Fraud by Use of a Computer (Part 2)
Part 1 of this topic introduced the Computer Fraud and Abuse Act (“CFAA”). This article discusses the scope of the CFAA. In some ways, the CFAA is quite broad; in other respects, it is actually not as broad as one might expect.
The statute covers a wide range of conduct involving a company’s computers and computer data, not only by employees but also by outsiders. The CFAA and similar state statutes are sometimes asserted in unfair competition and trade secret cases, when a former employee and a competitor allegedly take information such as computer files and other data from a business. But the types of conduct covered by the CFAA are broad and include the following:
- computer hacking by an outsider
- licensees and consultants who exceed their authorization in accessing computer systems and particular data on the systems
- computer viruses, malware and the like
- fake logins to disrupt legitimate website sales
- employees accessing data on the computer that they are not entitled to, e.g., using someone else’s password
- improper access of email accounts
- unauthorized access of a website using usernames and passwords not belonging to the person
- placing unauthorized software codes on web users’ computers
- IT service providers accessing a company’s non-public online product without authorization
- hackers and/or former employees using computers to carry out spam operations and denial of service attacks
The CFAA clearly covers improper access by outside hackers and data breaches. However, the statute might not cover every concern a company may have. Generally, the computer access must be “unauthorized” or “beyond the authorization.” Some cases have held that if an employee was authorized to access certain files, the taking of those files to compete is not a violation of the CFAA (although it may lead to other valid legal claims). That rule also raises concerns regarding the level of access by licensees and outside consultants. In addition, the company whose files were improperly accessed generally must show a threshold “loss” of $5,000.
Various types of civil claims can be asserted under the CFAA, and the requirements for each claim can be quite complex. To determine the validity of a CFAA claim, a company needs to analyze the facts, the actual loss or damage caused by the conduct, as well as the CFAA case law in the particular jurisdiction. The decisions in the federal circuit courts can vary significantly depending upon the specific requirement or issue under the CFAA.