Strategies For Businesses Protecting Electronic Data Within California
Part One: The Computer Fraud And Abuse Act (18 U.S.C. § 1030 Et Seq.)
Data security is top-of-mind in today’s corporate world. According to The Ponemon Institute’s 2015 Cost of Data Breach Study, the average total cost of a data breach for the 350 participating organizations increased 23 percent during the past two years to $3.79 million. Businesses in California are equipped with a number of tools to help battle unauthorized intrusions into their electronic data, whether by employees, former employees, disreputable competitors or random hackers. Knowledge of these tools is essential for counsel to advise clients on preventive and remedial measures.
This e-alert is the first of three spanning the next three weeks that together should constitute a primer on three key statutes that can help businesses deal with breaches of electronic security. The statutes include the federal Computer Fraud And Abuse Act, 18 U.S.C. § 1030 et seq.; the California Computer Data Access And Fraud Act, Cal. Pen. Code, § 502; and the federal Stored Communications Act, 18 U.S.C. § 2701 et seq. This first alert addresses the Computer Fraud and Abuse Act, while the final alert will include best practices to help businesses preserve the integrity of their electronic data.
1. Summary of Prohibitions
The Computer Fraud And Abuse Act (“CFAA”) applies to a “protected computer” which the statute defines as one “which is used in or affecting interstate or foreign commerce or communication.” The CFAA prohibits, among other things:
- knowingly caus[ing] the transmission of a program, information, code, or command and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer;
- intentionally access[ing] a protected computer without authorization, and as a result of such conduct, recklessly caus[ing] damage; or
- intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss.
Additionally, the CFAA makes it unlawful to “knowingly and with the intent to defraud, [access] a protected computer without authorization, or [exceed] authorized access, and by means of such conduct [further] the intended fraud or [obtain] anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1 year.”
While it is a criminal statute, the CFAA also provides a civil remedy to “any person who suffers damage or loss by reason of a violation of [the act].” Such person may obtain compensatory damages and equitable (including injunctive) relief. For a civil plaintiff to recover, the CFAA requires that the plaintiff allege and prove that the offensive conduct caused any one of the following five circumstances:
- loss to one or more persons during any one-year period, aggregating $5,000 in value;
- the modification, impairment, or potential modification or impairment of the medical examination, diagnosis, treatment, or care of one or more individuals;
- physical injury to any person;
- a threat to public health or safety;
- damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security.
A civil plaintiff must show that a defendant (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information (4) from any protected computer, and that (5) there was a loss to one or more persons during any one-year period aggregating at least $5,000 in value. Alternatively, a plaintiff may seek to prove that a defendant (1) accessed a protected computer, (2) without authorization or exceeding such authorization as was granted, (3) knowingly and with intent to defraud, and thereby (4) furthered the intended fraud and obtained something of value, causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.
The CFAA is designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who have the capacity to access and control high technology processes vital to our everyday lives. The CFAA is not meant to serve as a supplement or replacement for trade secret misappropriation claims.
The limitations period under the CFAA is two years from the date of the action complained of or the date of discovery of the damage.
2. “Without Authorization”
The CFAA requires that a defendant access a protected computer “without authorization.” According to the federal court of appeals,
[A] person who uses a computer “without authorization” has no rights, limited or otherwise, to access the computer in question. In other words, for purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations.
Further addressing “without authorization,” the federal court of appeals stated:
[A] person uses a computer “without authorization” under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.
It appears that most courts do not require circumvention of “technological access barriers” (e.g., unauthorized use of passwords) for use to be considered unauthorized. Whether a defendant has exceeded authorization is a factual issue. Thus, it is important to clearly delineate the scope of authorization in writing if practicable. Moreover, employment policy manuals, employment agreements and consulting agreements should clarify that any authority to access computer systems is terminated when an employee departs a job, whether or not log-in access is disabled. Of course, an employer should disable log-in access upon termination of an employee or consultant.
3. Exceeding Authorized Access
While a defendant may not have accessed a computer “without authorization,” he may have exceeded authorized access nonetheless. Exceeding authorized access, as noted above, can be grounds for a CFAA violation. The phrase “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.
According to the federal court of appeals in United States v. Nosal (9th Cir. 2012) 676 F.3d 854, 864, “exceeding authorized access” implicates violations of restrictions on access to information, and not restrictions on its use; for example, an employee who is given access to product information on a company computer but who accesses customer data. In contrast, an employee who has access to customer lists but is not authorized to send them out would not violate the CFAA by sending them out. The latter conduct would be the subject of a claim for misappropriation of trade secrets. In sum, one who “exceeds authorized access” is someone who is authorized to access only certain data or files but accesses unauthorized data or files – colloquially known as “hacking.” The CFAA is not applicable to a person who is authorized to access a computer or parts of the computer but who, in so doing, misuses or misappropriates information.
4. Damages And Other Relief
As noted, the CFAA provides a private remedy to a person who “suffers damage or loss” resulting from certain violations of the CFAA. For most private litigation, the CFAA is limited to “economic damages.”
The CFAA defines “damage” to mean “any impairment to the integrity or availability of data, program, a system, or information.” Under the act, loss means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense. The definition also covers any lost revenue, cost incurred, or other consequential damages because of interruption of service. Courts have held that it is not necessary for data to be physically changed or erased to constitute damage to that data. It is sufficient to show that data integrity has been impaired, as when an intruder retrieves password information from a computer and the rightful computer owner must take corrective measures “to prevent the infiltration and gathering of confidential information.”
Cognizable costs include the costs associated with assessing a hacked system for damages and upgrading a system’s defenses to prevent future unauthorized access. Moreover, in situations in which the offense involves unauthorized access and the use of protected information, the cost of discovering the identity of the offender or the method by which the offender accessed the protected information is part of the loss for purposes of the CFAA.
Loss of business and business goodwill are included within “economic damages.” Such damages include scenarios in which the value of an individual or firm’s money or property is impaired, or money must be spent to restore or maintain some aspect of a business affected by a violation.
Injunctive relief under the CFAA can include barring a defendant’s access even to publicly available websites for past egregious and numerous instances of violations.
The CFAA does not expressly provide for attorney’s fees. However, as will be discussed in future e-alerts, attorney’s fees are available under section 502 of the California Penal Code (California Computer Data Access And Fraud Act) and the Stored Communications Act (18 U.S.C. § 2707(b)(3)) for similar conduct. Thus, it will usually be advisable to combine claims under the CFAA with claims under the California statute and the Stored Communications Act where possible.
The CFAA is a powerful statute. It provides a basis for federal court jurisdiction, which is advantageous to a plaintiff because resolution is likely to be speedier than in state court. The federal judge’s expertise on the technical issues is likely to be greater as well.
Our next e-alert will discuss the California state analog to the CFAA – the California Computer Data Access And Fraud Act, Cal. Pen. Code, § 502. Combining claims under both the CFAA and the California statute is valuable because, among other things, the California statute provides a basis for claiming attorney’s fees for data breaches that violate both the federal and state statute.