What Is the Computer Fraud and Abuse Act (“CFAA”)?
The Cyber-Security Law: Computer Fraud and Abuse Act (CFAA)
The cyber-security law that outlaws conduct that victimizes computer systems in the United States is called the Computer Fraud and Abuse Act (“CFAA”). The objective of the CFAA is to safeguard computers against trespass, threats, damage, espionage, and from being employed for use as instruments of fraud. This act covers all computers in which the federal government has an interest, which encompasses all computers utilized in interstate commerce. Pretty much every computer becomes subject to the CFAA since there are probably no computing devices that are not in some way used extensively to transmit, receive, and exchange data for personal or business use across state and country lines.
Criminal Sanctions and Civil Penalties
The CFAA lays out criminal sanctions for an individual who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” or even damages said computer. Even though the CFAA is a criminal statute, it also provides for civil penalties where applicable. Under the civil enforcement provision of the CFAA, anyone who suffers damage as a result of someone else violating the CFAA can sue the violator for damages, injunctive relief, or both.
The Question of Access
The courts consistently discover an excess or lack of authorization to use a computer, regardless of whether some access was allowed, whenever the use and access was against the interests of the authorizing party. For instance, in LVRC Holdings LLC v. Brekka, 581 F 3d 1127, 1135 (9th Cir. 2009), the court ruled that “A person uses a computer without authorization…when the person has not received permission to use the computer for any purpose…or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” In a similar ruling, Patrick Patterson Custom Homes, Inc. v. Bach, 586 F. Supp.2d 1026, 1035 (N.D. Ill. 2008), the court maintained that the employee’s access to the employer’s computer was in a manner that exceeded her authority and that that action, and the fact that she installed data shredding software which caused permanent deletion of files on the computer were sufficient to state a cause of action under the CFAA.
Cases Involving Computer Damage
Damage, in this case, has a broad definition. Any impairment to the integrity or availability of data, a program, a system, or information constitutes damage under the CFAA. In addition, loss under the CFAA includes “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Charges of damage or loss must come in above the $5,000.00 minimum statutory threshold prescribed in the statute.
As far as damage or impairment of a computer system is concerned, physical damage to a computer is not necessary to allege damage or loss. Any loss incurred from “securing or remedying” a computer system after an alleged CFAA violation is classed as loss, because it compromises the integrity of a victim’s data system. Courts have allowed inclusions in loss claims such as the costs of seeking to identify evidence of the breach, assess any damage it potentially inflicted, and figuring out whether any remedial measures were required to rescue the network.