Attorney Steve® Computer and Internet Law - 18 U.S. Code § 1030 - Fraud and related activity in connection with computers [Computer Fraud and Abuse Act]. Call us at (877) 276-5084.
Introduction
The Computer Fraud and Abuse Act (CFAA), a federal law in the United States, was passed in 1986 to address fraud involving computers and illegal access to computer systems. The CFAA's goal is to stop a variety of computer-related offenses include hacking, data theft, malware distribution, and other nefarious practices.
History: The CFAA was initially established to address worries that computer hacking may escalate into a serious issue. The federal Comprehensive Crime Control Act of 1984 was amended by its passage. The law was created to prevent illegal access to and abuse of both public and private computer systems. The CFAA has undergone a number of revisions throughout time to keep up with changing difficulties in the digital world and technical breakthroughs. It has nonetheless drawn criticism for its imprecise terminology and probable abuse in the prosecution of relatively minor offenses.
The primary goals of the CFAA are to discourage and hold accountable anyone who participate in unlawful access, transmission, or disclosure of computer data. It intends to give people legal options against individuals who purposefully acquire unauthorized access to computer systems, go beyond their authorized access, or commit computer system-related fraud.
Elements a Plaintiff in the 9th Circuit Must Prove:
A plaintiff must prove the following factors to win a CFAA case in the 9th Circuit, which encompasses a significant chunk of the western United States:
1. Access to a "protected computer": The plaintiff must show that the network or computer system in question is protected by the CFAA, such as a computer utilized by the federal government, a financial institution, or one used in domestic or international trade.
2. Unauthorized access or exceeding authorized access: The plaintiff must demonstrate that the defendant used the computer system without authorization or went beyond what was allowed of them. This component examines whether the defendant had the required authorization to enter the computer system.
3. Intent: The plaintiff must demonstrate that the defendant engaged in conduct that violated the CFAA with the intention of defrauding, obtaining something of value, harming the computer system, or engaging in any other illegal activity. Identifying guilt requires consideration of intent.
4. Damages or loss: The plaintiff must show that they were injured by the defendant's actions or lost something. This can be in the form of monetary losses, service interruptions, or other quantifiable harm brought on by the unauthorized access.
The factors described here for the 9th Circuit may not apply in other circuits, thus it's crucial to understand that specific interpretations and criteria may differ between circuit courts. For a thorough understanding of the CFAA's application in any specific matter, legal assistance or consultation with an attorney should be obtained.
18 U.S. Code § 1030 - Prohibited Acts
There are basically 7 prohibited acts under the CFAA, several involve offenses against the government.
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it; [Offenses against the Government]
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
See Cal. Civ.Code § 3426.1(b).
A trade secret is "information, including a formula, pattern, compilation, program, device, method, technique, or process, that: (1) Derives independent economic value, actual or potential, from not being generally known to the public or to other persons who can obtain economic value from its disclosure or use; and (2) Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy." Cal. Civ.Code § 3426.1(d). A customer list may qualify as a trade secret because of its "economic value" when its "disclosure would allow a competitor to direct its sales efforts to those customers who have already shown a willingness to use a unique type of service or product as opposed to a list of people who only might be interested and [plaintiff] took reasonable steps to protect this information." Hanger Prosthetics & Orthotics, Inc. v. Capstone Orthopedic, Inc., 556 F.Supp.2d 1122, 1135 (E.D.Cal.2008). Misappropriation can occur when an individual misuses a former employer's protected trade secret client list, for example, "by using the list to 1174*1174 solicit clients or to otherwise attain an unfair competitive advantage." Reeves v. Hanlon, 33 Cal.4th 1140, 1155, 17 Cal. Rptr.3d 289, 95 P.3d 513 (2004).
Breach of Fiduciary Duty crossover: (a) “Improper means” includes theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means. Reverse engineering or independent derivation alone shall not be considered improper means. [ex. Where an officer of a company illegally access computer information for anti-competitive purposes, breach their fiduciary duty owed to the company.
----------------------------
(4)knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; [this is broad, anything of value"]
Statute of limitations
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.
A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses [5] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).
NOTE: This is the section usually relied on when meeting this pleading requirement:
(c)(4)(A)(i)[5](I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages.
No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.
No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
CFAA Civil Conspiracy is a Separate Claim
Where you have actors working in concert with an agreement and overt act conspiring to commit a violation of any of the 7 items set forth above, a conspiracy action may be brought.
(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
NOTE: not all districts may agree on liability for Civil conspiracy. Here is one California case that did find a private right of action for conspiracy under the CFAA. See Welenco Inc. v. Corbell 126 F.Supp 3d 1154, 1176 (E.D. California 2015).
CFAA Case Law
Here are a few cases that discuss the CFAA. I will be adding more soon.
To maintain a civil action under the CFAA, the plaintiff must show that he or she "suffer[ed] damage or loss by reason of [the defendant's] violation" of the Act and that one of five enumerated circumstances is present. 18 U.S.C. § 1030(g). NovelPoster claims that the defendants violated two provisions of the CFAA, 18 U.S.C. § 1030(a)(2)(C) and 18 U.S.C. § 1030(a)(5)(C).
Section 1030(a)(2)(C) makes liable anyone who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer." 18 U.S.C. § 1030(a)(2)(C). Section 1030(a)(5)(C) similarly creates a cause of action against anyone who "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss." 18 U.S.C. § 1030(a)(5)(C).
The circumstance relevant to NovelPoster's claims is whether the defendants' alleged CFAA violations caused "loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value." 18 U.S.C. § 1030(c)(4)(A)(i)(I). The upshot is that NovelPoster must show that the defendants' violation of each of the alleged CFAA provisions caused a loss of at least $5,000, and, further, that the defendants' violation of section 1030(a)(5)(C) caused both "damage and loss." 18 U.S.C. §§ 1030(a)(5)(C), 1030(c)(4)(A)(i)(I); see also, Network Cargo Sys. Int'l, Inc. v. Pappas, No. 13-cv-09171, 2014 U.S. Dist. LEXIS 58552, 2014 WL 1674650, at *2 (N.D. Ill. Apr. 25, 2014) (noting that a plaintiff bringing a claim under 18 U.S.C. 1030(a)(5)(C) must show both "damage" and "loss").
The CFAA defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information." 18 U.S.C. § 1030(e)(8). "Loss" is defined as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." Id. § 1030(e)(11).
Thus, while "damage" covers harm to data and information, "loss" refers to monetary harms sustained by the plaintiff. See Phillips v. Ex'r of Estate of Arnold, 13-cv-00444, 2013 U.S. Dist. LEXIS 116542, 2013 WL 4458790, at *4 (W.D. Wash. Aug. 16, 2013).
Section (C) Damages
Only economic damages can be recovered (ex. no losses for death, personal injury or mental distress).
Potential Criminal Liability
There is potential criminal liability as well. For example:
-
Section 1030(a)(1) First offense: not more than ten years. [Prior offense: not more than 20 years].
- Section 1030(a)(2) First offense where fraud is less or equal to $5,000: not more than one year. A first offense where fraud is greater than $5,000: not more than five years. [Prior offense: not more than ten years].
- Section 1030(a)(3) First offense: not more than one year. [Prior offense: not more than ten years].
- Section 1030(a)(4) First offense: not more than five years. [Prior offense: not more than ten years].
- Section 1030(a)(5) First offense where fraud is less than or equal to $5,000: not more than one year. [A prior offense where fraud is less than or equal to $5,000: not more than ten years]. [A prior offense where fraud is less than or equal to $5,000 and the defendant acts intentionally or recklessly: not more than 20 years]. A first offense where fraud is greater than $5,000: not more than ten years. [Prior offense where fraud is greater than $5,000: not more than 20 years].
- Section 1030(a)(6) First offense: not more than one year. [Prior offense: not more than ten years].
- Section 1030(a)(7) First offense: not more than five years. [Prior offense: not more than ten years]
