Restricted Access: What Employers Need to Know About the Computer Fraud and Abuse Act.

April 9, 2013

The Computer Fraud and Abuse Act was passed by the United States Congress in 1986, and was intended to help reduce the hacking of computer systems as well as to address federal computer related offenses.  The Act, as it was implemented, was intended to govern cases with a compelling federal interest, where computers of the federal government or certain financial institutions were involved, or the crime itself was interstate in nature.

The CFAA prohibits (1) computer trespassing (hacking) in a government computer; (2) computer trespassing resulting in exposure to governmental, credit or computer-housed information; (3) damaging a protected computer; (4) committing fraud, an integral part of which involves unauthorized access to a protected computer; (5) threatening to damage a protected computer; (6) trafficking in passwords for a protected computer; and (7) accessing a computer to commit espionage.  Though written as a criminal statute, the CFAA now exposes an individual to both civil and criminal liability and has been implemented by employers in instances which disgruntled employees damage or tamper with an employer’s computer system.

In order to maintain a civil cause of action under the Computer Fraud and Abuse act, an employer (or victim) must allege and prove that there was (1) damages caused; (2) by the person named as a defendant; (3) in violation of one of the above mentioned provisions; (4) involving at least $5,000, the impairment of a medical examination, diagnosis, treatment or care, an actual physical injury to a person, the threat to public health or safety, or damage affecting a computer used by the government.  These civil actions must be brought within two years of the date the act is complained of or the date of the discovery of the damage.

The language of the Act has been vastly expanded over the years, including the definition of “protected computers” to include any computer connected to the Internet, opening the door employers to bring private suits against employees for misuse of workplace computers.  It is important to note that courts across the country are split on the breath and expansion of this Act, specifically regarding definitions of key aspects of the law such as “without authorization” and “exceeds authorized access.”

Courts in Illinois have focused their holdings on the fact that the underlying concern of the Act is damage to data, not disloyal employees who walk off with confidential information.  However, the definitions of the “authorization” terms have been read broadly.  Most notably, finding courts have drawn a line that says when an employee has done something, or is doing something that is disloyal to an employer, their “authorized access” has ended under the law, and they therefore could be in violation of the CFAA.

With the expansion of the internet in the work place, employees today have vastly more sensitive company information easily accessible on their computers, leaving many in world of law and technology wonder where to draw the line.  Many in the legal and technology communities are hoping that the Supreme Court will take a recent California Appeals Court case in order to examine the reach of the 1980s law and determine a solid and consistent interpretation of the law.

While the law is ever evolving, the rule as it stands now for employees and employers in   Illinois remains “damage to data” not “disloyal employees.”  An employee who copies electronic files from a computer database, and even goes so far as emailing those files to themselves, is not enough to satisfy the damage requirement of the statute.  Illinois requires physical destruction of files, the network, or computer system to have a valid claim under this act. We at Rock Fusco & Connelly have the  experience to help business owners navigate the Computer Fraud and Abuse Act and other consumer fraud issues that arise.