Thank you for sharing!

Your article was successfully shared with the contacts you provided.
The federal Computer Fraud and Abuse Act, 18 U.S.C. 1030, is fast becoming one of the most expansive and potent civil statutes in a civil litigator’s arsenal. The CFAA was enacted in 1984 as part of the federal criminal code, designed to protect “only a relatively narrow class of government operated computers.” Pacific Aerospace & Electronics Inc. v. Taylor, 295 F. Supp. 2d 1188, 1194 (E.D. Wash. 2003). Since 1984, “Congress has … continuously broadened the scope and coverage of the CFAA,” and in 1994 amended the statute to allow any person injured by a violation of the statute to bring “a civil action against the violator to obtain compensatory damages and injunctive relief.” Id.; 18 U.S.C. 1030(g). Like the civil remedy in the Racketeer Influenced and Corrupt Organizations Act, 18 U.S.C. 1964(c), the CFAA encompasses a panoply of crimes upon which a civil remedy can be predicated. These include the theft of data, schemes to defraud, trafficking in computer passwords, damaging computer data, hacking and sending computer viruses. This article will examine the breadth of the CFAA and why it should be considered as a cause of action whenever there is evidence relating to the use of computers in perpetrating a wrongful act. ACT COVERS VIRTUALLY ANY COMPUTER THAT SENDS E-MAIL For starters, the jurisdictional reach of the CFAA is extremely broad. Computers subject to protection under the CFAA are those that are “used in interstate or foreign commerce or communication.” 18 U.S.C. 1030(e)(2)(B). Thus, virtually any computer that sends e-mail in the course of its business is a “protected computer” under the CFAA. In 2001, the USA Patriot Act expanded the definition of “protected computer” to include “a computer located outside the United States” that communicates with the United States. Id. Thus, the act of e-mailing a message from a computer in Beijing to the United States is sufficient to create CFAA jurisdiction over violations committed in China. The only other jurisdictional prerequisite is to prove $5,000 in “loss.” The CFAA defines “loss” to include “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. 1030 (e)(11). While the proof of such “loss” is limited strictly to computer-related losses, see, e.g., Nexans Wires S.A. v. Sark-USA Inc., 319 F. Supp. 2d 468, 469 (S.D.N.Y. 2004), this $5,000 threshold can, as one court commented, be met with “ease.” Pacific Aerospace, 295 F. Supp. 2d at 1197. “Loss” is broadly interpreted to include the cost of responding to the offense by “making a company’s computer database more ‘hacker-proof’ ” or hiring computer forensic experts to uncover the facts relating to the offense. Id. The key element required to prove CFAA claims — that the defendant exceeded authorized access to the computer or data — has likewise been broadly interpreted. 18 U.S.C. 1030(e)(6). Whether one is permitted access to particular computers or data can be established by the permissions set by the owner of the computers or data. The 1st U.S. Circuit Court of Appeals, in rejecting the claim that “there is a ‘presumption’ of open access to Internet information,” held that the “CFAA … is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). The courts, however, have interpreted “authorized access” to be broader than simply following the rules set by the information provider. For example, in Shurgard Storage Centers Inc. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121, 1124 (W.D. Wash. 2000), the court rejected the defendants’ assertion that the CFAA did not apply to them because, as employees, they “had full access” to their employer’s computer when they sent their employer’s trade secret information from its computer network to the computer of a competitor who was about to become their new employer. While their employer had no published rules forbidding employees from sending company data over the Internet to competitors, the court, relying on the Restatement (Second) of Agency � 112 (1958), held that the employees had exceeded their authorized access under the CFAA because their authority to access the data ended when they became agents of the competitor and breached their duty of loyalty to their current employer. In addition to Shurgard-type employment actions, CFAA civil actions to date have been predicated on the theft of data by a competitor (e.g., Physicians Interactive v. Lathian Systems Inc., 2003 WL 23018270 (E.D. Va. 2003)), the use of data downloaded from a business Web site without permission (e.g., Southwest Airlines Co. v. Farechase Inc., 318 F. Supp. 2d 435 (N.D. Texas 2004)), spam e-mail attacks (e.g., Tyco International Inc. v. John Does, 2003 WL 23374767 (S.D.N.Y. 2003)), defects in computer software (e.g., In re America Online Inc. Version 5.0 Software Litigation, 168 F. Supp. 2d 1359 (S.D. Fla. 2001)), improper retrieval of personal credit information (e.g., Carter v. Atchley Ford Inc., 2002 WL 802682, at 6 (D. Neb. 2002)) and the use of spyware (e.g., Chance v. Avenue A Inc., 165 F. Supp. 2d 1153 (W.D. Wash. 2001)). That section of the CFAA that is clearly the broadest is � 1030(a)(4), which outlaws accessing a protected computer without authorization and with intent to defraud: “Whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value [commits a crime].” This section was “patterned after the federal mail and wire fraud statutes.” Pacific Aerospace, 295 F. Supp. 2d at 1194. A scheme to defraud is not defined in the CFAA or the mail or wire fraud statutes for the simple reason that “the range of potential schemes is as broad as the criminal imagination.” Speigel v. Continental Illinois Nat l Bank, 790 F.2d 638, 646 (7th Cir. 1986). What is critical is the defendant’s intent to defraud. This element has been defined by the courts to “mean wrongdoing and not proof of the common law elements of fraud.” Shurgard Storage Centers, 119 F. Supp. 2d at 1126. Traditionally, to prove fraudulent intent, there is no requirement “to prove that an intended victim was actually defrauded” — only that the defendant “contemplated some actual harm or injury to” the victim. U.S. v. Starr, 816 F.2d 94, 98 (2d Cir. 1987). In U.S. v. Czubinski, 106 F.3d 1069 (1st Cir. 1997), the court overturned a CFAA criminal conviction because there was insufficient evidence of the defendant’s intent to defraud. The proof at trial showed that the Internal Revenue Service employee who had accessed tax information in the computer that he was not authorized to access only intended “to satisfy idle curiosity” in reviewing the data. There was no proof that the defendant had accessed the data “in light of a fraudulent scheme” to steal it, use it or disclose it. Id. at 1078. ACT PROVIDES REMEDY FOR ALL KINDS OF COMPUTER FRAUD Even with the requirement to prove fraudulent intent, there is little doubt that the CFAA can be used as a powerful cause of action for all kinds of computer fraud, including the recently publicized epidemic of identity theft where consumer personal data, such as Social Security numbers, have been stolen from computers and in turn used to steal funds from personal bank accounts. It is precisely this “breadth” of a scheme to defraud that is the centerpiece of the mail and wire fraud statutes (and now the CFAA) that prompted the U.S. Supreme Court to acknowledge that the use of these statutes has resulted in the “extraordinary uses to which civil RICO has been put.” Sedima v. Imrex Co. Inc., 473 U.S. 479, 500 (1985). The 9th Circuit’s affirmance of the jury verdict for a CFAA violation alleging a scheme to defraud in Creative Computing v. Getloaded.Com LLC, 386 F.3d 930 (9th Cir. 2004), shows just how similar such a civil case is to a civil RICO case. The plaintiff, Creative Computing, had developed a successful Internet site “to match loads with trucks” to fill up the capacity of trucks carrying freight. This Internet matching allowed trucks returning to home base after delivering a load to return “carrying revenue-producing freight.” Id. at 931-32. The defendant, Getloaded, set up a competing company and perpetrated a number of dishonest acts to steal Creative’s business. Getloaded obtained information from Creative’s Web site by falsely posing as customers of Getloaded. The officers of Getloaded “hacked into the code Creative used to operate its website” to steal unique features of Getloaded’s Web site. Id. at 933. Getloaded hired a Creative employee who stole “confidential information regarding several thousand of Creative’s customers” and then violated a court-ordered injunction by destroying evidence and lying under oath. Id. As with civil RICO, litigators can no longer overlook the CFAA. Whenever the evidence reflects that computers are involved in the perpetrating of a wrong, the CFAA should be reviewed for potential claims. The advantages are obvious. Like RICO, the CFAA is a federal statute and thus provides automatic federal jurisdiction, when the only available claims might be based on state law with no diversity jurisdiction. The CFAA also has certain advantages over using RICO (albeit without the treble damages and attorney fees mandated by RICO). Without the “pattern” and “enterprise” elements essential to prove a RICO violation, the CFAA provides a basis to bring a civil action predicated on a scheme to defraud, and like a RICO claim, provides the plaintiff with a device to portray the defendant as a criminal who committed a serious federal felony. Nick Akerman is a partner in the New York office of Dorsey & Whitney.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.