Computer Fraud - Fraud by Use of a Computer
It should come as no surprise that every business is a victim of some form of “computer fraud.” In its broadest sense, computer fraud is simply a dishonest or deceptive act committed in connection with the use of a computer.
There seems no limit to dishonest and fraudulent schemes devised by the human imagination, and the advent of computer technology expands the reach of deceptive behavior. Virtually all businesses have computers and use technology. And every business involves people -- employees, vendors, licensees, consultants, competitors. They are all potential perpetrators of computer fraud against a company.
Typical business tort claims such as fraud might cover some forms of computer fraud. But there are also specific computer fraud statutes that create liability for conduct that might not neatly fit within the common law legal structure of fraud. In 1984, the federal government enacted the statute known as the Computer Fraud and Abuse Act (“CFAA”), codified at 18 U.S.C. § 1030. The CFAA was enacted originally as a criminal statute only, which is why it is codified in Chapter 18 of the U.S. Code.
A major focus of the statute initially was hacking into the computers and databases of government and financial institutions. It has been amended several times since then, and in 1994 the CFAA was amended to include a private right of action for civil liability and remedies, including damages and injunctive relief. See 18 U.S.C. § 1030.
The statute prohibits “computer fraud” including improper access to computers and databases, damage to computer systems and data, and the improper transmission of data. The standard “fraud claim” under the CFAA requires that the person: (1) knowingly and with intent to defraud, (2) accessed a “protected computer” (“used in or affecting interstate or foreign commerce”), (3) without authorization or exceeding authorized access, and (4) by doing so, furthered the intended fraud and obtained something of value. It also requires a threshold “value” of $5,000 during any one-year period. 18 U.S.C. § 1030(a)(4).
The title of the statute also suggests it covers computer “abuse” as well as computer “fraud.” And consistent with the title, liability under the CFAA is not limited to conduct “with intent to defraud.” A broader form of civil liability under the CFAA does not require fraudulent intent. Among other things, the CFAA prohibits the obtaining of information by intentional access of a “protected computer” (“used in or affecting interstate or foreign commerce”), where the access was either: (1) without authorization, or (2) exceeded authorized access. 18 U.S.C. § 1030(a)(2). For most civil liability, a threshold requirement is there must be a “loss” of at least $5,000. See 18 U.S.C. § 1030(c)(4)(A)(i)(I) and § 1030(g).
Most states have also enacted laws prohibiting dishonest conduct through the use of computers and technology. For instance, California Penal Code § 503(c) prohibits knowing access and unauthorized damage to computer systems and data, to either defraud or wrongfully obtain money, property or data. The California law also provides for broad civil liability (Cal. Penal Code § 503(e)), but unlike the CFAA, the California statute does not require the CFAA’s minimum $5,000 threshold. Section 503(e)(1) even purports to hold civilly liable the parents and legal guardians of unemancipated minors who engage in such conduct.
The Computer Fraud and Abuse Act (“CFAA”) covers a wide range of conduct involving computers. However, the restrictions in the CFAA may limit a company’s potential claims.
In some ways, the CFAA is quite broad; in other respects, it is actually not as broad as one might expect.
The statute covers a wide range of conduct involving a company’s computers and computer data, not only by employees but also outsiders. The CFAA and similar state statutes are sometimes asserted in unfair competition and trade secret cases, when a former employee and a competitor allegedly take information such as computer files and other data from a business. But the types of conduct covered by the CFAA are broad and include the following:
- computer hacking by an outsider
- licensees and consultants who exceed their authorization in accessing computer systems and particular data on the systems
- computer viruses, malware and the like
- fake logins to disrupt legitimate website sales
- employee accessing data on the computer that not entitled to, e.g., using someone else’s password
- improper access of email accounts
- unauthorized access of website using usernames and passwords not belonging to the person
- placing unauthorized software codes on web users’ computers
- IT service providers accessing company’s non-public online product without authorization
- hackers and/or former employees using computers to carry out spam operations and denial of service attacks
The CFAA clearly covers improper access by outside hackers and data breaches. However, the statute might not cover every concern a company may have. Generally, the computer access must be “unauthorized” or “beyond the authorization.” Some cases have held that if an employee was authorized to access certain files, the taking of those files to compete is not a violation of the CFAA (although it may lead to other valid legal claims). That rule also raises concerns regarding the level of access by licensees and outside consultants. In addition, the company whose files were improperly accessed generally must show a threshold “loss” of $5,000.
Various types of civil claims can be asserted under the CFAA, and the requirements for each claim can be quite complex. To determine the validity of a CFAA claim, a company needs to analyze the facts, the actual loss or damage caused by the conduct, as well as the CFAA case law in the particular jurisdiction. The decisions in the federal circuit courts can vary significantly depending upon the specific requirement or issue under the CFAA.
Topics: Business Fraud