The Accidental Hacker: Civil Claims Under the CFAA
Hacking into protected networks. Transmitting viruses. Trafficking in stolen passwords. Identity theft. These are among the federal crimes defined by the Computer Fraud and Abuse Act (CFAA). Spurred to action in part by the 1983 Matthew Broderick vehicle WarGames, Congress passed the original CFAA over thirty years ago, though the law has been amended on several occasions over the decades.
The CFAA’s relevance, however, isn’t limited to high-tech criminals and federal law enforcement. In addition to its criminal provisions, 18 U.S.C. § 1030 provides civil remedies for those damaged by some of the activities prohibited under the statute (as long as those damages exceed $5,000). In an economy dominated by digital commerce, CFAA lawsuits have increasingly become a mainstay of commercial litigation, and the statute’s application extends far beyond what most people picture when they think of “hacking.”
The most common section of the CFAA cited by civil plaintiffs is (a)(2)(C), which provides a claim against a defendant who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” Generally, the two biggest issues in these cases are whether the defendant’s access was unauthorized and whether the damage caused by the access exceeds the statutory $5,000 threshold.
As the Supreme Court recently explained, there are two ways to improperly access a computer system under the CFAA: “(1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.” Musacchio v. United States, 136 S. Ct. 709, 713 (2016).
When someone cracks or steals a password to gain access to a protected system, there’s usually little question that the access is unauthorized. But many, if not most, civil CFAA claims involve situations where someone had authorized access to a system. Then, either that authorization was revoked or else the person did something with their otherwise-authorized access that they weren’t supposed to do.
The CFAA often pops up these days in disputes between businesses and ex-employees. The usual situation goes like this: on their way out the door, an employee, disgruntled or simply with an eye towards their next career move, uses their authorized access (or formerly authorized access) to the employer’s computer systems to copy confidential information or, worse, to sabotage the enterprise by deleting files or creating other havoc.
For example, in the influential 2006 7th Circuit case International Airport Centers, L.L.C. v. Citrin, the defendant breached his employment agreement with a real estate development company. Before handing back his company laptop, he wiped it in order to cover up certain wrongdoing. The court agreed with the employer that, even if the defendant had authorized access to the computer, he didn’t have authorized access to do that.
In 2016, Facebook won a suit against the makers of a third-party application that aggregated information from various social media profiles. The Ninth Circuit found that the defendant had accessed Facebook’s computers without authorization when it continued collecting information from users’ Facebook accounts after Facebook told them to stop. However, last August, a California district court judge found that similar claims brought by LinkedIn were unlikely to violate the CFAA, a ruling now pending appeal to the Ninth Circuit.
The CFAA’s focus has shifted noticeably in recent years towards computers protected, not by passwords and technical barriers, but by contracts. As a result, the federal statute has made its way into a broader range of commercial disputes than one might expect.