The Computer Fraud and Abuse Act (“CFAA”): It’s Not Just For Hackers

Conference Room

The Computer Fraud and Abuse Act (“CFAA”): It’s Not Just For Hackers. 

In 1984 Congress enacted the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, to protect against hacking into U.S. government and financial institution computers.  With the expansion of computer use, the explosion of the Internet and the adaption of crime to these expanding technologies, Congress broadened the CFFA to include almost any computer.  Moreover, a 1994 amendment added a civil cause of action to the criminal statute.

The CFAA prohibits seven acts briefly summarized as:

  1. trespassing a computer to commit espionage;
  2. trespassing a computer and obtaining specified financial, credit, governmental or commercial information;
  3. trespassing a government computer;
  4. trespassing a computer to commit fraud;
  5. damaging a computer;
  6. trafficking in computer passwords; and
  7. threatening to damage a computer.

The CFAA contains several definitions that apply the statute broadly.  For example, the CFAA applies to “protected computers.”  This includes computers owned by the U.S. government, financial institutions and those “used in or affecting interstate or foreign commerce or communication.”  Thus, the CFAA applies to virtually all computers.

As abbreviated above, trespassing includes accessing a computer “without authorization” or “exceeding authorized access.”  A Computer Fraud and Abuse Act violator could have authorized computer access such as a log-in ID and password, but later access data that was not within that user’s authorized scope.  By way of example, a bank employee may have authorization to access and modify data in the ordinary course of business, but if the bank employee violates computer use policies by viewing an acquaintance’s account records with no business need to do so, the CFAA is violated by exceeding authorized access.

Federal courts have creatively interpreted the terms “without authorization” and “exceeding authorized access.”  In Shureguard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000), a federal court in Seattle held that a former employee lost “authorized access” when he became an agent of a competitor by e-mailing the competitor trade secrets and proprietary information belonging to the former employer while still employed there.  The court did not rely on a non-disclosure agreement, but rather on an agency common law principle where the employee’s authority terminates when the employee “acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty” to the employer.  While some courts have disagreed with this ruling, see, e.g., Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008) others have followed this line of reasoning.

In another case involving a former employee who used confidential information obtained from the former employer to benefit a new competitor, the court focused on the use of “Confidential or Proprietary Information” and the existence of a confidentiality agreement.  EF Cultural Travel BV. v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).  There, plaintiff was in the business of providing global tours for high school students.  Former executive had confidential information of tour codes and data structure of proprietary information of former employer and was bound by a confidentiality agreement (“NDA”).  The former executive assisted competitor’s Internet consultant in designing a “scraper” program to extract pricing information from former employer’s Web site.  The competitor then used this data to undercut former employer’s prices.  The First Circuit Court of Appeals did not reach the question of whether the competitor was authorized to navigate plaintiff’s Web site to obtain competitive data.  Rather, the court held that defendant former executive exceeded that authorization “by providing proprietary information and know-how” to the Internet consultant to create the scraper program for the competitor.

The CFAA has also been invoked by Web site operators where the user had violated the Web site’s Terms of Service (“TOS”).  America Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d 444 (E. D. Virginia 1998), involved an AOL member who harvested AOL members e-mail addresses for sending unsolicited bulk e-mails (“spam”) via AOL’s network in breach of AOL’s Unsolicited Bulk E-Mail Policy and its TOS.  While the case involved other serious issues such as trademark violations for “spoofing” the spam e-mail messages as being from the “” domain, the trial court held that the TOS violations rendered defendants’ access as unauthorized and in violation of the CFAA for computer trespassing and gaining commercial information.

While the AOL case involved a member TOS agreement, Southwest Airlines Co. v. Farechase, Inc., 318 F. Supp. 2d 435 (N.D. Texas 2004), involved Southwest Airline’s Web site’s TOS and directly warning defendants about prohibited activities on its Web site.  Defendant software company created and licensed software that could “scrape” Southwest’s Web site to obtain data by “sending out a robot, spider, or other automated scraping device across the Internet.”  Another defendant licensed the software to use in a product for corporate travelers to search airline fare information.  Southwest sued under various theories, including violation of the CFAA.  Defendants argued that Southwest’s Use Agreement (“TOS”) was an unenforceable contract.  The court reserved that fact question as inappropriate in a motion to dismiss.  Rather, the court relied on Southwest’s direct communication to one of the defendants that Southwest prohibited the use of “any deep-link, page-scrape, robot, spider or other automatic device, program, algorithm or methodology which does the same things.”  Thus, Southwest directly informed one defendant that its access was authorized, giving the court grounds to deny defendants’ motion to dismiss this claim.

While the CFAA is a criminal statute, there is a private right of action.  Generally, the prospective plaintiff needs to prove damage to the computer, or “loss” exceeding $5,000.  Losses are defined as “any reasonable costs to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or consequential damages incurred because of interruption of service.”  Proving the statutory minimum loss to institute a civil lawsuit for injunctive and/or monetary damages can be easily met with costs of investigation and plugging security holes.  The fair value of in-house IT staff has been allowed in the calculation of “loss.”

The CFAA will likely be increasingly used in employment, trade secret and unfair competition cases.  The key takeaways with respect to the CFAA include:

  • Maintain network security;
  • For employees and other “insiders,” require non-disclosure agreements (“NDAs”) and provide clear limits on data access, modification and deletion through a comprehensive IT or computer use policy; and
  • For Web sites, provide clear Terms of Use (“TOS”) and monitor traffic to determine whether there may be a violation of TOS and serve cease and desist letters on identifiable violators.