[About the author: Scott Lesowitz is a Harvard Law School graduate and former Assistant United States Attorney based in Los Angeles, California. His e-mail address is firstname.lastname@example.org, and his phone number is 323-452-9909.]
What the Computer Fraud and Abuse Act Is
The Computer Fraud and Abuse Act (the CFAA) allows certain victims of theft, use, or disclosure of information to sue the wrongdoer. 18 U.S.C. § 1030(g). Usually, the victim must have suffered at least $5,000 in damages to sue.
An important aspect of the Computer Fraud and Abuse Act is that it applies to information that does not constitute a trade secret. Not all proprietary and confidential information qualifies as a protected trade secret.
The Computer Fraud and Abuse Act bars a wide variety of conduct. It is not limited to sophisticated acts of hacking. It can include, for example, a vendor downloading information from a computer that he or she no longer has permission to access. It would include downloading emails from someone’s computer (including a coworker’s) that is left open and unattended.
Available Damages and Court Orders
The Computer Fraud and Abuse Act bars unauthorized access to a computer system. It does not bar the subsequent use or disclosure of any information. U.S. v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012).
Therefore, the available monetary damages include things such as repairing computer systems, restoring data, ending unauthorized accesses, investigating how the information was accessed, etc. Damages may also include lost profits during any time period when there was an interruption in service. Brown Jordan International, Inc. v. Carmicle, 846 F.3d 1167, 1174 (11th Cir. 2017). However, available damages do not include lost profits resulting from information being taken beyond the time period when systems were interrupted. Capitol Audio Access, Inc. v. Umemoto, 980 F.Supp.2d 1154 (E.D. Cal. 2013).
It is clear from the text of the statute that future violations of the CFAA may be prohibited in a preliminary injunction or permanent injunction.
However, an open question is whether a court may issue an injunction barring the use or disclosure of information acquired in violation of the CFAA. This is different than the ability to collect monetary damages for use or disclosure. Injunctions can be effective at preventing future damages. Violating an injunction can lead to severe consequences.
The appellate courts have dodged the question of the scope of injunctions regarding the use or disclosure of information. E.g., Fiber Systems Intern., Inc. v. Roehrs, 1159 (5th Cir. 2006) (“We need not address the question of whether an injunction may issue against the use of the information obtained through a past violation of § 1030(a)(4).”) The consensus among the district courts seems to be to allow an injunction barring the use or disclosure of information that was obtained through unauthorized access. E.g., Reliable Property Services, LLC v. Capital Growth Partners, LLC, 1 F.Supp.3d 961 (D. Minn. 2014); PLC Trenching Co., LLC v. Newton, 2012 WL 760744 (N.D.N.Y. 2012); Facebook, Inc. v. Power Ventures, Inc., 2017 WL 3394754 (N.D. Cal. 2017).
What Constitutes Accessing a Computer “Without Authorization or Exceeding Authorized Access”
The Ninth Circuit, which includes California, has a narrow view of what constitutes a violation of the Computer Fraud and Abuse Act. The Ninth Circuit holds that one may only be held liable (lose a lawsuit) if he or she accesses a computer system without authorization. One is not liable in litigation if he or she accesses a computer system that he or she is normally allowed to access and then uses, takes, or transfers information or data for a purpose that will harm the victim in the future. U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012).
This is a minority view, and most other circuits disagree. The Fourth Circuit seems to be the one circuit in agreement with the Ninth Circuit. WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 207 (4th Cir. 2012) (former employees who had downloaded customer information while still employed in order to leave the employment and compete with the employer were not liable for a violation of the CFAA).
Thus, within the Ninth Circuit, a current employee does not violate the CFAA when he or she downloads proprietary and confidential information for the purpose of competing against the employer, so long as he or she would generally have access to the information. However, a former employee who logs into the network or e-mail of his or her former employer would be liable. (The same distinction would apply to outside vendors or others who are given temporary access to a computer system or e-mail.)
However, an employee who accesses information or systems that he or she is never allowed to have access to would be liable. Nosal, 676 F.3d at 865.
[This page is for educational purposes only. No legal advice or assistance are given.]