Fraud by Use of a Computer (Part 1)
It should come as no surprise that every business is a victim of some form of “computer fraud.” In its broadest sense, computer fraud is simply a dishonest or deceptive act committed in connection with the use of a computer.
There seems no limit to dishonest and fraudulent schemes devised by the human imagination, and the advent of computer technology expands the reach of deceptive behavior. Virtually all businesses have computers and use technology. And every business involves people -- employees, vendors, licensees, consultants, competitors. They are all potential perpetrators of computer fraud against a company.
Typical business tort claims such as fraud might cover some forms of computer fraud. But there are also specific computer fraud statutes that create liability for conduct that might not neatly fit within the common law legal structure of fraud. In 1984, the federal government enacted the statute known as the Computer Fraud and Abuse Act (“CFAA”), codified at 18 U.S.C. § 1030. The CFAA was enacted originally as a criminal statute only, which is why it is codified in Chapter 18 of the U.S. Code.
A major focus of the statute initially was hacking into the computers and databases of government and financial institutions. It has been amended several times since then, and in 1994 the CFAA was amended to include a private right of action for civil liability and remedies, including damages and injunctive relief. See 18 U.S.C. § 1030.
The statute prohibits “computer fraud” including improper access to computers and databases, damage to computer systems and data, and the improper transmission of data. The standard “fraud claim” under the CFAA requires that the person: (1) knowingly and with intent to defraud, (2) accessed a “protected computer” (“used in or affecting interstate or foreign commerce”), (3) without authorization or exceeding authorized access, and (4) by doing so, furthered the intended fraud and obtained something of value. It also requires a threshold “value” of $5,000 during any one-year period. 18 U.S.C. § 1030(a)(4).
The title of the statute also suggests it covers computer “abuse” as well as computer “fraud.” And consistent with the title, liability under the CFAA is not limited to conduct “with intent to defraud.” A broader form of civil liability under the CFAA does not require fraudulent intent. Among other things, the CFAA prohibits the obtaining of information by intentional access of a “protected computer” (“used in or affecting interstate or foreign commerce”), where the access was either: (1) without authorization, or (2) exceeded authorized access. 18 U.S.C. § 1030(a)(2). For most civil liability, a threshold requirement is there must be a “loss” of at least $5,000. See 18 U.S.C. § 1030(c)(4)(A)(i)(I) and § 1030(g).
Most states have also enacted laws prohibiting dishonest conduct through the use of computers and technology. For instance, California Penal Code § 503(c) prohibits knowing access and unauthorized damage to computer systems and data, to either defraud or wrongfully obtain money, property or data. The California law also provides for broad civil liability (Cal. Penal Code § 503(e)), but unlike the CFAA, the California statute does not require the CFAA’s minimum $5,000 threshold. Section 503(e)(1) even purports to hold civilly liable the parents and legal guardians of unemancipated minors who engage in such conduct.
Part 2 of this topic will highlight some of the conduct covered by the CFAA.
Topics: Business Fraud