The Computer Fraud and Abuse Act (“CFAA”), codified at 18 U.S.C. § 1030, is a federal statute that, broadly speaking, prohibits individuals from wrongfully accessing information on a protected computer for the purpose of committing fraud. Although primarily a criminal statute, the CFAA also provides a civil remedy for any person who suffers a loss of more than $5,000 in any one-year period as a result of a violation of the Act. This civil cause of action under the CFAA is often important in employment, independent contractor, partnership, trade secret, and non-compete disputes. One common fact pattern involves a terminated employee or independent contractor who, without permission, downloads company files he or she hopes to use in a competing business.
So, what are the elements of a civil CFAA claim? And what are the advantages to asserting this claim? New Mexico business lawyer David Baake has experience litigating CFAA claims and can help you understand your rights under the statute.
There are actually several different civil claims that can be asserted under the CFAA, including special claims that involve the transmission of computer viruses and the use of ransomware. However, the most common civil claim asserts a violation of subsection (a)(4) of the Act. To assert a claim under this subsection, a plaintiff must show that the defendant “(1) accessed a protected computer, (2) without authorization or exceeding such authorization that was granted, (3) knowingly and with intent to defraud, and thereby (4) furthered the intended fraud and obtained anything of value, causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009). In practice, almost any computer will be considered a “protected computer,” since the term is defined to include any computer “used in or affecting interstate or foreign commerce or communication.” Other statutory terms are less straightforward. Most of the litigation concerns the meaning of “without authorization or exceeds authorized access.” In other cases, the question of whether the plaintiff has suffered a “loss” must be litigated.
The CFAA does not define the term “without authorization.” Courts have found that the touchstone for deciding whether access is “without authorization” is whether the defendant had permission to use the computer. For example, if a company informs an employee that he or she is required to return his computer upon being terminated, and the employee refuses to do so and continues to use the computer, the employee may be found liable for accessing the computer “without authorization.” See, e.g., Tech Sys., Inc. v. Pyles, 630 F. App’x 184, 186 (4th Cir. 2015) (finding that “upon termination of her employment, Pyles accessed her corporate email account and company-issued Blackberry without authorization”).
Unlike the term “without authorization,” the term “exceeds authorized access” is defined by statute. It means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser [sic] is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). In other words, individuals who are generally authorized to use a protected computer may nonetheless be liable if they access “particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend.” Van Buren v. United States, 141 S. Ct. 1648, 1652 (2021).
Certain scholars and litigants have argued that the term “exceeds authorized access” should be construed to require a showing that the defendant “hacked” into a protected area of the computer. So far, courts have rejected this idea and instead held that a defendant “exceeds authorized access” when he or she accesses a particular file, folder, or database without permission from the owner of the computer, whether or not there was any technological barrier to the defendant’s access. One district court explained that “the mere possession of a password does not render any subsequent access ‘authorized.’” United States v. Eddings, 2021 WL 2527966, at *5 (E.D. Pa. June 21, 2021); see also Gemstone Foods, LLC v. AAA Foods Enterprises, Inc., No. 5:15-CV-01179-MHH, 2022 WL 586767, at *2 (N.D. Ala. Feb. 26, 2022) (the defendant’s “technological ability to access the email accounts because [his former employer] had not yet changed the passwords for the accounts is not the equivalent of permission to access the accounts”).
Taunting the animals versus entering the monkey cage: the Computer Fraud and Abuse Act after Van Buren.
In Van Buren v. United States, 141 S. Ct. 1648, 1652 (2021), the Supreme Court clarified the meaning of the term “exceeds authorized access,” explaining that simply using a computer for an improper or forbidden purpose is not a violation of the CFAA. In that case, a police officer named Van Buren was approached by an FBI informant, who offered Van Buren money to run a license plate search on someone. Van Buren agreed, and ran the search on the law enforcement computer data base. He was then charged with violating the CFAA.
The question for the Court was whether the officer had “exceed[ed] authorized access” when he ran this license plate search. The Court held that he did not. Central to the Court’s conclusion was the fact that all parties agreed “that Van Buren had been given the right to acquire license-plate information . . . from the law enforcement computer database.” In other words, the defendant did not violate a computer access policy; he violated a policy regarding how he could use the programs he was permitted to access. However, the Court confirmed that someone who accesses a computer file or program that he or she is not permitted to access may still be found to violate the CFAA. And the Court specifically left open the possibility that the violation of a contractual computer access policy could give rise to CFAA liability.
To understand the Van Buren rule, think about going to the zoo. There are certain areas of the zoo that are closed to the public. These are access limits. Even within the areas that are open to the public, there are rules about what visitors can do. These are rules against improper use of the zoo facility.
An example of improper use of the zoo facility would be taunting the animals from the public viewing area. This is wrong and a violation of zoo policy, but it is not “exceeding authorized access” of the zoo. If you enter the monkey cage, however, things are different. You are now accessing a part of the zoo that is off limits to you. You are exceeding authorized access even if there was no technological impediment to your action (i.e., even if the door to the monkey cage was unlocked). What matters is that you knew you did not have permission to go somewhere and you went anyway.
The CFAA only regulates access. It is implicated if the defendant accesses a file, folder, or database he or she does not have permission to access. Like the monkey cage, it is not necessary to show that there was any technological barrier to access. As long as the defendant knows he does not have permission to access the files in question, he is violating the CFAA.
If you have more questions about the Computer Fraud and Abuse Act, contact New Mexico business lawyer David Baake today.
Get in TouchFill out the contact form or call us at (575) 343-2782 to schedule your free consultation.
- 1 Free Consultation
- 2 World Class Education
- 3 Track Record of Success