The Computer Fraud and Abuse Act and its Application in Florida Courts

Since the advent of the computer era and its infectious spread throughout the technological world we know today, the possibility for computer related fraud has always existed. With the rise of the internet, access to all kinds of information had never been easier or faster. Even top secret information from intelligence agencies of the United States were at risk and vulnerable to hackers or people simply looking for some at-home entertainment. To a hacker, the world was at their fingertips, literally. This Blog post seeks to explore some of the laws implicated by illegal hacking and what civil remedies victims are afforded.

In 2008, acting in accordance with the times, Congress released an amendment to the then-existing computer fraud law (codified in 18 U.S.C. § 1030) known as, The Computer Fraud and Abuse Act (“CFAA”). The amendment broadened the scope of the previous act by making it a crime for someone to intentionally access any “protected computer.” A “protected computer” is defined as one used exclusively for or by a financial institution of the U.S. or used in affecting interstate or foreign commerce. 18 U.S.C. § 1030(e)(2). With internet websites such as E-bay, Amazon, and Craigslist, it’s hard to imagine a computer that isn’t “affecting interstate commerce” nowadays.

Although the CFAA is a criminal statute, under the CFAA, a person has a civil cause of action if they should suffers damage or loss as a result of someone acting in violation of the act. Compensatory and injunctive relief is provided under the act so long as certain requirements are met. 18 U.S.C. § 1030(g). However, if a person seeks damages for loss aggregating $5,000 in value, they are limited to only economic damages. Id.

In Florida, the Florida Computer Crimes Act was enacted as a supplement to previously existing law against computer related crimes. It offers protection against crimes involving intellectual property, trade secret information, and computer users. The act also creates a public records exemption for public employees. Like the CFAA, the act creates a private cause of action for compensatory damages to a person who is harmed by someone found in violation of the act. Florida courts have concurrent jurisdiction along with federal courts to hear cases involving the CFAA and therefore apply the CFAA when assessing crimes related to computer abuse.

I.                   Elements of CFAA claims

There are seven categories of conduct that give rise to either civil or criminal liability as defined by the CFAA:

1. Under 18 U.S.C. § 1030(a)(1), the plaintiff must establish that the defendant: (1) knowingly; (2) accessed a protected computer without authorization or exceeds authorized access; (3) obtained protected information or restricted data to the injury of the US; (4) wilfully delivered or attempted to deliver such information or retained information; and (5) failed to deliver information back to the US.

2. Under 18 U.S.C. § 1030(a)(2), the plaintiff must establish that the defendant: (1) intentionally; (2) accessed a computer without authorization or exceeds authorized access; and (3) obtained (A) financial information, (B) information from any department or agency of the US or (C) information from any protected computer.

3. Under 18 U.S.C. § 1030(a)(3), the plaintiff must establish that the defendant: (1) intentionally; (2) accessed any nonpublic computer of a department of the US without authorization; (3) affecting the use by the government.

4. Under 18 U.S.C. § 1030(a)(4), the plaintiff must establish that the defendant: (1) knowingly; (2) with intent to defraud; (3) accessed a protected computer without authorization or exceeds authorized access; and (4) furthers intended fraud.

5. Under 18 U.S.C. § 1030(a)(5), the plaintiff must establish that the defendant: (A)(1) knowingly; (2) causes transmission of a program, information, code or command without authorization; and (3) intentionally; (4) causes damage to a protected computer; or (B)(1) intentionally; (2) accesses a protected computer without authorization; and (3) recklessly; (4) causes damage; or (C)(1) intentionally; (2) accesses a protected computer without authorization; and (3) causes damages and loss.

6. Under 18 U.S.C. § 1030(a)(6), the plaintiff must establish that the defendant: (1) knowingly; (2) with intent to defraud; (3) traffics in any password or similar information through which a computer may be accessed without authorization if (A) it affects interstate commerce or (B) the computer is used by the government of the US.

7. Under 18 U.S.C. § 1030(a)(7), the plaintiff must establish that the defendant: (1) with intent to extort any money or thing of value; (2) transmits in commerce any communication with (A) a threat to cause damage to a protected computer, (B) a threat to obtain or impair information from a protected computer without authorization or in excess of authorized access, or (C) a demand or request for money or other thing of value in relation to damage to a protected computer.

Additionally, 18 U.S.C. § 1030(g) provides that civil liability attaches once a plaintiff has suffered damage arising from one of five factors. The defendant must have engaged in one of the following: 1) loss in any one year aggregating at least $5,000 in value; 2) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of another; 3) physical injury to any person; 4) a threat to public health or safety; or 5) damage affecting a computer used by or for an entity of the U.S. government in furtherance of the administration of justice, national defense, or national security. Further, the act precludes actions brought more than two years after the date of the act in question.

II.                Defenses to enforcement

There are several defenses a defendant can raise against the allegation of a crime in violation of the CFAA. Specifically, a defendant may attack whether the plaintiff has satisfied the requisite elements listed above. One element that may be attacked is whether the defendant acted without authorization or in excess of his authorized access. The statute is very clear on prohibiting acts performed either “without authorization” or “exceeding authorized access.” However, for an employee who acts with prior authorization to access the computer from his employer, the law seems to not apply; whether the employee exceeded his authorized access can be difficult to allege if the employee sustained unrestricted access. The problem lies within the act itself as it does not properly define the term “authorization.”

Instead, it is up to the courts to interpret what Congress really intended and apply either a narrow or expansive definition of the term “authorization.” Florida has adopted the narrow definition of the term, according to the plain language of the statute, finding that violations “without authorization” occur only where initial access is not granted; violations “exceeding authorized access” occur where initial access is granted, but not to certain information. Lockheed Martin Corp v. Speed, 2006 WL 2683058, at *7 (M.D. Fla. Aug. 1, 2006); Clarity Services, Inc. v. Barney, 698 F.Supp.2d 1309, 1314 (M.D. Fla. 2010) (holding an employer’s claim for violation of the CFAA fails under the narrow definition of authorization since employee had full authorization to read email until employer suspended email account, even after termination of employment). Further, to find that an employee exceeded his authorized access, there must be an attempt to restrict certain access by the employer. See id., at 1316. Unrestricted access to all information will bar a claim alleging an employee either exceeded his authorized access or was without authorization. Id.

Another element a defendant can attack is whether the plaintiff suffered the requisite loss under the act. “Loss” is defined as “any reasonable cost to the victim, including cost of responding to an offense, conducting a damage assessment, and restoring data, program, system, or information to its condition prior to offense and any revenue lost, cost incurred or other consequential damages because of interruption of service.” 18 USC § 1030(e)(11). As the statute provides, the only measure of damages available is actual monetary loss in order to qualify as economic damages. 18 U.S.C. 1030(g); See Resdev, LLC v. Lot Builders Association, Inc.,  2005 WL 1924743, at *5 (M.D. Fla. Aug. 10, 2005) (finding damage based on the hacked information’s alleged trade secret value did not amount to actual monetary loss and thus, did not qualify as damage).

Courts have focused on the fact that loss must be due to some interruption of service. Thus, loss not attributed to an interruption of service will not qualify. See Cohen v. Gulfstream Training Academy, Inc., 2008 WL 961472, at *4 (S.D. Fla. April 9, 2008) (finding an employee who copied files and allegedly stole clients from employer did not cause an interruption of service by exceeding his authority to access computer); Continental Group, Inc. v. KW Property Management, LLC., 622 F.Supp.2d 1357, 1371 (S.D. Fla. 2009).

However, there is a split of authority among the Southern and Middle Districts of Florida on whether all losses require an interruption of service. The Southern District favors interpreting the statute as requiring an interruption of service, as noted above. The Middle District favors interpreting the statute as encompassing two types of harm: (1) costs to investigate and respond to computer intrusion and, (2) costs associated with a service of interruption. See Trademotion, LLC. v. MARKETCLIQ, Inc., 857 F.Supp.2d 1285, 1293 (M.D. Fla. 2012) (quoting Quantlabs Techs. Ltd. v. Godlevsky, 719 F.Supp.2d 766, 776 (S.D. Tex. 2010)).

For example, in Trademotion, the court found loss attributed to investigation of the issue with plaintiff’s code and its subsequent repair was adequately plead in the complaint since the statute does not relate solely to losses incurred due to an interruption of service. Id. At the present time, there are no appellate decisions published on this issue. Thus, the outcome of a complaint filed under the CFAA may differ depending on where the case is filed.

Moreover, a defendant may argue the plaintiff did not sustain the proper damage under the statute. “Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). “Integrity” requires “some diminution in the completeness or usability of data or information on a computer system.” Trademotion, 857 F.Supp.2d at 1292; Resdev, 2005 WL 1924743 at *5. “Availability” suggests a party asserting a claim under 1030(a) may prove damage by showing that a defendant’s actions somehow made certain data or program(s) not readily obtainable. Cheney v. IPD Analytics, LLC., 2009 WL 1298405, at *6 (S.D. Fla. April 16, 2009); Trademotion, 857 F.Supp.2d at 1292.

As the court noted in Cheney, permanent deletion of files from a computer without authorization may constitute damage if there is no other means by which the plaintiff may access the data. Cheney, 2009 WL 1298405 at *6. However, merely deleting files or information from a computer does not qualify as damage when there is no evidence of the defendant obtaining any information. See id.; Barney, 698 F.Supp.2d at 1316.

On the other hand, infiltrating a plaintiff’s computer network and collecting and disseminating confidential information even without altering the information, qualifies as an impairment of integrity sufficient to qualify as damages. TracFone Wireless, Inc. v. Cabrera, 883 F.Supp.2d 1220, 1228 (S.D. Fla. 2012) (quoting Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1126 (W.D. Wash. 2000)). In TracFone, the defendant, knowingly and with the intent to defraud, accessed the plaintiff’s computer system and retained prepaid airtime codes, electronic serial numbers, etc., he was not authorized to use in any way and used such access to alter information in the system and obtain stolen airtime and services from plaintiff. Id. The court found that plaintiff had thereby satisfied all requisite elements including, “intent,” “without authorization,” “loss,” and “damages,” alleging a proper cause of action under 18 U.S.C. § 1030(a)(4) against defendant. Id. (finding plaintiff spent over $20,000 investigating and assessing impairment of integrity to its computers as a result of defendant’s actions).

Further, the CFAA carves out an exception for designers or manufacturers of computer hardware, software or firmware. 18 USC § 1030(g). Therefore, designers or manufacturers are legally not liable for any claims based on negligence of their computer design under the CFAA.

In sum, the CFAA and its Florida counterpart provides a powerful tool in private litigation for persons or businesses injured by, among others, former employees, hackers, spammers and perhaps many others. Should your business find itself a victim of an unlawful cyber theft, it is advisable that you contact knowledgeable counsel to understand what rights you may have in protecting your information and pursuing remedial damages.