Cybertelecom
Federal Internet Law & Policy
An Educational Project
Computer Fraud & Abuse Act
Don't be a FOOL; The Law is Not DIY

CFAA: Unauthorized Access to a Computer + Damage

Government Computer

Derived From: Charles Doyle, Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws, Congressional Research Service (Dec. 27, 2010)

Paragraph 1030(a)(3) condemns unauthorized intrusion (“hacking”) into federal government computers whether they are used exclusively by the government or the federal government shares access with others. Broken down into its elements, paragraph (a)(3) makes it unlawful for anyone who:

  • Without Authorization
  • Intentionally
  • Either
      • accesses a government computer maintained exclusively for the use of the federal government, or
      • accesses a government computer used, at least in part, by or for the federal government and the access affects use by or for the federal government

    Consequences: Imprisonment for not more than one year (not more than 10 years for repeat offenders) and/or a fine under title 18 (the higher of $100,000 for misdemeanors/$250,000 for felonies or twice the amount of the loss or gain associated with the offense, 18 U.S.C. 3571). These, like most federal offenses committed by juveniles, are usually tried in state court. Violations of each of the paragraphs of subsection 1030(a) may trigger forfeiture, restitution, money laundering, civil liability and racketeering provisions found elsewhere.

    Other criminal liability: attempt, conspiracy, complicity & more: An attempt to violate any of the paragraphs of subsection 1030(a), and conspiracy to violate any federal law are separate federal crimes, 18 U.S.C. 1030(b), 371.

    Simply hacking into government computers—without damage to the system, injury to the government, or gain by the hacker—implicates only a few other laws. It may breach the “hacking-and-acquiring-information” ban of paragraph 1030(a)(2), discussed infra. It may also violate one of the state computer crime statutes. 

    18 U.S.C. § 1030(a)(3) [NIIP Analysis]

    Protected Computers

    The CFAA deals with bad people who bother about “protected computers.” This is not a reference to the use of firewalls or virus protection (although these are good ideas). Originally “protected computers” were computers from financial institutions and the government. Gradually this definition has been expanded to include all networked computers, inside the U.S. or outside. 18 U.S.C. § 1030(e)(2)(B). [Shurgard WDWA 2000]

    Computers on the Internet are 'protected computers.' [Trotter 8th Cir 2007 (Non-profit's computers are engaged in interstate communications connect to Internet)] [Walters 11th Cir. 2006 (stating that the internet is an instrumentality of interstate commerce)] [Fowler 945 MDFL 2010 (computer connected to Internet is 'protected computer')] [Multiven NDCA 2010 (finding that a computer connected to the internet was a protected computer)] [National City Bank, N.A. EDWA 2010 (stating that "any computer connected to the internet is a protected computer")] [Expert Janitorial EDTN Mar. 12, 2010] [Dedalus Foundation SDNY 2009 (noting that courts have "found that computers that access the Internet through programs such as email qualify as protected computers")] [Continental Group, SDFL 2009 (noting that a connection to the internet affects interstate commerce or communication)]

    Causing Damage (Private Right of Action)

    Whoever

  • Knowingly transmits a worm or virus and intentionally causes damage [Smith] [Mitnick] [Morris]
  • Intentionally hacks a computer and recklessly causes damage, or
  • Intentionally hacks a computer and causes damage

    And the damage results in

  • The loss of at least $5000 in a year for a person
  • A change to a medical examination, diagnosis, treatment or care
  • Physical injury to a person
  • A threat to public health or safety, or
  • Harm to a computer owned or used by the government in furtherance of justice, defense, or security.

    Section 1030(a)(5) Matrix

                          Trespassers    Authorized Users
    Intentional Damage    Felony         Felony
    Reckless Damage       Felony         No Crime
    Negligent Damage      Misdemeanor    No Crime

    Source: The National Information Infrastructure Protection Act of 1996, Legislative Analysis by CCIPS USDOD (updated June 1998)

    18 U.S.C. § 1030(a)(5).

    There has been clarification on what constitutes a bad deed:

    Bad deeds:

  • Inserting a disabling code into software without a provision in the license. [North Texas Sec. IV.A]
  • Data-mining where consent is lacking. [Register] [EFCultural]
  • Email harvesting in violation of terms of service. [Can Spam Act] [LCGM]
  • Accessing and sending proprietary information from current employer to new employer. [Shurgard]
  • Deleting files and using a trace removal tool to scrub the memory of any vestiges of the files. [Citrin]

    Not Bad Deeds:

  • Inserting disabling code into software with a provision in the license. [North Texas]
  • Placing cookies on a computer. [Doubleclick] [Intuit] [Chance]
  • Port scans. [Moulton]
  • Designing shoddy software. [18 U.S.C. § 1030(g), probably a response to Shaw]

    Note that this provision has a mens rea; the hack must be intentional. Some courts have interpreted "intentional" to mean "intentional access" as opposed to "intentional damage." [Morris p 509] [Sablan p 868]

    Where the bad deed falls under 18 U.S.C. § 1030(a)(5)(B), there is a private right of action. 18 U.S.C. § 1030(g). [Theofel at 1078] [IMS at 526] [Yonkers] [See Fiber Sys Intl (finding private right of action for violation of any CFAA provision)] Remedy includes compensatory damages, injunctive relief, or equitable relief. Actions must be brought within 2 years of the date of the act or the discovery of the damage. Injured parties may also consider seeking relief under the Electronic Communications Privacy Act which prohibits the unauthorized interception and access of communications.

    Derived From: Charles Doyle, Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws, Congressional Research Service (Dec. 27, 2010)

    Paragraph 1030(a)(5) proscribes unleashing worms or viruses or otherwise causing computer damage, that is, (A) intentionally causing unauthorized damage by knowingly causing a transmission to a protected computer; (B) recklessly causing damage by intentionally accessing a protected computer; or (C) causing damage and loss by intentionally accessing a protected computer. These kinds of damage are only federal crimes under paragraph 1030(a)(5) if they involve a protected computer. There are five types of protected computers or computer systems. The five include computers (1) used exclusively for or by the United States Government; (2) used exclusively for or by a bank or other financial institution; (3) used in part for or by the United States Government where the damage “affects” government use or use on the government’s behalf; (4) used in part for or by a bank or other financial institution where the damage “affects” use by or on behalf of the institution; and (5) used in, or affecting, interstate or foreign commerce or communications.

    Penalties: Recidivism and causing serious damage recklessly or intentionally are punished more severely than first offenses or causing damage without necessarily intending to do so or than causing less serious damage intentionally or recklessly. First-time offenders that do not cause serious damage are punishable by imprisonment of not more than one year. When an offender with a prior conviction causes damage that is not serious, he is punishable by imprisonment for more than 10 years. Offenders with a prior conviction who intentionally or recklessly cause damage that is not serious are punishable by imprisonment for not more than 20 years.

    On the other hand, intentionally causing serious damage through a knowing transmission to a protected computer is punishable by imprisonment for not more than 10 years (not more than 20 years for a second or subsequent offense). Recklessly causing serious damage following unauthorized access or attempted access carries a penalty of imprisonment for not more than five years (not more than 20 years for a second or subsequent offense). An offender who knowingly or recklessly causes or attempts to cause serious bodily injury or death by knowingly causing an intentionally damaging transmission to a protected computer is punishable by imprisonment for not more than 20 years (any term of years or life if death results).

    Other than physical injury or death, the types of serious damage that trigger more severe punishment are damage that (1) causes a loss that over the course of a year exceeds $5,000; (2) modifies, impairs, or could modify or impair medical services; (3) causes physical injury; (4) threatens public health or safety; (5) affects a justice, national defense, or national security entity computer; or (6) affects 10 or more protected computers over the course of a year.

    Other Crimes: The general observations concerning attempt, conspiracy and complicity noted for the simple trespass paragraph apply here. In addition, there are more than a few other federal statutes that might be implicated by damage or destruction of federal property, of the property of financial institutions, or of property used in interstate or foreign commerce. A partial inventory might include: 18 U.S.C. 844(f)(destruction of federal property by arson or explosion); 18 U.S.C. 1853 (destruction of timber of U.S. lands); 18 U.S.C. 2071 (destruction of government records); 18 U.S.C. 1361 (destruction of federal property); 18 U.S.C. 1362 (destruction of federal communications property); 18 U.S.C. 32 (destruction of aircraft or aircraft facilities); 18 U.S.C. 33 (destruction of motor vehicles or their facilities); 18 U.S.C. 2280 (destruction of maritime navigational facilities); 18 U.S.C. 1992 (causing a train wreck); 18 U.S.C. 1367 (damaging an energy facility).

    Passwords

    Whoever

  • Knowingly and with intent to defraud traffics in
      • computer passwords or
      • “similar information through which a computer may be accessed.”

    18 U.S.C. § 1030(a)(6).

    Derived From: Charles Doyle, Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws, Congressional Research Service (Dec. 27, 2010)

    Paragraph 1030(a)(6) outlaws misconduct similar to the access device proscriptions of section 1029. Although limited, it provides several distinct advantages. First, it covers passwords to government computers more clearly than does section 1029. Second, as something of a lesser included offense to section 1029, it affords the government plea bargain room in a case that it might otherwise be forced to bring under section 1029 or abandon. Third, it contributes a means of cutting off the practice of publicly posting access to confidential computer systems without imposing severe penalties unless the misconduct persists. Fourth, it supplies a basis for private enforcement through the civil liability provisions of subsection 1030(g) of misconduct that may be more appropriately addressed by the courts as a private wrong. The elements of the crime are:

  • knowingly and with an intent to defraud
  • trafficking in (i.e., “to transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of” (18 U.S.C. 1029(e)(5)))
  • a computer password or similar computer key
  • either
      • of a federal computer or
      • in a manner that affects interstate or foreign commerce.

    Penalties: not more than one year (not more than 10 years for repeat offenders) and/or a fine under title 18, 18 U.S.C. 1030(c)(2). Offenders are also civilly liable to their victims, 18 U.S.C. 1030(g).

    Other crimes: The generally applicable provisions dealing with attempt, conspiracy and complicity will apply with equal force in cases involving paragraph 1030(a)(6). Paragraph 1030(a)(6) appears to have few counterparts in federal law, other than the prohibition against trafficking in access devices (credit card fraud) under 18 U.S.C. 1029(a)(2) and the wire fraud provisions of 18 U.S.C. 1343. Nevertheless, either of these may provide the foundation for a RICO (18 U.S.C. 1962) or money laundering (18 U.S.C. 1956, 1957) prosecution, so that should conduct in violation of paragraph 1030(a)(6) also offend either the mail fraud or credit card fraud prohibitions, a criminal breach of RICO or the money laundering provisions may also have occurred.

    Computer Blackmail / Extortion

    Whoever

  • With intent to blackmail, transmits a threat to damage a computer.

    18 U.S.C. § 1030(a)(7).

    Derived From: Charles Doyle, Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws, Congressional Research Service (Dec. 27, 2010)

    This paragraph provides that no one shall

  • transmit in interstate or foreign commerce
  • any communication containing any threat
  • to cause damage, [i.e., “any impairment to the integrity or availability of data, a program, a system, or information, that
      • causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals
      • modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals
      • causes physical injury to any person; or
      • threatens public health or safety” (1030(e)(8))]
  • to a protected computer
  • with the intent to extort money or a thing of value
  • from any person, firm, association, educational institution, financial institution, government entity, or other legal entity.

    Penalties: not more than five years (not more than 10 years for second and subsequent offenses) and/or a fine under title 18, 18 U.S.C. 1030(c), and victims may claim the advantages of the civil cause of action available under 18 U.S.C. 1030(g).

    Other crimes: The general observations concerning attempt, conspiracy and complicity noted with respect to the other paragraphs of 1030(a) apply here. Violations of paragraph 1030(a)(7) may also offend 18 U.S.C. 1951 (extortion that affects commerce); 18 U.S.C. 875 (threats transmitted in interstate commerce); 18 U.S.C. 876 (mailing threatening communications); 18 U.S.C. 877 (mailing threatening communications from a foreign country); and 18 U.S.C. 880 (receipt of the proceeds of extortion).

    Damage

    In order for a cause of action to be maintained, there must be a minimum of $5000 in damage. This has been a notorious problem; for example, Clifford Stoll’s $0.75 accounting discrepancy was insufficient to garner federal attention, even if the hacker’s breadcrumbs indicated international espionage of highly sensitive military information.

    Plaintiff must allege that the violation caused at least $5000 in economic damages. [Global Policy Partners at 647 EDVA 2010] [Sharma DMD 2013]

    The damage must be caused by the alleged CFAA violation. [Hillsboro EDMO 2010] [Global Policy Partners at 647 EDVA 2010]

    So what is “damage” and “loss”? “The term ‘damage’ means any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). A “loss” is

    any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service.

    18 U.S.C. § 1030(e)(11). Damages can include

  • Cost incurred in response to and investigation of the incursion.
      • Vanderhye 645-46 (cost expended by Turnitin for investigation of incursion when a student turned in a paper using another student's username and password)
      • Sharma DMD 2013
      • Sealord Holdings, Inc. v. Radler, No. 11-6125, 2012 WL 707075, at *4 (E.D. Pa. Mar. 6, 2012) (quoting Fontana v. Corry, No. 10-1685, 2011 WL 4473285, at *7 (W.D. Pa. Aug. 30, 2011)) ("Numerous district court decisions in the Third Circuit have held that to fall within this definition of `loss,' the `alleged "loss" must be related to the impairment or damage to a computer or computer system.'")
      • Clinton Plumbing & Heating of Trenton, Inc. v. Ciaccio, No. 09-2751, 2011 WL 6088611, at *5 (E.D. Pa. Dec. 7, 2011) ("A compensable `loss' under the CFAA . . . is the cost of remedial measures taken to investigate or repair the damage to the computer, or the loss is the amount of lost revenue resulting from a plaintiff's inability to utilize the computer while it was inoperable because of a defendant's misfeasance.")
  • Cost of salaries of employees to repair system
      • Larsen 553 9th Cir 2006 (stating that losses "include[] the time that the victim's salaried employees spend responding to the unauthorized intrusion")
      • Millot 1061 8th Cir 2006 (recognizing that hours spent by employees responding to an intrusion constitute losses under the statute, because their time could have been spent on other duties)
      • Middleton 1214 9th Cir 2000 (finding that a salaried employee's time spent responding to an intrusion is a loss under the statute, because "[t]here is no basis to believe that Congress intended the element of `damage' to depend on a victim's choice whether to use hourly employees, outside contractors, or salaried employees to repair the . . . harm to a protected computer")
      • Fowler MDFL 2010
      • NCMIC Finance Corp 1065 SDIowa 2009 (finding that the company's chief information officer's time spent investigating the matter was appropriately considered a loss under the statute)
  • Theft of trade secrets
      • [Shurgard]
  • Lost profits. 18 U.S.C. 1030(e)(11)
      • Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App'x 559, 562 (2d Cir. 2006) ("[T]he plain language of the statute treats lost revenue as a different concept from incurred costs, and permits recovery of the former only where connected to an `interruption in service.'")

    Damage does not include

  • Attorney's fees.
      • Mintel Int'l Group, LTD. v. Neergheen, No. 08-3939, 2010 WL 145786, at *10 (N.D. Ill. Jan. 12, 2010) (holding that fees paid to a computer expert to assist the plaintiff in litigation against alleged violator, but not for the purpose of assessing computer damage, were not "losses" under the CFAA)
      • Del Monte Fresh Produce, N.A., Inc. v. Chiquita Brands Int'l Inc., 616 F. Supp. 2d 805, 812 (N.D. Ill. 2009)
      • Healthcare Advocates, Inc. v. Harding, Earley, Follmer & Frailey, 497 F. Supp. 2d 627, 647 (E.D. Pa. 2007)
      • Wilson v. Moreau, 440 F. Supp. 2d 81, 110 (D.R.I. 2006).

    According to DOJ, “any reasonable method can be used to establish the value of the information obtained. For example, the research, development, and manufacturing costs, or the value of the property ‘in the thieves' market,’ can be used to meet the” required showing of a minimum of $5,000 in damage. [NIIP] [Steroga]

    Unauthorized Access

    What does it mean to have "unauthorized access" to a computer or network? 18 U.S.C. §§ 1030(a)(2), 1030(a)(5)(A). When can authorized access become unauthorized access? If one who has authorized access then misappropriates information on the computer, has that access become "unauthorized"? If one has access to a public website, but then violates that site's terms of service, has the access become a criminal unauthorized access? Can the police prosecute as a federal crime a violation of a site's Terms of Service? Some courts confronting this conundrum have opined that using the CFAA to redress such actions "transform[s] the CFAA from an anti-hacking statute into an expansive misappropriation statute." But not all courts are in agreement.

    The Southern District of New York stated:

    Where a statutory term is undefined, it must be given its ordinary meaning. Santos, 553 U.S. 507, 128 S. Ct. at 2024 ; Broxmeyer, 2010 WL 3001351, at *3; see also United States v. Morris, 928 F.2d 504, 511 (2d Cir. 1991) (holding that the word "authorization" for purposes of the CFAA is "of common usage, without any technical or ambiguous meaning," and therefore the district court "was not obliged to instruct the jury on its meaning"). "Authorization" is generally defined as the "act of authorizing" or "permission or power granted by an authority." See, e.g., The Random House Dictionary of the English Language 100 (Unabridged ed. 1970). The term "authorize," in turn, ordinarily means to grant authority or permission to do something. See, e.g., The American Heritage Dictionary 121 (4th ed. 2000) ("To grant authority or power to; [t]o give permission for; sanction."); 1 Oxford English Dictionary 799 (2d ed. 1989) ("To give legal or formal warrant to (a person) to do something; to empower, permit authoritatively."); The Random House Dictionary of the English Language 100 (1970) ("[T]o give authority or official power to; empower; to give authority for; formally sanction (an act or proceeding)."); Webster's Third New International Dictionary 146 (1993) ("[T]o endorse, empower, justify, or permit by or as if by some recognized or proper authority."). Based on the ordinary meaning of "authorization," then, a person who "accesses a computer without authorization" does so without any permission at all. By contrast, a person who "exceeds authorized access" has permission to access the computer, but not the particular information on the computer that is at issue.

    [Aleynikov Sec. D SDNY 2010]

    "Courts have generally and sensibly concluded that the scope of an individual's authorization to access a computer network is analyzed 'on the basis of the expected norms of intended use.'" [Phillips 219 5th Cir 2007] [Creative Computing 9th Cir 2004] [EF Cultural Travel 582 1st Cir 2001] [Morris 505 2nd 1991]

    Question: If an individual accesses a computer service in violation of a Terms of Service or Acceptable Use Policy or Employment Policy - does that constitute an unauthorized access for CFAA purposes?

  • United States v. Teague, 646 F.3d 1119 (8th Cir. 2011). "There, the defendant used her privileged access to the National Student Loan Data System to obtain the student-loan records of President Obama. See id. at 1121. Following a jury trial, the defendant was convicted of one count of exceeding authorized access to a computer in violation of the CFAA. On appeal, the Eighth Circuit rejected the defendant's argument that there was insufficient evidence that she was the person who accessed President Obama's student-loan records. See id. at 1122-23. Because the defendant did not raise the issue, the Eighth Circuit did not decide whether accessing information for an improper purpose could violate the CFAA."
  • Violation of Terms of Service is not sufficient to establish unauthorized access. [US v Lori Drew CDCA 2009]
  • Use of another's password to access website without website owner's permission was unauthorized access in violation of CFAA [Vanderhye 645 4th Cir 2009] [State Analysis 316 EDVA 2009]

    Misuse / Misappropriation of information

    Employment

    During Employment

    Narrow Interpretation :: No CFAA Violation: "an employee with authority to access his employer's computer system does not violate the CFAA by using his access privileges to misappropriate information."

  • 9th Circuit
  • Nosal 9th Cir. 2012 ("[W]e hold that the phrase `exceeds authorized access' in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly.")
  • LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009) Finding that since there was no policy against emailing company documents, doing so did not give rise to CFAA claim.
  • "Authorization is defined in the dictionary as "permission or power granted by an authority." RANDOM HOUSE UNABRIDGED DICTIONARY, 139 (2001); see also WEBSTER'S THIRD INTERNATIONAL DICTIONARY, 146 (2002) (defining authorization as "the state of being authorized" and "authorize" as "to endorse, empower, justify, permit by or as if by some recognized or proper authority"). Based on this definition, an employer gives an employee "authorization" to access a company computer when the employer gives the employee permission to use it. Because LVRC permitted Brekka to use the company computer, the "ordinary, contemporary, common meaning," Perrin, 444 U.S. at 42, 100 S.Ct. 311, of the statute suggests that Brekka did not act "without authorization."... In other words, for purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations. It is the employer's decision to allow or to terminate an employee's authorization to access a computer that determines whether the employee is with or "without authorization."" p. 1133
  • "The Ninth Circuit held that Brekka, an employee of a residential addiction treatment center, had not violated the Act when he emailed documents that he was authorized to obtain to his personal email account. Id. at 1129. The treatment center argued that Brekka obtained the documents he emailed without authorization because he later used them for his own personal interests. Id. at 1132. The treatment center had no policy prohibiting employees from emailing company documents to personal email accounts, and there was no dispute that Brekka had been authorized to obtain the documents or to send the emails while he was employed. Id. at 1129." Rodriquez.11th Cir 1020
  • METABYTE, INC. v. NVIDIA CORP., Dist. Court, ND California 2013 ("The Ninth Circuit has recently made clear that the CFAA is not meant to serve as a supplement or replacement for misappropriation claims.")
  • "the plain language of the CFAA targets the unauthorized procurement or alteration of information—i.e., computer "hacking"—not the misuse or misappropriation of such information. 676 F.3d at 863. Since the Korn/Ferry employees were authorized to access the confidential information, the court found that they did not exceed their authorized access by accessing the company database. Id. at 864. In other words, the sharing of confidential information by employees, even if obtained and distributed in violation of company policy, was not actionable under the CFAA. Id. The court reasoned that to conclude otherwise "would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute." Id. at 857." [Oracle v Service Key NDCA 2012]
  • Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 967 (D.Ariz.2008) ("`A violation for accessing `without authorization' occurs only where initial access is not permitted. And a violation for `exceeding authorized access' occurs where initial access is permitted but the access of certain information is not permitted.");
  • 1st Circuit
  • ADVANCED MICRO DEVICES, INC. v. Feldstein, Dist. Court, D. Massachusetts 2013 ("There is no express indication in the legislative history of the CFAA that Congress intended for employers to sue at-will employees to recover economic damages resulting from time spent looking at personal emails instead of working. See id. at 857-58 (majority opinion). However, any information stored on any computer can satisfy the textual requirements of § 1030(a)(2)(C). Therefore, if this Court were to adopt a broad interpretation of the term of art "access that exceeds the scope of authorization" then arguably any violation of a contractual obligation regarding computer use becomes a federal tort so long as a very minimal damages threshold is met ($5,000 in any twelve-month period).")
  • Wentworth-Douglass Hosp. v. Young & Novis Prof'l Ass'n, No. 10-cv-120-SM, 2012 WL 2522963 at *4 (D.N.H. June 29, 2012), the district court distinguished between a person who violates a computer use policy, as opposed to a person who violates computer access restrictions. In that case, the court ruled that a doctor who used his own password to access a computer system in a way proscribed by policy, but not blocked technically, was not violating the CFAA. In contrast, the court found that a different doctor who used his wife's password to access a computer system had gained unauthorized access and thus had "circumvented the [technical] access restrictions." Id.
  • Nucor Steel Marion, Inc. v. Mauer, No. 10-cv-327-SM, 2010 WL 5092774 at *5 (D.N.H. Dec. 7, 2010): a person who is "entitled to obtain the information at issue [and does not go] beyond that which he was entitled to obtain" does not run afoul of the unauthorized access provisions of the CFAA.
  • Guest-Tek Interactive Entm't, Inc. v. Pullen, 665 F. Supp. 2d 42 (D. Mass. 2009).
  • 2nd Circuit
  • Univ. Sports Pub at 3-4 SDNY 2010
  • Orbit One 385 SDNY 2010
  • Jet One Group at 5 EDNY 2009
  • 3rd Circuit
  • GIVAUDAN FRAGRANCES CORPORATION v. Krivda, Dist. Court, D. New Jersey 2013 ("While disloyal employee conduct might have a remedy in state law, the reach of the CFAA does not extend to instances where the employee was authorized to access the information he later utilized to the possible detriment of his former employer." Id. at 55-56 (quoting Consulting Prof. Res., Inc. v. Concise Techs. LLC, 2010 U.S. Dist. LEXIS 32573, *6 (W.D. Pa. Mar. 9, 2010)))
  • "Here Defendant had permissible access to the formula management database system. Plaintiff's proposition that Defendant could not "review and print" does not fall within the definition of exceeds authorized access."
  • Synthes, Inc. v. Emerge Med., Inc., 2012 U.S. Dist. LEXIS 134886, 52 (E.D. Pa. Sept. 19, 2012) ("Generally, the Computer Fraud and Abuse Act § 1030(a)(4), prohibits the unauthorized access to information rather than unauthorized use of such information.")
  • The inquiry depends not on the employee's motivation for accessing the information, but rather whether the access to that information was authorized. Id. at 53 (citing Brett Senior & Assocs., P. C. v. Fitzgerald, 2007 U.S. Dist. LEXIS 50833, *4 (E.D. Pa. July 13, 2007)). "While disloyal employee conduct might have a remedy in state law, the reach of the CFAA does not extend to instances where the employee was authorized to access the information he later utilized to the possible detriment of his former employer." Id. at 55-56 (quoting Consulting Prof. Res., Inc. v. Concise Techs. LLC, 2010 U.S. Dist. LEXIS 32573, *6 (W.D. Pa. Mar. 9, 2010)).
  • Bro-Tech Corp. v Thermax, Inc., 651 F. Supp. 2d 378, 407 (E.D. Pa. 2009). "an employee who may access a computer by the terms of his employment is authorized to use that computer for purposes of CFAA even if his purpose in doing so is to misuse or misappropriate the employer's information."
  • 4th Circuit
  • Diamond Power Int'l, Inc. v. Davidson, 540 F.Supp.2d 1322, 1343 (N.D.Ga.2007). "[A] violation for accessing "without authorization" occurs only where initial access is not permitted. And a violation for "exceeding authorized access" occurs where initial access is permitted but the access of certain information is not permitted."
  • International Ass'n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F.Supp.2d 479, 498 (D.Md.2005) ("[T]o the extent that [the employee] may have breached the Registration Agreement by using the information obtained for purposes contrary to the policies established by the [employer's constitution], it does not follow, as a matter of law, that she was not authorized to access the information, or that she did so in excess of her authorization in violation of the CFAA.")
  • 6th Circuit
  • Black & Decker, Inc. v. Smith, 568 F.Supp.2d 929, 934-37 (W.D.Tenn.2008) (rejecting Citrin and Shurgard; "[The employee] was permitted access to [the employer's] network and any information on that network. The fact that [the employee] did not have permission to subsequently misuse the data he accessed by sharing it with any of his former employer's competitors is another matter that may be circumscribed by a different statute.")
  • 8th Circuit
  • SEBRITE AGENCY, INC. v. Platt, Dist. Court, Minnesota 2012 ("narrower interpretation of the CFAA, holding that the misuse or misappropriation of confidential information stored on a computer to which the defendant has authority to access does not give rise to liability")
  • 11th Circuit
  • Keen v. BOVIE MEDICAL CORPORATION, Dist. Court, MD Florida 2013 (no CFAA violation where employer gave former employee permission to purge company laptop of personal information after termination of employment)
  • Clarity Services, Inc. v. Barney, 698 F. Supp. 2d 1309 - Dist. Court, MD Florida 2010
  • Lockheed Martin Corp. v. Speed, 2006 WL 2683058, at *4-7 (M.D.Fla. Aug. 1, 2006);
  • The term, "without authorization," is not defined by the CFAA. Nonetheless, "authorization" is commonly understood as "[t]he act of conferring authority; permission." The American Heritage Dictionary, 89 (1976). On the other hand, the CFAA defines "exceeds authorized access" as follows: "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter[.]" 18 U.S.C. § 1030(e)(6). The CFAA targets access "without authorization" in six separate offenses (§§ 1030(a)(1), (a)(2), (a)(3), (a)(4), (a)(5)(ii), (a)(5)(iii)), only three of which also reach persons "exceeding authorized access" (§§ 1030(a)(1), (a)(2), (a)(4)). Thus, it is plain from the outset that Congress singled out two groups of accessers, those "without authorization" (or those below authorization, meaning those having no permission to access whatsoever—typically outsiders, as well as insiders that are not permitted any computer access) and those exceeding authorization (or those above authorization, meaning those that go beyond the permitted access granted to them—typically insiders exceeding whatever access is permitted to them)....
  • Citrin relegates the work performed by "exceeds authorized access" to those outside the principal-agent relationship (e.g., ex-employee) that are permitted a minimum level of access to a computer, and then exceed that access. But this effectively turns the plain reading of the statutory definition of "exceeds authorized access" on its head. The statutory definition appears purposefully aimed at the company insider that already has authorization—not the non-agent outsider with public access to a company website. Citrin agreed that the CFAA's distinguished use of "without authorization" and "exceeds authorized access" resulted in "[m]uddying the picture some." In this Court's view, the plain meaning brings clarity to the picture and illuminates the straightforward intention of Congress, i.e., "without authorization" means no access authorization and "exceeds authorized access" means to go beyond the access permitted. While Citrin attempts to stretch "without authorization" to cover those with access authorization (albeit those with adverse interests), Congress did not so stipulate.
  • Broad Interpretation :: CFAA Violation: "an employee accesses a computer "without authorization" or "exceeds authorized access" within the meaning of § 1030 whenever the employee, without knowledge of the employer, possesses an adverse interest or breaches the duty of loyalty to the employer, thereby terminating her agency relationship." [US v John 271 5th Cir 2010 ("'authorization' may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system . . . at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime")]

  • 11th Circuit
  • US v. Rodriguez, 628 F. 3d 1258 - Court of Appeals, 11th Circuit 2010 (Employer Social Security Administration had policy prohibiting accessing information on its databases for nonbusiness reasons; Defendant had authority to access database, but accessed it and downloaded information for nonbusiness reasons. Affirmed that Defendant exceeded his authority to access the database and therefore violated the CFAA).
  • 9th Circuit
  • Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1125 (W.D.Wash.2000) (holding that employees' authority to access company computers ended when those employees surreptitiously became agents of defendant competitor and sent company's proprietary information to competitor via email)
  • 8th Circuit
  • Personalized Brokerage Services, LLC v. Lucius, 05-cv-1663 (PAM/FLN), 2006 WL 208781, at *2 (D. Minn. Jan. 26, 2006) ("An employee who exceeds authorized access to an employer's computer may violate the CFAA.").
  • 7th Circuit
  • International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir.2006) (defendant's "breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship")
  • 2nd Circuit
  • Mktg Tech Solutions at 7 SDNY 2010
  • Calyon at 1 SDNY 2007
  • 1st Circuit
  • EF Cultural Travel BV v. Explorica, Inc. (EF Cultural I), 274 F.3d 577, 583-84 (1st Cir. 2001)(defendant's use of "scraper" software to systematically glean tour company's prices from its website "exceeded authorized access," assuming program's speed and efficiency was attributable to defendant's breach of his confidentiality agreement with the company, his former employer)
  • Register 252-53 2000
  • After Employment

  • Possession of former employer's laptop with company proprietary information, and accessing that information, may give rise to a CFAA cause of action. [Formulas DUtah 2010]
  • References

  • See Orin Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1634 (2003) (explaining that the agency theory of authorization extends liability to "an employee's use of an employer's computer for anything other than work-related activities.").
  • Open network?

    This can become a complicated issue when a network, such as a Wi-Fi network, is openly available to the public with no notice of restriction, or when an employee has authorization to access a network but then acts out of disgruntlement. There are lots of circumstances where this is less than clear. One example that has arisen is open Wi-Fi networks. If a coffee house leaves a network open and unsecured, and a bloke standing outside with a Skype phone automatically detects and connects to that Wi-Fi network, is it unauthorized access? Some states have concluded that it is. [Register (defendant on notice lacked permission to datamine website)] [Galbraith (critiquing use of CFAA in Register case)] [Four Seasons Hotels (spoofed computer made to look authorized on network)] [LCGM (violation of TOS can create unauthorized access)]

    Where an individual comes upon an open network and uses that network, does the individual run afoul of state law? This issue is commonly seen in the context of access to a computer network through an open, unsecured wireless access point (WAP), where an individual with a Wi-Fi-enabled device seeks to access the computer network. See WiFi Theft for a discussion. But it could be as simple as a standalone remote terminal in a library or other public space, or an open, unsecured Ethernet jack in a public government building.

    Security Requirement:

    Several states have concluded that for access to be unauthorized, the network or system must be using security of some type. See Louisiana, New York, Nebraska, Massachusetts, and Minnesota.

    Notice Burden:

    The state laws seem to fall out into two categories:

  • Those states that require the outsider to know that access to a network is unauthorized for the access to be unauthorized. This creates the defense on the part of the outsider that the outsider simply did not know. This places the burden on the network owner to provide notice to the outsider.

  • Those states that require the outsider to know that access is authorized for the access to be authorized. This places the burden on the outsider to acquire knowledge that access is permissive before utilizing a network. A few states require notice to potential network users. See Minnesota.

  • The States Chart has a column labeled "Open Network?" This column seeks to break state laws into groups according to who has the burden. This is clearly just our opinion in the context of an academic evaluation and discussion (in other words, if you need legal advice, consult an attorney).

    Recall that the issue is whether an individual accessing an open network runs afoul of state law; no nefarious intent is assumed - we can assume that this is just Joe Dude seeking to do a quick email check. Therefore some states' laws which have an element of bad intent or bad action would not appear to apply at all.

    Trespass to Chattels

    Many scholars have likened this analysis to a Trespass to Chattels argument. [Hale] [Kern] [Bierlein] Several courts have applied Trespass to Chattels jurisprudence to "unauthorized access" to computers issues. [Register.com at 404] Trespass to Chattels has been used in spam cases. [Compuserv] [AOL v IMS] [AOL v LCGM] [AOL v Natl Health Care Disc] Other courts have been unpersuaded that Trespass to Chattels applies to computer access cases. [Intel]

    Contrasting Trespass to Chattels and Trespass to Real Property (land), the problem is that Trespass to Chattels addresses the deprivation of use from the owner of some thing, while Trespass to Real Property addresses whether access to the real property is authorized or not (i.e., trespass).

    According to the Restatement (Second) of Torts, “A trespass to a chattel may be committed by intentionally (a) dispossessing another of the chattel, or (b) using or intermeddling with a chattel in the possession of another.” RESTATEMENT (SECOND) OF TORTS § 217.

    While Trespass to Chattels typically is the appropriate analysis for stuff that is not real property, the question before us is whether access is authorized (trespass), not whether someone has deprived someone else of the use of some thing.

    Some authorities note that the use of security to restrict access to a network provides notice to individuals that access is restricted and potentially unauthorized. [EF Cultural Travel p 63 (“After all, password protection itself normally limits authorization by implication (and technology), even without express terms.”)]

  • Sotelo v. DirectRevenue, L.L.C., 384 F. Supp. 2d 1219 (N.D. Ill. 2005) (applying Trespass to Chattels)
  • Southwest Airlines v. Farechase, Co., 318 F. Supp. 2d 435 (N.D. Tex. 2004) (applying Trespass to Chattels)
  • Intel v. Hamidi, 30 Cal. 4th 1342 (2003) ("In Hamidi the California Supreme Court held that a former Intel Corporation employee's e-mails to current Intel employees, despite requests by Intel to stop sending messages, did not constitute trespass of Intel's e-mail system.")
  • eBay, Inc. v. Bidder’s Edge, 100 F. Supp. 2d 1058 (N.D. Cal. 2000) (applying Trespass to Chattels)
  • Thrifty-Tel, Inc. v. Bezenek, 54 Cal. Rptr. 2d 468 (Cal. Ct. App. 1996) ("unauthorized access to telephone system constituted trespass to chattels")
  • Thrifty-Tel, 54 Cal. Rptr. 2d at 473 n.6 (Trespass to Chattels: “In our view, the electronic signals generated by the Bezenek boys’ activities were sufficiently tangible to support a trespass cause of action.”)
  • White Buffalo Ventures L.L.C. v. Univ. of Texas, 420 F.3d 366, 377 n.24 (5th Cir. 2005) (Trespass to Chattels)
  • Register.com v. Verio
  • WEC Carolina Energy Solutions LLC v. Miller (4th Cir.)
  • Caselaw

  • LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009). The Ninth Circuit holds: "[A] person uses a computer 'without authorization' under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway."
  • US v Powers (D Nebraska Mar. 4, 2010) upholding claim where allegedly defendant accessed email account of victim, with password she had provided to him, and sent out emails with nude pictures of her to addresses in her address book - court implicitly finding that intent of defendant in accessing computer is relevant to whether access is unauthorized. Computer Fraud Blog
  • Am. Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 768-70 (N.D. Ohio 2008) (recognizing split of authority as to meaning of "without authorization")
  • SecureInfo Corp. v. Telos Corp., 387 F. Supp. 2d 593 (E.D. Va. 2005) (dismissing CFAA claims against non-party to licensing agreement where licensee of software permitted non-party to access licensee's server and copy licensor's proprietary information because licensee "authorized" non-party's access to its own computers)
  • Papers
