting a judge in the Northern District of California to rule that essentially any computer connected to the internet, including a third-party cloud storage website, counts as a protected computer within the CFAA. And the final context that it comes up in (well, maybe not the final one, because it’s an evolving area of law) is essentially anytime a third party who doesn’t have any authority, or who exceeds their authority, accesses your data, usually online. So in the age of cloud computing, like I said, we are looking at a lot more businesses that are going to be vulnerable to attacks.
What are the undecided issues in this area of the law?
The CFAA is both a criminal and civil statute, although today I’m only going to speak to the civil aspect of the law because we don’t have a criminal practice here at Ad Astra. The number one unsettled area regarding the CFAA is circumvention of a technical access barrier, and whether or not the law requires such a thing. The words “technical access barrier” don’t actually appear in the text of the law. The law only talks about authorized access versus unauthorized access versus access in excess of your authority. “Technical access barrier” doesn’t appear anywhere. However, it has been an open issue because there are some courts that make a determination that there’s no liability for the defendant because he or she did not circumvent a technical access barrier. But many other courts have recognized that “technical access barrier” not only does not appear in the statutory text, it is also a moving target, and it makes it very hard to make sense of the problem.
For instance, in US vs. Nosal, a case that the Ninth Circuit has addressed several times, the defendant used a password in order to access data. He used to work for the company whose data was accessed. He didn’t hack into the system; what he did was take a password from a current employee and use that to get in. And his argument, which is before the Ninth Circuit, is: I didn’t violate the CFAA because I had the keys to the castle. And the open question is: if you took the key from somebody who had the key, knowing that you are not supposed to have the key, even if it was easy for you to get the key, is that still a violation of the CFAA? We filed an amicus brief in a case that was pending before the Ninth Circuit arguing that “technical access barrier” doesn’t make sense. Not only is it not in the statutory text, but it’s also going to be a moving target. We’ve all seen how fast technology improves and changes, and it would just be very difficult for litigants and courts to keep up with whatever the latest trend is in technology.
What constitutes loss or damage under the CFAA (Computer Fraud and Abuse Act)?
Loss and damage under the CFAA both have defined meanings. Damage is the easier one: it means any impairment to the availability of data or the integrity of data in a system, which would include deletion. Loss is a broader term and encompasses, essentially, what you would have to expend in order to investigate what happened to your data and remedy what happened to your data. Sometimes this can be stretched to make an argument that you would be entitled to attorney’s fees. Let’s say you had to hire an attorney to help get your data back; perhaps that would qualify. But we continue to look back at what the statutory definition is. However, it is worth noting that the California equivalent law, Penal Code Section 502, does not have the statutory loss and damage terms. Instead, it talks about damage in terms of compensatory damages. Essentially, whatever it costs you to get yourself back to the position you were in before your data was compromised is a recoverable element.
What are the recoverable damages I am entitled to in a CFAA (Computer Fraud and Abuse Act) case?
The recoverable damages that you’re entitled to in a CFAA case can be cut up into a couple of different categories. Broadly, the money that you spend investigating what occurred is going to be recoverable, and that could include the cost of an attorney if you’re using a law firm to help you with the investigation. Secondly, a recoverable area of damages would be what it cost you to restore your data system to the point that it was at before the alleged acts occurred. That can include computer experts, the cost of your time as a business owner, and your staff’s time. It’s also very important when you’re claiming damages in a CFAA case to be very specific about what it is you list out in your complaint, because that’s a way for the defendant to attack your complaint and say, no, this is just too vague; you need to tell me how it was you were damaged. Although we’re only dealing with a $5,000.00 threshold here, and it’s pretty easy to meet it, you do need to be very specific.
Who are the likely plaintiffs and defendants in CFAA (Computer Fraud and Abuse Act) cases?
I’ll start by addressing who the likely plaintiffs are in CFAA cases. A lot of times, we’re looking at business owners and employers. In the context of a former employee getting back into the employer’s system, it’s usually going to be the employer that’s the plaintiff and the former employee who is the defendant. It’s important to note, though, that the CFAA is not a trade secrets rule. It doesn’t really care what you did with the data; it cares that you accessed it and maybe deleted it.
There are cases where professional service firms are victims of what you can call hacking, either by an inside hacker or an outside hacker, in which case, again, it’s a business owner that is going to be the plaintiff and either another business or an individual that’s going to be the defendant.
There’s a criminal application of the CFAA as well, which Ad Astra Law Group doesn’t deal with, but in the context of a criminal application of the statute it’s the United States that is the plaintiff and either an individual or a business that is the defendant. We see this come up a lot with ecommerce businesses. There can be business partners who access each other’s data after they stop working together, in which case it’s not really business versus business but rather business owner versus former partner business owner.
But we’re seeing a lot more changes in how broadly the CFAA is applied, because as everyone moves to cloud computing almost everybody could be a potential CFAA plaintiff. And if you are accessing someone’s data in excess of your authority or without any authority to do so, i.e., hacking, you could end up being a CFAA defendant.
What is a “protected computer” under the CFAA (Computer Fraud and Abuse Act)?
A protected computer under the CFAA is pretty much any computer that’s connected to the internet. Ad Astra Law Group had a big win a couple years back: we got the Northern District of California to rule that even a third-party website that you don’t own, but that you have an account with, would qualify as a protected computer within the CFAA.
I’ll give you an example. I don’t own Gmail, but I do own my e-mail account with Gmail. I certainly don’t own Google. It doesn’t require that you own Google; it requires that you own your e-mail account. So if someone has accessed your e-mail account and otherwise met the requirements of the statute, your e-mail account can be a protected computer.