
“It is unfortunate when men cannot, or will not, see danger at a distance; or seeing it, are restrained in the means which are necessary to avert, or keep it afar off. … Not less difficult is it to make them believe, that offensive operations, often times, is the surest, if not the only (in some cases) means of defence.”

—Letter from George Washington to John Trumbull—June 25, 1799

“Cybercrimes” have increasingly drawn the attention of corporate counsel. However, the attention is usually directed at their companies’ own liabilities arising from the hacking of computer systems (e.g., government investigations and class actions). It is usually not directed at pursuing civil claims for relief against the “hackers.”

Undoubtedly, one important way to deal with a data breach is to prevent it from happening in the first place by: (1) defining roles, responsibilities and oversight for data security at the company; (2) conducting regular risk assessments; (3) implementing and regularly updating security measures, privacy and third-party vendor monitoring policies, and crisis response, corrective action and incident reporting plans; and (4) obtaining cyberinsurance (which may provide pre-breach risk management services and post-breach response services to help manage an incident).

However, besides the ubiquitous trade secret misappropriation claims, few companies fully appreciate that the federal Computer Fraud and Abuse Act (CFAA) specifically provides a mechanism for the civil prosecution of cybercrimes. And promoting a corporate reputation for zealously enforcing civil claims against employees, vendors and other would-be hackers puts some teeth into defensive data-breach efforts.

This article will discuss the CFAA, its elements in a civil action, and the types of relief available under the CFAA. It will also address a split among federal circuit courts of appeals regarding the meaning of the phrase “unauthorized use” in the CFAA—an issue that is the topic of continuing potential legislation and that soon may be decided by the U.S. Supreme Court.

The Hypothetical Hack

Suppose you are general counsel of a manufacturing company with a robust network for distributing its product. Your company gave one of its distributors access to its computer system solely for marketing purposes. The distributor, in fact, regularly accesses your company’s computer system to review marketing materials to help facilitate its sales.

One day, your company’s CIO tells you that the distributor has viewed, altered and improperly used for its own purposes some of the confidential financial information and business plans in your company’s computer system. She also tells you that it has cost tens of thousands of dollars to investigate the situation, conduct a damages assessment, and restore the data. You are understandably angry about this development and contemplating next steps.

Consider the CFAA. The CFAA was originally enacted to protect U.S. government computers and provide a tool to prosecute criminal hackers. Nevertheless, it also provides a mechanism by which to file a civil action against persons or entities that gain access to a “protected computer” without authorization and cause damage or loss as a result.

The basic elements of a civil CFAA claim in a business context, such as the case of the dastardly distributor, are: (a) intentional access to a protected computer, (b) without authorization or exceeding authorized access, and (c) causing damage or loss to one or more persons.

The CFAA defines a “protected computer” to include any computer that is used in or affects interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States. Due to the interstate and international nature of the Internet, any computer in the United States, including a tablet or cellphone, arguably comes under the reach of the CFAA.

The CFAA provides that any person who suffers damage or loss due to a violation of the statute may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.

Under CFAA Section 1030(e)(4)(11), “the term ‘loss’ means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

CFAA Section 1030(c)(4)(A)(i)(I) permits a private right of action for a “loss to one or more persons during any one-year period … aggregating at least $5,000 in value.”

‘Without Authorization’ or ‘Exceeds Authorization’

The case against your company’s “hacking” distributor under the CFAA seems relatively straightforward. The computer system is a “protected computer” under the CFAA. The distributor’s actions caused over $5,000 in damages and loss. And your company never did (and never would) authorize the distributor to access corporate financial records and business plans.

But it did authorize the distributor to access the company’s computer system.

Here creeps in an area of substantial debate concerning the CFAA, namely: What does the phrase “exceeding authorization” necessarily mean? This question has provoked a split in interpretation among the federal circuit courts of appeals.

CFAA Section 1030(e)(6) defines “exceed authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser [sic] is not entitled so to obtain or alter.”

The U.S. Courts of Appeals for the First, Fifth, Seventh and Eleventh Circuits have adopted what has come to be called a “broad interpretation” of the phrase. In sum, there is CFAA liability if a person with authorization to access a computer did so for an improper use or in violation of the company’s policies. The rationale is to punish bad actors who access data without express or implied permission, which may involve evidence of the breach of “terms of use” and confidentiality agreements to prove “exceeding authorized access.”

Thus far, the Second, Fourth and Ninth Circuits have found that such a blanket rule would sweep too far. For example, in the Ninth Circuit, an en banc panel adopted a narrower interpretation in United States v. Nosal, noting: “If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.”

Nonetheless, in Facebook v. Power Ventures, the Ninth Circuit distinguished the 2012 Nosal case and found liability where Power Ventures, a social networking company, disregarded Facebook’s cease and desist letter regarding the aggregation of its users’ social media information in one place. On March 9, Power Ventures filed a petition for a writ of certiorari with the U.S. Supreme Court arguing, among other things, that “the meaning of the words ‘without authorization or exceeds authorized access’ in 18 U.S.C. Section 1030(a)(2)(C) has sparked conflict among the lower courts and is ripe for guidance from this court.”

Whatever the precise contours of those phrases—an issue that may someday be decided by the U.S. Supreme Court—it remains true that the CFAA is a powerful tool of which companies should be aware and that companies should not hesitate to use in the appropriate instances. In the meantime, companies should implement policies and procedures that have terms and conditions which, among other things:

  • Directly address access to and use of computer systems and data;
  • Provide and carefully distribute password protection for various databases in their computer systems;
  • Specifically limit authorization to those databases and delineate the purpose of such access and use; and
  • Terminate right of access upon certain defined events.

“The best defense is a good offense” is a commonly used adage that has been applied in many different fields of endeavor, including sports and military strategy. It should also be used as part of a company’s earnest and prudent business practices. In this regard, when a company is faced with a cyberdata breach, general counsel should also consider the CFAA and offensive actions against the breaching culprit as part of its crisis management plan.