The need for a narrowly tailored Computer Fraud and Abuse Act

Authors: Derek Kan, Rohan Salantry, Shreyas, Max Gutman

Congress enacted its first anti-hacking law, the Computer Fraud and Abuse Act (CFAA), in 1986 to address federal computer-related offenses. The CFAA was originally enacted to protect against the fraudulent use of federal government computers and computers used in financial institutions; with the proliferation of computer technology, Congress recently amended the act to include civil and employment liability. Now, the CFAA, which was initially intended to punish hackers and other digital trespassers who damage computer systems or steal customer information, can also be used to prosecute people inside a company who download sensitive data without their employer’s approval, or possibly even those who access Facebook during working hours.

Critics argue that the language in the CFAA is too vague and that, read broadly, the provision implies that any information access we perform on the Internet in violation of a private computer use policy can be seen as a federal crime. Anyone who uses a computer for private use and for different activities on the web might be affected by the CFAA; this is particularly important when evaluating on-the-job use of computers by employees. One of the more debated areas of the law centers on the notion that it is illegal to “intentionally access a computer without authorization or exceeds authorized access.” Can liability be imposed on an employee who is given lawful access to a computer and the information on it, but later misuses that information in violation of the employer’s personal use policies? Or does it simply place liability on employees who are not permitted to access certain information, but do so anyway?

Under § 1030(a), an employer seeking reprisal in court must establish that an employee (a) had knowingly accessed a computer without authorization or in excess of authorized access; (b) had obtained private information; and (c) had done so with intent to defraud, leading to at least $5,000 of loss for the employer.

The U.S. Supreme Court has yet to clarify the scope of the CFAA, leaving companies to plead broad CFAA claims against disloyal employees for restitution, and thus leaving trial courts to tussle with the issue. Some employers have tested how the CFAA might apply to former employees who captured or destroyed company information upon termination of their employment. The activity of employees in these instances is a far cry from the innocuous activity of checking Facebook during office hours, but both fall on the spectrum of access. However, relevant case law has not provided a strong consensus on the matter.

In International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006), the court considered whether an employer could pursue action against a former employee for intentionally erasing files from a company laptop before terminating employment and starting a competing business. The Seventh Circuit ruled that an employee who breaches loyalty for the purpose of furthering an act of disloyalty to the employer becomes “unauthorized” to access the employer’s computer. By contrast, the court ruled in LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) that an employee’s act of disloyalty does not render his or her access to an employer’s computer “unauthorized”. The court found that there is no statutory language to support the view that authorization ends implicitly when an employee decides to act contrary to the interest of an employer: “It is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or without authorization.”

A recent case involving the vagueness of language in the CFAA is United States v. Nosal, 642 F.3d 781 (9th Cir. 2011). As in the previously litigated cases, United States v. Nosal involves a company’s claim that employees exceeded authorized access. The company also claims it was defrauded by the band of employees and Nosal (an ex-employee), who used information stored on company computers to start a new business. The majority opinion of the Ninth Circuit Court of Appeals concluded that the definition of “exceeds authorized access” proposed by the US would broaden the CFAA to the point where everyday computer acts would be criminalized. The charges involving the CFAA brought against Nosal were dismissed.

What does this convey to us when courts are unclear about what “unauthorized access” means? Many companies take matters into their own hands and block unauthorized users from accessing specific file directories, intranet pages or Internet content. Unauthorized access in the context of technological enforcement seems clear-cut, but when employees find ways to breach these access protections to view Facebook, to use g-chat or to listen to music during work hours, they face the risk of prosecution under the CFAA.

Beyond computer use in the workplace, the effect of the CFAA on consumers is tremendous, as it is applicable to everyone who uses an Internet-enabled device, whether it is a personal computer, smartphone or tablet. The CFAA has the ability to transform what many would consider to be minor dalliances, such as lying about one’s age on social networking sites, into prosecutable criminal offences. Consumers access the Internet every day, in many cases from different devices at once; that consumers are unaware of the private computer use policies as a whole presents challenges in terms of both adherence and prosecution.

Under § 1030(a)(2)(C), the Justice Department prosecuted Lori Drew, a woman who posed as a 17-year-old boy to cyberbully her daughter’s classmate on the social network Myspace. Like those of other social networking sites, the Myspace Terms of Service prohibit users from falsifying their identity and personal information. It has become quite common, however, for consumers to falsify information on social networking sites to invent an impressive web persona or disguise their true identities for security purposes. Despite the fact that many could deem misrepresenting one’s age a harmless act, under the breadth of the CFAA, those who do so could be prosecuted criminally.

Although the government assures us that it would not prosecute “minor violations”, this term is open to interpretation and it is unclear how the term will be evaluated by prosecutors in the future. Recent judgements have adopted a broad interpretation of the statute, as it would criminalize common computer-related activities. The Circuit Court suggested that previous decisions, delivered by lower courts, had not considered the effect of the statute on ordinary citizens. Furthermore, it suggested that vague criminal statutes such as the CFAA should be construed narrowly, as it is not the court’s position to put words into the mouths of lawmakers. Finally, the courts have also suggested the rule of lenity, which ensures that citizens have fair notice about what conduct of theirs would be considered criminal by law.

The ubiquity of computers and the ease with which information can be transported and corrupted by users have led to the enforcement of an act that needs refinement. The CFAA was crafted before the Internet was omnipresent in the workplace. Employees today have access to an array of sensitive company information, leading to scenarios that the writers of the law may never have envisioned. The language defined by Congress at the beginning of enterprise adoption of computers is not sufficient for today’s work environments, and the courts are struggling to make sense of it. In many cases, the result hinges on what authorization and access mean in the new paradigm of work. The final word will come from Congress, but for now, the most recent cases have affirmed that computer users will not be thrown in jail for violating company use policies or other terms of service agreements.