Hacking has become a major concern for companies across the U.S., which is why every business should be aware of the Computer Fraud and Abuse Act, the federal anti-hacking law. Companies should inform employees how unauthorized access to a computer or network can lead to criminal charges or civil liability under the Act, and should also know what recourse the law offers them when they are the victim. If you are concerned about Computer Fraud and Abuse Act compliance or possible violations affecting your company, it may be worth speaking with an attorney from the Priori network.
Understanding the Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030, is the federal anti-hacking law. It makes it illegal to intentionally access a computer without authorization or in excess of authorized access. The law reaches a wide range of conduct, but it was written to target people who obtain and use information stored on computers they are not supposed to be able to access.
The 7 Prohibitions
The Computer Fraud and Abuse Act prohibits seven specific acts of fraud and abuse:
- obtaining national security information,
- compromising confidentiality,
- trespassing in a government computer,
- accessing to defraud and obtain value,
- damaging a computer or information,
- trafficking in passwords, and
- threatening to damage a computer.
Technically, these acts are prohibited only when performed on a “protected computer,” which the statute defines as a computer used by or for a financial institution or the United States Government, or any computer used in or affecting interstate or foreign commerce or communication. In practice, because nearly every networked device affects interstate commerce, courts have read this definition to cover essentially all internet-connected computers, including cell phones and tablets.
Access Without Authorization
The CFAA does not define “without authorization,” and its definition of “exceeds authorized access” (using authorized access to obtain or alter information the accesser “is not entitled so to obtain or alter”) is circular enough that courts have split on both terms. Some courts held that a violation includes any conduct not “in line with the reasonable expectations” of the website owner and its users, while others found that reading far too broad and at odds with the purpose of the Internet as a place for the open exchange of ideas. This conflict pushed the CFAA well beyond government and financial hacking crimes: under the broad reading, breaching a website’s terms of service, a private agreement, or a corporate computer-use policy could itself be a CFAA violation. In Van Buren v. United States (2021), the Supreme Court narrowed “exceeds authorized access” to reaching parts of a computer that are off-limits to the user, rejecting the theory that misusing information one is permitted to access is a crime under the Act, so purpose-based and policy-based charges are much harder to bring today. Either way, companies need to be aware of the CFAA and encourage compliance with it.
Under the CFAA, there are both criminal and civil penalties for violations, although it is at its core a criminal law.
If you are found guilty of violating the CFAA, the criminal penalties are severe. A first-time offense of accessing a protected computer without authorization or in excess of authorization and obtaining information is a misdemeanor punishable by up to one year in federal prison; it becomes a felony punishable by up to five years if the access was for commercial advantage or private financial gain, in furtherance of another crime or tort, or if the information obtained is worth more than $5,000. Each unauthorized access can be charged as a separate count, and a conviction after a prior CFAA conviction raises the maximum to 10 years, in addition to fines. Other parts of the CFAA carry longer maximum sentences: up to 20 years for some offenses involving national security information or for damage that causes serious bodily injury, and up to life imprisonment where the damage knowingly or recklessly causes death.
If a CFAA violation causes damage or loss, companies and individuals can bring a civil suit for compensatory damages and injunctive relief, but only if the violation meets one of the statutory thresholds, most commonly a loss of at least $5,000 in any one-year period. The Act defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” As courts currently read it, this covers measurable costs tied to the intrusion itself or to an interruption of service, not lost potential earnings from unfair competition or lost business opportunities attributable to actions like the theft of trade secrets.
If your company may have a claim under the CFAA, it is important to speak with a qualified attorney.
To keep employees from running afoul of the CFAA and to protect the company from intrusions, computer access and use policies should be specific: define what each class of employee may and may not access, and enforce those boundaries technically, through access controls, so that no employee can reach restricted data by accident. A large part of compliance is also informing employees of the risks and penalties of tapping into restricted data or networks, whether at work or elsewhere.
What are some criticisms of the Computer Fraud and Abuse Act and how do they affect compliance?
Many Internet activists and some law professors argue that the Computer Fraud and Abuse Act is too vague and too broadly applied, which makes compliance nearly impossible, since almost any act not explicitly permitted on a computer could be treated as a CFAA violation. In the wake of activist Aaron Swartz’s suicide while facing multiple CFAA charges, these criticisms gained traction, and many groups are actively campaigning for the law to be amended. If the CFAA is changed, compliance obligations will change with it; until then, the criticism does not alter any company’s compliance requirements.