Federal Internet Law & Policy
An Educational Project
Cybercrime Reference: Don't be a FOOL; The Law is Not DIY
US Code

  • 18 USC § 1001 Statements or entries generally (sometimes cited on federal websites as a statute that would be violated by a hack)
  • 18 U.S.C. § 1029.  Fraud and Related Activity in Connection with Access Devices
  • Computer Fraud and Abuse Act of 1986 18 U.S.C. 1030.
  • 18 U.S.C. § 1362.  Communication Lines, Stations, or Systems
  • 18 U.S.C. § 2511.  Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited
  • 18 U.S.C. § 2701.  Unlawful Access to Stored Communications
  • 18 U.S.C. § 2702.  Disclosure of Contents
  • 18 U.S.C. § 2703.  Requirements for Governmental Access
  • See FISMA and FIPS requirements for the USG
  • See also the Fraudulent Online Identity Sanctions Act (criminalizing false WHOIS records)
  • Patriot Act
  • Redline Showing Changes Resulting from 2001 USA Patriot Act
  • Economic Espionage Act
  • Computer Fraud and Abuse Act of 1986 18 U.S.C. 1030.
  • Computer Fraud and Abuse Act of 1984
  • 18 U.S.C. 1030.
  • The Computer Fraud and Abuse Act was originally enacted in 1984 to provide a clear statement of proscribed activity concerning computers to the law enforcement community, those who own and operate computers and those tempted to commit crimes by unauthorized access to computers. Rather than having to ``boot-strap'' enforcement efforts against computer crime by relying on statutory restrictions designed for other offenses, the Computer Fraud and Abuse statute, 18 U.S.C. 1030, set forth in a single statute computer-related offenses. This first Federal computer crime statute made it a felony to access classified information in a computer without authorization and a misdemeanor to access financial records or credit histories in financial institutions or to trespass into a Government computer. Report of the Senate Committee on the Judiciary on the National Information Infrastructure Protection Act (August 27, 1996)
  • Judiciary Committee, S Report No 99-432
  • at 6: "the premise of 18 U.S.C. § 1030(a)(2) will remain the protection, for privacy reasons, of computerized credit records and computerized information relating to customers' relationship with financial institutions... Because the premise of this subsection is privacy protection, the Committee wishes to make clear that 'obtaining information' in this context includes mere observation of data.".
  • At 10: "[T]he mere use of a computer or computer service has a value all of its own. Mere trespasses onto someone else's computer system can cost the system provider a "port" or access channel that he might otherwise be making available for a fee to an authorized user. At the same time, the Committee believes it important to distinguish clearly between acts of fraud under (a)(4), punishable as felonies, and acts of simple trespass, punishable in the first instance as misdemeanors. That distinction would be wiped out were the Committee to treat every trespass as an attempt to defraud a service provider of computer time."
  • Amendments

  • Patriot Act
  • National Information Infrastructure Protection Act of 1996

    On June 29, 1995, Senators Kyl, Leahy, and Grassley introduced the NII Protection Act, S. 982. At hearings in both the House of Representatives and the Senate, representatives from Federal law enforcement agencies expressed the need for, and their support of, this bill. Specifically, Attorney General Janet Reno discussed the provisions of S. 982 in her October 30, 1995, responses to written questions in connection with the June 27, 1995, Judiciary Committee oversight hearing of the Department of Justice; Federal Bureau of Investigation Director Louis Freeh testified about S. 982 during the February 28, 1996, joint hearing with the Select Committee on Intelligence and the Judiciary Committee on economic espionage; and U.S. Secret Service Deputy Assistant Director of Investigations Robert Rasor testified about S. 982 during the October 11, 1995, hearing of the House Committee on Banking and Financial Services Subcommittee on Domestic and International Monetary Policy.
    As intended when the law was originally enacted, the Computer Fraud and Abuse statute facilitates addressing in a single statute the problem of computer crime, rather than identifying and amending every potentially applicable statute affected by advances in computer technology. As computers continue to proliferate in businesses and homes, and new forms of computer crimes emerge, Congress must remain vigilant to ensure that the Computer Fraud and Abuse statute is up-to-date and provides law enforcement with the necessary legal framework to fight computer crime. The NII Protection Act will likely not represent the last amendment to this statute, but is necessary and constructive legislation to deal with the current increase in computer crime.
    On June 13, 1996, the Committee on the Judiciary first considered the NII Protection Act, S. 982, as an amendment made by Senators Leahy, Kyl, and Grassley to H.R. 1533, a bill to amend title 18, United States Code, to increase the penalty for escaping from a Federal prison. At that time, with a quorum present, by voice vote, the Committee unanimously accepted the Leahy-Kyl-Grassley amendment to H.R. 1533, and unanimously ordered H.R. 1533, so amended, favorably reported.
    On August 1, 1996, the Committee on the Judiciary, with a quorum present, again accepted an amendment in the nature of a substitute to S. 982 offered by Senator Leahy, on behalf of himself and Senators Kyl and Grassley. The amendment included the provisions in the S. 982, as introduced, with one modification. As discussed in more detail below, the amendment inserted the word ``nonpublic'' before ``computer of a department or agency'' in section 2(1)(C)(I) of the bill. The Leahy-Kyl-Grassley amendment was accepted by voice vote, and the Committee, also by voice vote, then unanimously ordered S. 982, as amended, favorably reported.
    Report of the Senate Committee on the Judiciary on the National Information Infrastructure Protection Act (August 27, 1996)

  • USDOJ, The National Information Infrastructure Protection Act of 1995
  • Electronic Communications Privacy Act
  • Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.
  • Requires annual report card of agencies' security efforts
  • Information Infrastructure Protection Act of 1996
  • Computer Security Act of 1987 | CIO Copy | EPIC | PL 100-235 |
  • Jones Telecom:  Computer Fraud
  • Electronic Communications Privacy Act
  • GSA Computers and Information Technology
  • CCIPS:  Federal Computer Intrusion Laws
  • DOJ Material
  • Legislative Analysis
  • CCIPS: Federal Code Related to Cybercrime
  • Example statement of a federal agency website warning against illegal activity.
  • State Law

  • Computer Hacking and Unauthorized Access Laws, National Conference of State Legislatures
  • Government

  • Charles Doyle, Cybercrime: A Sketch of 18 USC 1030 and Related Federal Criminal Laws (PDF), Congressional Research Service (Dec. 27, 2010)
  • DOJ It’s Not Just Fun and "War Games" – Juveniles and Computer Crime, Joseph V. DeMarco, USA Bulletin (May 2001)
  • DOJ Working with Victims of Computer Network Hacks, Richard P. Salgado, USA Bulletin (March 2001)
  • DOJ Supervised Release and Probation Restrictions in Hacker Cases, Christopher M.E. Painter, USA Bulletin (March 2001)
  • Caselaw (select cases)

  • DOJ Computer Intrusion Cases
  • Appellate
  • United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc) ("[W]e hold that the phrase `exceeds authorized access' in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly.")
  • US v. Rodriguez, 628 F. 3d 1258 - Court of Appeals, 11th Circuit 2010
  • United States v. John, 597 F.3d 263, 271 (5th Cir. 2010) (where employee had authorization to access computers, scope of that authorization could be construed as limited. Defendant knew or should have known that she was not authorized to access computers for activities in furtherance of a crime).
  • Rehberg v. Paulk, (11th Cir. March 11, 2010) (if you send an email to anyone else, you have relinquished any privacy interest in that email)
  • Orin Kerr, Eleventh Circuit Decision Largely Eliminates Fourth Amendment Protection in E-Mail, Volokh Conspiracy (Mar. 2010)
  • LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir. 2009)
  • A. V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 645 (4th Cir. 2009) (concluding that use of another's password to access website without website owner's permission was unauthorized access in violation of CFAA);
  • United States v. Phillips, 477 F.3d 215, 219 (5th Cir. 2007) (the scope of an individual's authorization to access a computer network is analyzed "on the basis of the expected norms of intended use.")
  • US v Trotter, No 05-4202 (8th Cir. Feb. 23, 2007) (ruling that Salvation Army's computers are protected computers as they are engaged in interstate communications connected to the Internet)
  • Fiber Systems International v. Roehrs, 2006 WL 3378403 (5th Cir. Nov. 22, 2006) (finding that CFAA authorizes a private right of action for all of its provisions)
  • U.S. v. Walters, 182 Fed. Appx. 944, 945 (11th Cir. 2006)
  • U.S. v. Millot, 433 F.3d 1057, 1061 (8th Cir. 2006)
  • International Airports Centers v. Citrin, 440 F3d 418 (7th Cir 2006) (company has a cause of action where departing employee deleted files off of laptop and used a trace removal program to scrub the laptop of any vestige of the files)
  • PC Yonkers v. Celebrations the Party and Seasonal Superstore, __ F3d __ (3rd Cir. Nov. 2005) (dismissing claim pursuant to 1030(a)(4) for lack of evidence of anything taken)
  •, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000), aff’d in part, rev’d in part, 356 F.3d 393 (2d Cir. 2004) (facts involved Verio's utilization of a search bot)
  • Creative Computing v. LLC, 386 F.3d 930 (9th Cir. 2004)
  • Theofel v. Farey-Jones, 359 F3d 1066, 1078 (9th Cir 2003)
  • EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003)
  • EF Cultural Travel BV v. Explorica, Inc. , 274 F.3d 577 (1st Cir. 2001)
  • former employees data-mined former employer's website in contravention of confidentiality agreement and TOS
  • US v Middleton 231 F3d 1207 (9th Cir. 2000) (damages)
  • United States v Kevin Mitnick, 145 F.3d 1342 (9th Cir. 1998)
  • Mitnick Banned From Security Group, Security Focus 2/14/03
  • Why Kevin Mitnick Worries Me, Newsfactor 1/3/03
  • KEVIN DAVID MITNICK LICENSEE OF STATION N6NHG IN THE AMATEUR RADIO SERVICE FOR RENEWAL OF STATION LICENSE. Granted application of Kevin David Mitnick for Renewal of License of Station NGNHG in the Amateur Radio Service. (Dkt No. 01-344). Action by: ALJ Richard L. Sippel. Adopted: 12/20/2002 by Initial Decision. (FCC No. 02D-02). OALJ FCC-02D-02A1.pdf FCC-02D-02A1.txt, FCC 1/2/03
  • Freed Hacker Mitnick Debunks Myths Vnunet 10/18/02
  • Hacker Mitnick Sells Laptops, Allafrica 10/3/02
  • Mitnick to Plead for Ham License (Feb 8, 2002), Wired
  • "By this Order, we commence a hearing proceeding before an FCC Administrative Law Judge to determine, ultimately, whether the application of Kevin David Mitnick for renewal of Amateur Radio Station and General Class Operator License N6NHG should be granted. As discussed below, Mr. Mitnick is a convicted felon whose illegal activities have included the interception of electronic communications, computer fraud, wire fraud, and causing damage to computers. Based on the information before us, we believe that Mr. Mitnick's criminal behavior raises a substantial and material question of fact as to whether he possesses the requisite character qualifications to be and remain a Commission licensee. Because we are unable to make a determination that grant of Mr. Mitnick's application would serve the public interest, convenience, and necessity, we hereby designate the application for hearing, as required by Section 309(e) of the Communications Act of 1934, as amended."
  • Discussion of Kevin Mitnick
  • U.S. v. Czubinski, 106 F.3d 1069 (1st Cir. 1997)
  • unauthorized browsing ain't no crime
  • unauthorized access to IRS database by IRS employee did not constitute a violation of 1030(a)(4) where government failed to establish anything of value was obtained
  • US v. Sablan, 92 F3d 865 (9th Cir. 1996)
  • Brown v. Waddell, 50 F.3d 285, 294 (4th Cir. 1995) (interception of pager signals)
  • United States v. Davis, 978 F.2d 415, 419–20 (8th Cir. 1992) (interception of satellite signals)
  • U.S. v. Morris, 928 F.2d 504 (2d Cir. 1991)
  • First famous Internet worm, from 1988, which led to the establishment of CERT; the court found that the Morris worm fell under the CFAA ("discussing criminal liability for putting a 'worm' on the Internet and causing many computer systems to crash.")
  • United States v Brown, 925 F2d 1301, 1308 (10th Cir. 1991), where the court held that purely intangible intellectual property, such as a computer program, cannot constitute goods, wares, merchandise, securities, or moneys which have been stolen, converted, or taken within the meaning of § 2314.
  • United States v. Stegora, 849 F.2d 291, 292 (8th Cir. 1988).
  • District Court
  • GIVAUDAN FRAGRANCES CORPORATION v. Krivda, Dist. Court, D. New Jersey 2013 ("While disloyal employee conduct might have a remedy in state law, the reach of the CFAA does not extend to instances where the employee was authorized to access the information he later utilized to the possible detriment of his former employer.")
  • METABYTE, INC. v. NVIDIA CORP., Dist. Court, ND California 2013 ("The Ninth Circuit has recently made clear that the CFAA is not meant to serve as a supplement or replacement for misappropriation claims.")
  • Sharma v. Howard County, Dist. Court, D. Maryland 2013
  • ORACLE AMERICA, INC. v. SERVICE KEY, LLC, Dist. Court, ND California 2012
  • ANIMATORSATLAW, INC. v. CAPITALLEGALSOLUTIONS, LLC Dist Court EDVA May 10, 2011 (denying motion to dismiss; whether investigation expenses after incursion were reasonable was a triable fact for the jury)
  • Hillsboro Dental, LCC v Hartford Casualty Insurance, Co., et al., Case No. 4:10-CV-271 (CEJ). United States District Court, E.D. Missouri, Eastern Division. December 14, 2010 (Def Motion to Dismiss where plaintiff failed to allege that Defendant's actions were unauthorized)
  • Nucor Steel Marion, Inc., v. Mauer, Dist. Court, D. New Hampshire 2010
  • US v. Fowler, Case No. 8:10-cr-65-T-24 AEP (MDFL Oct. 25, 2010)
  • Systematic Formulas v Kim, Case No. 1:07-cv-00159-TC-DN (D Utah Sept 3, 2010)
  • Multiven, Inc. v. Cisco Systems, Inc., 2010 WL 2889262, at *3 (N.D. Cal. July 20, 2010)
  • National City Bank, N.A. v. Prime Lending, Inc., 2010 WL 2854247, at *4 n.2 (E.D. Wash. July 19, 2010)
  • Expert Janitorial, LLC v. Williams, 2010 WL 908740, at *8 (E.D. Tenn. Mar. 12, 2010);
  • Mktg. Tech. Solutions, Inc. v. Medizine LLC, No. 09 Civ. 8122(LLM), 2010 WL 2034404, at *7 (S.D.N.Y. May 18, 2010)
  • US v Aleynikov, SDNY Sept 3, 2010
  • Univ. Sports Pub. Co. v. Playmakers Media Co., No. 09 Civ. 8206(RJH), ___ F. Supp. 2d ___, 2010 WL 2802322, at *3-*4 (S.D.N.Y. July 14, 2010)
  • Global Policy Partners, LLC v. Yessin, 686 F. Supp.2d 642, 647 (E.D. Va. 2010) (CFAA plaintiff must show that qualifying costs are "reasonable" and were "caused" by a CFAA violation)
  • Orbit One Commc'ns, Inc. v. Numerex Corp., 692 F. Supp. 2d 373, 385 (S.D.N.Y. 2010)
  • Jet One Group, Inc. v. Halcyon Jet Holdings, Inc., No. 08 Civ. 3980(JS), 2009 WL 2524864, at *5 (E.D.N.Y. Aug. 14, 2009)
  • Dedalus Foundation v. Banach, 2009 WL 3398595, at *2 (S.D.N.Y. Oct. 16, 2009)
  • Continental Group, Inc. v. KW Property Management, LLC, 622 F. Supp.2d 1357, 1370 (S.D. Fla. 2009)
  • NCMIC Finance Corp. v. Artino, 638 F. Supp.2d 1042, 1065 (S.D. Iowa 2009)
  • Lori Drew
  • USA v Lori Drew (PDF), No CR 08--0582-GW (CD CA Nov. 20, 2009) (Motion for Voluntary Dismissal on Appeal)
  • USA v Lori Drew (PDF), No CR 08--0582-GW (CD CA Aug. 28, 2009)
  • "Treating a violation of a website's terms of service, without more, to be sufficient to constitute "intentionally access[ing] a computer without authorization or exceed[ing] authorized access" would result in transforming section 1030(a)(2)(C) into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into misdemeanant criminals. As noted in Section IV(A) above, utilizing a computer to contact an Internet website by itself will automatically satisfy all remaining elements of the misdemeanor crime in 18 U.S.C. 1030(a)(2)(C) and 1030(c)(2)(A). Where the website's terms of use only authorizes utilization of its services/applications upon agreement to abide by those terms (as, for example, the MSTOS does herein), any violation of any such provision can serve as a basis for finding access unauthorized and/or in excess of authorization."
  • One need only look to the MSTOS terms of service to see the expansive and elaborate scope of such provisions whose breach engenders the potential for criminal prosecution. Obvious examples of such breadth would include: 1) the lonely-heart who submits intentionally inaccurate data about his or her age, height and/or physical appearance, which contravenes the MSTOS prohibition against providing "information that you know is false or misleading"; 2) the student who posts candid photographs of classmates without their permission, which breaches the MSTOS provision covering "a photograph of another person that you have posted without that person's consent"; and/or 3) the exasperated parent who sends out a group message to neighborhood friends entreating them to purchase his or her daughter's girl scout cookies, which transgresses the MSTOS rule against "advertising to, or solicitation of, any Member to buy or sell any products or services through the Services." See Exhibit 3 at 4. However, one need not consider hypotheticals to demonstrate the problem. In this case, Megan (who was then 13 years old) had her own profile on MySpace, which was in clear violation of the MSTOS which requires that users be "14 years of age or older." Id. at 2. No one would seriously suggest that Megan's conduct was criminal or should be subject to criminal prosecution.
  • Given the incredibly broad sweep of 18 U.S.C. 1030(a)(2)(C) and 1030(c)(2)(A), should conscious violations of a website's terms of service be deemed sufficient by themselves to constitute accessing without authorization or exceeding authorized access, the question arises as to whether Congress has "establish[ed] minimal guidelines to govern law enforcement." Kolender, 461 U.S. at 358; see also City of Chicago v. Morales, 527 U.S. 41, 60 (1999). Section 1030(a)(2)(C) does not set forth "clear guidelines" or "objective criteria" as to the prohibited conduct in the Internet/website or similar contexts. See generally Posters 'N' Things, Ltd., 511 U.S. at 525-26. For instance, section 1030(a)(2)(C) is not limited to instances where the website owner contacts law enforcement to complain about an individual's unauthorized access or exceeding permitted access on the site. Nor is there any requirement that there be any actual loss or damage suffered by the website or that there be a violation of privacy interests.
  • The Government argues that section 1030(a)(2)(C) has a scienter requirement which dispels any definitional vagueness and/or dearth of guidelines, citing to United States v. Sablan, 92 F.3d 865 (9th Cir. 1996). The Court in Sablan did observe that:
  • [T]he computer fraud statute does not criminalize otherwise innocent conduct. Under the statute, the Government must prove that the defendant intentionally accessed a federal interest computer without authorization. Thus, Sablan must have had a wrongful intent in accessing the computer in order to be convicted under the statute. This case does not present the prospect of a defendant being convicted without any wrongful intent as was the situation in [United States v.] X-Citement Video [513 U.S. 64, 71-73 (1994)].
  • Id. at 869. However, Sablan is easily distinguishable from the present case as it: 1) did not involve the defendant's accessing an Internet website; 2) did not consider the void-for-vagueness doctrine but rather the mens rea requirement; and 3) dealt with a different CFAA subsection (i.e. 18 U.S.C. 1030(a)(5)) and in a felony situation.
  • The only scienter element in section 1030(a)(2)(C) is the requirement that the person must "intentionally" access a computer without authorization or "intentionally" exceed authorized access. It has been observed that the term "intentionally" itself can be vague in a particular statutory context. See, e.g., American Civil Liberties Union v. Gonzales, 478 F.Supp.2d 775, 816-17 (E.D. Pa. 2007), aff'd, 534 F.3d 181, 205 (3rd Cir. 2008), cert. denied, 129 S.Ct. 1032 (2009).
  • Here, the Government's position is that the "intentional" requirement is met simply by a conscious violation of a website's terms of service. The problem with that view is that it basically eliminates any limiting and/or guiding effect of the scienter element. It is unclear that every intentional breach of a website's terms of service would be or should be held to be equivalent to an intent to access the site without authorization or in excess of authorization. This is especially the case with MySpace and similar Internet venues which are publically available for access and use. See generally BoardFirst, 2007 U.S. Dist. LEXIS 96230 at *43. However, if every such breach does qualify, then there is absolutely no limitation or criteria as to which of the breaches should merit criminal prosecution. All manner of situations will be covered from the more serious (e.g. posting child pornography) to the more trivial (e.g. posting a picture of friends without their permission). All can be prosecuted. Given the "standardless sweep" that results, federal law enforcement entities would be improperly free "to pursue their personal predilections." Kolender, 461 U.S. at 358 (citing Smith v. Goguen, 415 U.S. 566, 575 (1994)).
  • In sum, if any conscious breach of a website's terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law "that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet]." City of Chicago, 527 U.S. at 64.
  • Kim Zetter, Prosecutors Drop Plans to Appeal Lori Drew Case, WIRED (Nov. 20, 2009) ("Letting that interpretation stand would ultimately have given prosecutors the power to criminally prosecute anyone for violating a website's terms of service, Wu reasoned, and "would convert a multitude of otherwise innocent internet users into misdemeanant criminals."")
  • Lori Drew Files New Bid for Dismissal on Grounds that MySpace Authorized Access, Wired 12/16/2008
  • Defense In Lori Drew Case Rests, As Judge Considers Dismissing The Case, Techdirt 11/25/2008
  • MySpace bully sentencing delayed, BBC 5/19/2009
  • Should Police Be Arrested For Illegal Hacking For Setting Up Fake Facebook Profile?, Techdirt 5/19/2009
  • Turnitin Errata: CFAA "Loss" Occurred After Complaint Was Filed, Techlaw 4/21/2009
  • Can Lori Drew Verdict Survive Appeal?, Wired 12/2/2008
  • Thanks To The Lori Drew Case, I Can Make Each Of You A Criminal, Techdirt 12/2/2008
  • Conviction in MySpace Suicide Case Dangerous Ruling, CDT 12/2/2008
  • MySpace bully case dismissed, BBC 12/2/2008
  • Lori Drew Case & Online Anonymity, Tech Lib Front 12/2/2008
  • Cyberbully Jury Nears Verdict on Three Charges, Struggles With Fourth, Wired 11/25/2008
  • Arguments in Case Involving Net and Suicide, NYT 11/20/2008
  • State Analysis, Inc. v. Am. Fin. Servs. Assocs., 621 F. Supp. 2d 309, 316 (E.D. Va. 2009) (concluding that use of another's password to access website without website owner's permission was unauthorized access in violation of CFAA)
  • MPC Containment Systems, Ltd., v. Moreland (PDF), No. 05 C 6973 (July 23, 2008) (defendant emailing company documents to his home computer may result in a CFAA claim)
  • Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 965-66 (D. Ariz. 2008)
  • Black & Decker Inc. v. Smith, 568 F. Supp. 2d 929, 934 (W.D. Tenn. 2008)
  • Diamond Power Int'l, Inc. v. Davidson, 540 F. Supp. 2d 1322, 1343 (N.D. Ga. 2007)
  • Calyon v. Mizuho Securities USA, Inc., No. 07 Civ. 2241(RO), 2007 WL 2618658, at *1 (S.D.N.Y. Sept. 5, 2007)
  • Wilson v Moreau (DRI 2006) (attorneys' fees do not count towards $5000 damage threshold)
  • Lockheed Martin Corp v. Speed, Case No 6:05-cv-1580-Orl-31KRS (MDFl Aug 1, 2006) (Defendant did not access computers in excess of authority pursuant to s 1030(a)(4) where defendant copied files while still employed by Lockheed, but prior to departing for a rival firm).
  • SecureInfo Corp. v. Telos Corp., 387 F. Supp. 2d 593 (E.D. Va. 2005)
  • IMS Inquiry Management Systems v. Berkshire Information Systems, __ FSupp2d __ (SDNY Feb. 23, 2004) (court found a potential cause of action where a competitor allegedly gained unauthorized access to a password protected online database through the use of a password issued to and obtained from one of plaintiff’s clients)
  • Pacific Aerospace & Elecs., Inc. v. Taylor, 295 F Supp 2d 1188, 1195 (ED Wash 2003).
  • Four Seasons Hotels and Resorts B.V. v. Consorcio Barr, S.A., 267 F. Supp. 2d 1268, 1322 (S.D. Fla. 2003) (access to protected network achieved via spoofing so that unauthorized computer appeared authorized)
  • In re Doubleclick Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y.2001)
  • Court dismissed Computer Fraud and Abuse Act cause of action on grounds that damage caused by cookies did not meet statutory threshold, and that the use of cookies constitutes permissive access
  • In re Intuit Privacy Litigation, 138 F.Supp.2d 1272 (C.D.Cal.2001) (claim that use of cookies violates CFAA dismissed)
  • dismissing claims that cookies violate CFAA but finding a possible cause of action under ECPA’s stored communications provisions
  • Chance v. Avenue A, Inc., 165 F.Supp.2d (W.D.Wash.2001) (claim that use of cookies violates CFAA dismissed)
  • U.S. v. Smith, (D. N.J. May 1, 2001) (David Smith was charged with, and pleaded guilty to, releasing the Melissa virus and violating 1030(a)(5)(A))
  • v. Verio, Inc., 126 F. Supp. 2d 238 (S.D. N.Y. 2000)
  • had given notice to Verio that Verio did not have permission to data mine’s DNS database
  • Am. Online, Inc. v. Nat’l Health Care Disc., Inc., 121 F. Supp. 2d 1255, 1274 (N.D. Iowa 2000) (degrading network service can constitute damage)
  • Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 FSupp2d 1121 (WD Wash 2000) (defining “protected computers” broadly)
  • "recent amendments to the federal Computer Fraud and Abuse Act create federal jurisdiction over damage caused to nearly all computers connected to the Internet."
  • "The CFAA was found in this case to provide a civil remedy by a private employer against employees who abuse their authority to access private company information by transmitting it to third parties via Internet email for their own personal advantage."
  • where individual was an employee who copied confidential business information and transmitted it to a competitor, the individual was acting as an agent of the competitor and therefore no longer was acting as an authorized employee, and the copying of the data constituted a breach to the integrity of the network and a loss to the plaintiff which could satisfy the damage thresholds of CFAA.
  • Scott Moulton and Network Installation Computer Services, Inc. v. VC3, Civ. Act. No. 1:00-CV-434-TWT (N.D.Ga. Nov. 6, 2000 ) (Court held that port scan was not actionable under CFAA).
  • Shaw v. Toshiba America Information Systems, Inc. , 91 F. Supp. 2d 926 (E.D. Tex. 1999) where the court permitted a claim to go forward on the basis that faulty code had resulted in data loss.
  • America Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d 444 (E.D. Va. 1998) (AOL TOS against SPAM meant access was unauthorized)
  • North Texas Preventive Imaging, L.L.C. v. Eisenberg 1996 U.S. Dist. LEXIS 19990 (C.D. Cal. Aug. 19, 1996) (SA CV 96-71 AHS (EEx))
  • Where plaintiff alleged that defendant placed a disabling code in software without authorization in the license, plaintiff has stated a cause of action for a violation of 1030(a)(5).
  • Sec. IV.A: "On this issue, Senator Leahy stated that the new language would not criminalize the use of disabling code 'when their use is pursuant to a lawful licensing agreement that specifies the conditions for reentry or software disablement.' Although Senator Leahy did not state the converse proposition, i.e., that the bill did criminalize the use of disabling codes which are not specified in a lawful licensing agreement, this is certainly a reasonable implication of the statement. The court has found nothing in the statute or legislative history to suggest that Congress intended a blanket exemption for the use of time bombs for the CFAA's prohibitions. Rather, time bombs would appear to fall within the statute's proscription on the use of 'codes, information, programs, or commands' to cause harm to protected computer systems. Whether the use of a time bomb is illegal appears to require a case-by-case analysis of the defendant's intent, the type of computer involved, and the resulting harm."
  • US v. Fernandez, 1993 WL 88197 (CDNY) (overruling vagueness objection to 1030(a)(5) and defining the term "federal interest computer")
  • US v. Morris, 728 FSupp 95, 96 (NDNY 1990) (defining elements of crime under 1030(a)(5)) (see circuit court)
  • Cybercrimes

    1030 Damage

    US v. McDaniel (defendant emailed customers of former employer, alerting them to the security vulnerabilities of the former employer's systems). Stanford Cyberlaw Clinic.

    Stored Communications

    Christine Souhrada, User Privacy and Anonymity on the Internet 2002 UCLA J.L. & Tech. Notes 22 ("See In re Doubleclick Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y.2001) ("Doubleclick"), In re Intuit Privacy Litigation, 138 F.Supp.2d 1272 (C.D.Cal.2001) ("Intuit"), Chance v. Avenue A, Inc., 165 F.Supp.2d [1153] (W.D.Wash.2001) ("Chance")..... The Intuit court held that accessing the cookies on a user's hard drive, even those that the accessing party placed there, could be found to be an unauthorized access under the statute; however, the Doubleclick and Chance courts held that the ECPA did not protect cookies and that the advertising companies in those cases, to whom the cookies belonged, were exempted from the ECPA.")

    Public Information

  •, Inc. v. Verio, Inc., 126 F. Supp. 2d 238, 255 (S.D.N.Y. 2000)
  • eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058, 1065 n.11 (N.D. Cal. 2000)
  • Niva Elkin-Koren, Let the Crawlers Crawl: On Virtual Gatekeepers and the Right to Exclude Indexing, 26 U. DAYTON L. REV. 179, 183 (2001)
  • Maureen A. O’Rourke, Property Rights and Competition on the Internet: In Search of an Appropriate Analogy, 16 BERKELEY TECH. L.J. 561, 574-80 (2001)