• Scope of CFAA Violations Remains in Debate
  • May 22, 2013 | Authors: Thomas S. Hixson; Geoffrey M. Howard; Bryan M. Killian; Nargues Motamed
  • Law Firms: Bingham McCutchen LLP - San Francisco Office; Bingham McCutchen LLP - Washington Office
  • The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, creates civil and criminal liability for persons who access computers without authorization or in excess of authorization. Because the statute does not define “authorization,” courts and commentators have taken several conflicting positions, and Congress appears poised to weigh in.

    The CFAA was originally enacted in 1984 to enhance the government’s ability to prosecute computer crimes. The Act targeted hackers and criminals who accessed computers to steal information or to disrupt or destroy computer functionality. The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization to obtain information, often to damage a computer or computer data. Over the years, the statute has been materially amended five times, adding private rights of action and changing the degree of punishment resulting from the crime. Today, much of the debate focuses on statutory interpretation and defining the proper scope of the CFAA.

    The Circuit Split and United States v. Nosal

    In April 2012, the en banc Ninth Circuit adopted a narrow interpretation of “authorization” under the CFAA and found that an employee’s violation of his/her employer’s computer usage policies was not a violation of the CFAA. The Ninth Circuit dismissed five of the government’s eight CFAA charges, concluding that CFAA liability “is limited to violations of restrictions on access to information, and not restrictions on its use.”

    While the Fourth Circuit has adopted a position like the Ninth Circuit, the Fifth, Seventh, and Eleventh Circuits have adopted a broad interpretation of “exceeds authorized access.” In doing so, they rely on common-law principles and computer usage policies to find CFAA liability against employees who, for example, access a computer with authorized credentials but then engage in conduct outside the scope of that authorization and adverse to the employer.

    Last summer, the federal government declined to petition the United States Supreme Court for a writ of certiorari to review the Ninth Circuit’s Nosal decision. The Supreme Court therefore has not had an opportunity to resolve the circuit split. In addition, the government’s choice not to seek further review of the Ninth Circuit’s decision caused the Nosal case to be remanded to the district court for trial on the three remaining CFAA charges.

    On remand, the district court in the Nosal case (Judge Edward Chen) considered the question whether “unauthorized access” under the CFAA requires the government to prove that a defendant circumvented technological access barriers. He held that technological barriers need not be breached. Rather, “access” under the CFAA “encompasses not only the moment of entry, but also the ongoing use of a computer system.” Trial followed the district court’s decision, and on April 24, 2013, a San Francisco jury found Nosal guilty of conspiracy, trade secret misappropriation and CFAA violations. The jury found that, in violation of the CFAA, he had directed former coworkers to use their credentials and passwords to access his former employer’s computers and copy client information for his own personal use in a rival business.

    Pending Amendments to the CFAA

    At the end of March, the House Judiciary Committee drafted proposed amendments to the law that would resolve the disagreement over the meaning of “authorization” and expand the scope of the CFAA. The suggested amendments would:

    • Redefine the critical term “exceeds authorized access” to include accessing information for an impermissible purpose. The current definition of “exceeds authorized access” reads “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter”; the amendment would add the phrase “even if the accesser may be entitled to obtain or alter the same information in the computer for other purposes” after the word “alter” at the end of the definition

    • Increase maximum penalties for many violations to 20 years or more

    • Expressly include CFAA violations as a RICO predicate

    • Provide the same penalty to someone who conspires to commit a CFAA violation as someone who has “completed” the offense

    Whether and when legislators will vote on the amendments is unclear. Opponents fear that expanding the scope of the CFAA will give prosecutors and civil litigants too much power to go after employees, social networking users and other computer users for common online activities. However, liability under the CFAA is a fact-dependent conclusion drawn from the totality of the circumstances. It seems unlikely that courts would find that common online activities violate the CFAA, even with the proposed amendments. The proposed amendments would at least clarify an issue on which the courts are currently split and resolve the disagreements over the scope of the Act.

    The proposed amendments and the jury’s decision in Nosal underscore that the question of whether the CFAA should be interpreted narrowly to focus on access or expanded to cover improper use is still up for debate and may end up with the Supreme Court.