The Computer Fraud and Abuse Act (“CFAA”) is the embodiment of Congress’s first attempt to draft laws criminalizing computer hacking. It is rumored that the Act was influenced by the 1983 movie WarGames, in which a teenager unintentionally starts a countdown to World War III when he hacks into a military supercomputer.
The law as originally drafted was aimed at hackers who use computers to gain unauthorized access to government computers. But Congress has amended it numerous times over the years, drastically expanding it to cover unauthorized access of any computer “used in or affecting interstate or foreign commerce or communication,” as well as a variety of other illicit computer activities such as committing fraud using a computer, trafficking in passwords, and damaging computer systems such as through a virus.
The CFAA also provides a private right of action allowing compensation and injunctive relief for anyone harmed by a violation of the law. It has proved very useful in civil and criminal cases of trade secret misappropriation where the trade secret information was obtained by accessing a computer “without authorization or exceed[ing] authorized access.” It is this language that provides the statute with so much flexibility to be used in trade secret cases; and which the Supreme Court has decided to take a closer look at in its next term.
Opponents have long argued that the “without authorization or exceeds authorized access” language is so unreasonably broad that it criminalizes everyday, insignificant online acts such as password‑sharing and violations of websites’ Terms of Service. Tim Wu, a professor at Columbia Law School, has called it “the worst law in technology.” While it is true that CFAA violations have been, at times, over-aggressively charged, the Supreme Court’s decision could drastically curtail how the CFAA can be used to curb trade secret misappropriation.
The Computer Fraud and Abuse Act
As computer technology has proliferated and become more powerful over the years, Congress has expanded the CFAA—both in terms of its scope and its penalties—numerous times since its enactment. In 1984, Congress passed the Comprehensive Crime Control Act, which included the first federal computer crime statute, later codified at 18 U.S.C. § 1030, even before the more recognizable form of the modern Internet, i.e., the World Wide Web, was invented. This original bill was in response to a growing problem in counterfeit credit cards and unauthorized use of account numbers or access codes to banking system accounts. H.R. Rep. No. 98-894, at 4 (1984). Congress recognized that the main issue underlying counterfeit credit cards was the potential for fraudulent use of ever-expanding and rapidly-changing computer technology. Id. The purpose of the statute was to deter “the activities of so-called ‘hackers’ who” were accessing “both private and public computer systems.” Id. at 10. In fact, the original bill characterized the 1983 science fiction film WarGames as “a realistic representation of the automatic dialing and access capabilities of the personal computer.” Id.
Two years later, Congress significantly expanded the computer crime statute, and it became known as the Computer Fraud and Abuse Act. Congress has further amended the statute over the years to expand the scope of proscribed violations and to provide a civil cause of action for private parties to obtain compensatory damages, injunctive relief, and/or other equitable relief. For example, in the most recent expansion of the CFAA, in 2008, Congress (1) broadened the definition of “protected” computers to include those “used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States,” which includes servers and other devices connected to the Internet; (2) criminalized threats to steal data on a victim’s computer, publicly disclose stolen data, or not repair damage already caused to the computer; (3) added conspiracy as an offense; and (4) allowed for civil and criminal forfeiture of real or personal property used in or derived from CFAA violations.
The CFAA covers a broad range of unlawful computer access and, in relevant part, provides: “[w]hoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer,” commits a federal crime and may face civil liability. 18 U.S.C. § 1030(a)(2), (c), (g). The phrase “without authorization” is not defined in the statute, but the phrase “exceeds authorized access,” is defined as: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6).
A “computer” can be any “electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device.” Id. § 1030(e)(1). Courts across the country have interpreted “computer” extremely broadly to include cell phones, Internet-connected devices, cell towers, and stations that transmit wireless signals. E.g., United States v. Kramer, 631 F.3d 900, 902-03 (8th Cir. 2011) (basic cellular phone without Internet connection); United States v. Valle, 807 F.3d 508, 513 (2d Cir. 2015) (restricted databases); United States v. Drew, 259 F.R.D. 449, 457-58 (C.D. Cal. 2009) (Internet website); United States v. Mitra, 405 F.3d 492, 495 (7th Cir. 2005) (computer-based radio system); United States v. Nosal, 844 F.3d 1024, 1050 (9th Cir. 2016) (Reinhardt, J., dissenting) (“This means that nearly all desktops, laptops, servers, smart-phones, as well as any iPad, Kindle, Nook, X-box, Blu-Ray player or any other Internet-enabled device, including even some thermostats qualify as “protected.” (some internal quotations omitted)). A “protected computer” is any computer that “is used in or affect[s] interstate or foreign commerce or communication of the United States.” 18 U.S.C. § 1030(e)(2)(B). Again, courts have construed this term very broadly to include any computer connected to the Internet. E.g., United States v. Nosal, 676 F.3d 854, 859 (9th Cir. 2012) (en banc); United States v. Trotter, 478 F.3d 918, 921 (8th Cir. 2007).
Violations of the CFAA can result in both criminal and civil liability. A criminal conviction under the “exceeds authorized access” provision is typically a fine or a misdemeanor for a first offense, but can be a felony punishable by fines and imprisonment of up to five years in certain situations, such as where the offense was committed for “commercial advantage or private financial gain” and “the value of the information obtained exceeds $5,000.” 18 U.S.C. § 1030(c)(2)(A), (B). The CFAA also authorizes civil suits for compensatory damages and injunctive or other equitable relief by parties who show, among other things, that a violation of the statute caused them to “suffer[ ] damage or loss” under certain circumstances. Id. § 1030(g).
Using the CFAA in Trade Secret Cases
A CFAA claim can be a nice complement to a trade secret misappropriation claim if the act of misappropriation included taking information from a computer system. One key advantage that the CFAA adds to a trade secret misappropriation case is that it is not subject to some of the more restrictive requirements of federal and state trade secret laws. To assert a claim under the Defend Trade Secrets Act, 18 U.S.C. § 1836, et seq., the claimant must (among other things): (1) specifically identify the trade secret that was misappropriated; (2) prove that the claimant took reasonable measures to keep the information secret; and (3) prove that the information derives independent economic value from not being generally known or readily ascertainable. See 18 U.S.C. § 1839(3).
These requirements can present traps for the unwary, and potential defenses for a defendant. For example, a defendant accused of trade secret misappropriation will often put the plaintiff through its paces to specifically identify the trade secrets that were allegedly misappropriated because failure to do so to the court’s satisfaction can lead to an early dismissal. E.g., S & P Fin. Advisors v. Kreeyaa LLC, No. 16-CV-03103-SK, 2016 WL 11020958, at *3 (N.D. Cal. Oct. 25, 2016) (dismissing for failure to state a claim for violation of the DTSA where plaintiff failed to sufficiently state what information defendants allegedly misappropriated and how that information constitutes a trade secret).
Similarly, whether the information was protected by “reasonable measures” can become a litigation within the litigation. To establish this requirement, the plaintiff typically must spell out all of its security measures, supply evidence of the same, and provide one or more witnesses to testify to the extent and effectiveness of the security measures. Failure to adequately establish reasonable measures has been the downfall of many trade secret claims. E.g., Gov’t Employees Ins. Co. v. Nealey, 262 F. Supp. 3d 153, 167-172 (E.D. Pa. 2017) (dismissing plaintiff’s DTSA claim for failure to state a claim when it included much of the same information it claimed to be a trade secret in a publicly filed affidavit).
Lastly, the requirement to establish that the information derives independent economic value from not being generally known or readily ascertainable can also be a significant point of contention. Establishing this prong often requires the use of a damages expert and the costly expert discovery that goes along with that. And as with the other requirements of a DTSA claim, failure to establish it adequately can doom the claim. E.g., ATS Grp., LLC v. Legacy Tank & Indus. Servs. LLC, 407 F. Supp. 3d 1186, 1200 (W.D. Okla. 2019) (finding plaintiff failed to state a claim that the information designated as trade secrets derived independent value from remaining confidential when the complaint only recited language from DTSA without alleging, for example, that the secrecy of the information provided it with a competitive advantage).
The elements of a CFAA claim in a civil action—generally, intentionally accessing a protected computer without authorization or exceeding authorization and causing at least $5,000 in losses—are, in comparison, less burdensome to establish and less perilous for the claimant. Access is typically established through computer logs or forensic analysis. The level of authorization the defendant had is usually easily established from company records and/or a manager’s testimony, and the requisite damages of $5,000 is so low that it is easily met in the vast majority of cases. Lastly, the element of intent can be the most contentious, but as with any intent requirement, it can be established through circumstantial evidence. E.g., Fidlar Techs. v. LPS Real Estate Data Sols., Inc., 810 F.3d 1075, 1079 (7th Cir. 2016) (“Because direct evidence of intent is often unavailable, intent to defraud [under the CFAA] may be established by circumstantial evidence and by inferences drawn from examining the scheme itself which demonstrate that the scheme was reasonably calculated to deceive persons of ordinary prudence and comprehension.”) (citations and internal quotation marks omitted). Often, the mere fact that the defendant bypassed controls and security messages on the computer is sufficient to establish intent. E.g., Tyan, Inc. v. Garcia, No. CV-15-05443-MWF (JPRx), 2017 WL 1658811, at *14, 2017 U.S. Dist. LEXIS 66805 at *40-41 (C.D. Cal. May 2, 2017) (finding defendant had intent to defraud when he accessed files with a username and password he was not authorized to use).
The Controversy Surrounding the CFAA
Over the years, opponents of the CFAA have argued that it is so unreasonably broad that it effectively criminalizes everyday computer behavior:
Every day, “millions of ordinary citizens” across the country use computers for work and for personal matters. United States v. Nosal, 676 F.3d 854, 862-63 (9th Cir. 2012) (en banc). Accessing information on those computers is virtually always subject to conditions imposed by employers’ policies, websites’ terms of service, and other third-party restrictions. If, as some circuits hold, the CFAA effectively incorporates all of these limitations, then any trivial breach of such a condition—from checking sports scores at work to inflating one’s height on a dating website—is a federal crime.
Petition for Writ of Certiorari, Van Buren v. United States, No. 19-783, at 2.
The most infamous example of overcharging the CFAA is the tragic case of Aaron Swartz. Swartz—an open-Internet activist—connected a computer to the Massachusetts Institute of Technology (“MIT”) network and downloaded academic journal articles from the subscription database, JSTOR. Federal prosecutors charged him with multiple counts of wire fraud and violations of the CFAA, sufficient to carry a maximum penalty of $1 million in fines and 35 years in prison. United States v. Swartz, No. 11-1-260-NMG, Dkt. No. 2 (D. Mass, July 14, 2011); see also id. at Dkt. No. 53 (D. Mass, September 12, 2012). After lengthy discussions with the prosecutors, and resolving the case with JSTOR, but unable to come to an agreement with the prosecutors, Aaron committed suicide.
In 2014, partly in response to public pressure from the Swartz case and in an attempt to provide some certainty to its prosecution of CFAA offenses, the Department of Justice issued a memorandum outlining its charging policy for CFAA violations. Under the new policy, the DOJ explained:
When prosecuting an exceed-authorized-access violation, the attorney for the government must be prepared to prove that the defendant knowingly violated restriction on his authority to obtain or alter information stored on a computer, and not merely that the defendant subsequently misused information or services that he was authorized to obtain from the computer at the time he obtained it.
Department of Justice’s Intake and Charging Policy for Computer Crime Matters (Charging Policy), Memorandum from U.S. Att’y Gen. to U.S. Att’ys and Asst. Att’y Gens. for the Crim. and Nat’l Sec. Divs. at 4 (Sept. 11, 2014) (available at https://www.justice.gov/criminal-ccips/file/904941/download). Perhaps unsurprisingly, opponents of the law were not sufficiently comforted by prosecutorial promises to not overcharge CFAA claims.
The Supreme Court Is Expected to Clarify What Actions Constitute Violations of the CFAA Uniformly Across the Country
Nathan Van Buren was a police sergeant in Cumming, Georgia. As a law enforcement officer, Van Buren was authorized to access the Georgia Crime Information Center (GCIC) database, which contains license plate and vehicle registration information, “for law-enforcement purposes.” An acquaintance, Andrew Albo, gave Van Buren $6,000 to run a search of the GCIC to determine whether a dancer at a local strip club was an undercover police officer. Van Buren complied and was arrested by the FBI the next day. It turned out, Albo was cooperating with the FBI and his request to Van Buren was a ruse invented by the FBI to see if Van Buren would bite.
Following a trial, Van Buren was convicted under the CFAA and sentenced to eighteen months in prison. On appeal, he argued that accessing information that he had authorization to access cannot “exceed authorized access” as meant by statute, even if he did so for an improper or impermissible purpose. The Eleventh Circuit disagreed, siding with the government that United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010) was controlling. In Rodriguez, the Eleventh Circuit had held that a person with access to a computer for business reasons “exceed[s] his authorized access” when he “obtain[s] . . . information for a nonbusiness reason.” Rodriguez, 628 F.3d at 1263.
In denying Van Buren’s appeal, the Eleventh Circuit noted the split that the Supreme Court has now decided to resolve. As with the Eleventh Circuit, the First, Fifth, and Seventh Circuits have all held that a person operates “without authorization” or “exceeds authorized access” when they access information they otherwise are authorized to access, but for an unauthorized purpose. See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582-83 (1st Cir. 2001) (defendant exceeded authorized access by collecting “proprietary information and know-how” to aid a competitor); United States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (“exceed[ing] authorized access” includes “exceeding the purposes for which access is ‘authorized.’”); Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (CFAA violated when defendant accessed data on his work computer for a purpose that his employer prohibited). Those who favor the broader interpretation argue that an expansive interpretation of the statute is more consistent with congressional intent of stopping bad actors from computer‑facilitated crime as computers continue to proliferate, especially in light of the consistent amendments that Congress has enacted to broaden the application of the CFAA. See Guest-Tek Interactive Entm’t, Inc. v. Pullen, 665 F. Supp. 2d 42, 45 (D. Mass. 2009) (“a narrow reading of the CFAA ignores the consistent amendments that Congress has enacted to broaden its application . . . in the past two decades by the enactment of a private cause of action and a more liberal judicial interpretation of the statutory provisions.”).
Numerous trial courts have applied these circuits’ more expansive interpretation in civil cases against alleged trade secret misappropriators. For example, in Merritt Hawkins & Assocs., LLC v. Gresham, 79 F. Supp. 3d 625 (N.D. Tex. 2015), the court relied on the Fifth Circuit’s controlling case, United States v. John, 597 F.3d 263 (5th Cir. 2010), to deny summary judgment to a defendant who was accused of exceeding his authorization when he deleted hundreds of files on the company’s computer before terminating his employment. In finding disputed issues of fact, the trial court specifically noted that “the Fifth Circuit agree[d] with the First Circuit that the concept of ‘exceeds authorized access’ may include exceeding the purposes for which access is ‘authorized.’” Merritt Hawkins, 79 F. Supp. 3d at 634. Likewise, in Guest-Tek Interactive Entm’t, the court noted both interpretations and opted for the broader one in view of guidance from the First Circuit. Guest-Tek Interactive Entm’t Inc., 665 F. Supp. 2d at 45-46 (noting that the First Circuit “has favored a broader reading of the CFAA”) (citing EF Cultural Travel BV, 274 F.3d at 582-84).
On the flip side, three circuits have held that the CFAA’s “without authorization” and “exceeds authorized access” do not impose criminal liability on a person with permission to access information on a computer who accesses that information for an improper purpose. In other words, a person violates the CFAA in these circuits only by accessing information he has no authorization to access, regardless of the reason. Valle, 807 F.3d at 527 (CFAA is limited to situations where the user does not have access for any purpose at all); WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 202, 207 (4th Cir. 2012) (rejecting the argument that the CFAA imposes liability on employees who violate a use policy and limiting liability to individuals who access computers without authorization or who obtain or alter information beyond the bounds of their authorized access); Nosal, 676 F.3d at 862-63 (holding that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions). These courts have all relied on statutory construction plus some version of the rule of lenity—that, when a criminal statute is susceptible to a harsher construction and a less-harsh construction, courts should opt for the latter. For example, as Van Buren pointed out in his petition:
“every March, tens of millions of American workers participate in office pools for the NCAA men’s basketball tournament (“March Madness”). Such pools typically involve money stakes. When these employees use their company computers to generate their brackets or to check their standing in the pools, they likely violate their employers’ computer policies. Again, the answer to the question presented determines whether these employees are guilty of a felony.”
Petition for Writ of Certiorari, Van Buren v. United States, No. 19-783, at 12-13; see also Nosal, 676 F.3d at 860-63 (applying “use restrictions” would turn “millions of ordinary citizens” into criminals). Numerous trial courts in these jurisdictions have followed suit. See, e.g., Shamrock Foods v. Gast, 535 F. Supp. 2d 962, 967 (D. Ariz. 2008) (concluding that “the plain language, legislative history, and principles of statutory construction” support “the restrictive view of ‘authorization’”); Lockheed Martin Corp. v. Speed, et al., No. 6:05-cv-1580, 2006 U.S. Dist. LEXIS 53108 at *24 (M.D. Fla. 2006) (finding that the narrow construction “follows the statute’s plain meaning, and coincidently, has the added benefit of comporting with the rule of lenity.”).
So at bottom, the Supreme Court will decide whether the CFAA, in addition to access restrictions, also encompasses use restrictions.
What Future Impact May the Supreme Court’s Decision Have on Trade Secret Cases?
If the Supreme Court adopts the narrower access-restriction-only enforcement of the CFAA, then the nature and extent of the alleged misappropriator’s authorization to access the trade secrets will determine the applicability of the CFAA. Even with this narrower interpretation, however, employers can still proactively take certain steps to improve their chances of being able to assert CFAA claims in the future.
Misappropriation of trade secrets under federal and state statutes, and breach of employment or nondisclosure agreements, are potential claims an employer can assert against an employee who accepts a job offer with a competitor and downloads trade secret information to take with him before leaving the company. Whether the company can also have a claim against this former employee under the CFAA depends on the level of access he had to the employer’s computer sources during the course of his employment. If (under the narrower interpretation of the CFAA) the employee downloaded the trade secrets from computer sources he had access to in the course of his ordinary job duties, then the company may not have a CFAA claim because the employee’s actions were neither “without authorization” nor “exceed[ing] authorized access.” But if the employee did not have permission to access those computer sources in the course of his normal job duties, then he may be guilty of exceeding his authorized access. See Nosal, 676 F.3d at 858 (accessing a computer “without authorization” refers to a scenario where a user lacks permission to access any information on the computer, whereas “exceeds authorized access” refers to a user who has permission to access some information on the computer but then accesses other information to which her authorization does not extend).
There are certain steps employers can take that can determine whether they can assert a CFAA claim against an employee if need be in the future. First, employees’ computer access should be limited to need-to-know. In other words, employees should not be able to access computer resources and information that are not necessary for them to perform their duties. For example, an employee may be provided access to customer and price lists (economic trade secrets), but not have access to servers where source code and technical information (technical trade secrets) are stored. Even within technical areas, an employee’s access privileges should be limited as much as possible to their specific areas of work. In addition, employment agreements, confidentiality agreements (with both employees and third parties), and company policies should make clear that employees (and business partners, where applicable) do not have permission to access resources that are not necessary in the performance of their job responsibilities. This may entail some additional IT overhead in tightening up employees’ access privileges, but any steps employers can take proactively to convert potential use restrictions into access restrictions will go a long way in preserving the viability of a CFAA claim.
Lastly, even without use restrictions, if the Supreme Court decides those are overreach, a company’s employment agreements, nondisclosure agreements, and computer use policies may still save the day. Under one line of thought which may survive even if the Supreme Court adopts the narrower interpretation, when an employee breaches one of these agreements or policies, or even just violates her duty of loyalty to the company, that can instantly and automatically extinguish her agency relationship with the company and, with it, whatever authority she had to access the company’s computers and information. See Int’l Airport Ctrs., 440 F.3d at 420-21 (relying on employee’s “breach of his duty of loyalty [which] terminated his agency relationship…and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”); see also Shurgard Storage, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000) (“the authority of the plaintiff’s former employees ended when they allegedly became agents of the defendant. Therefore, for the purposes of this 12(b)(6) motion, they lost their authorization and were ‘without authorization’ when they allegedly obtained and sent the proprietary information to the defendant via e-mail.”). Accordingly, it may be possible to bring a CFAA claim where an employee exceeds his authority by, for example, violating a policy that prohibits downloading confidential company files to portable media (essentially, a use restriction), which then automatically forfeits his access rights, resulting in an access restriction violation.
The Supreme Court may drastically narrow application of the CFAA when it decides the Van Buren case. But there are proactive measures employers can take now to potentially preserve their ability to use the CFAA in cases of trade secret misappropriation.
 CFAA claims in civil trade secret misappropriation cases are typically brought under 18 U.S.C. §§ 1030(a)(2) or (a)(4). The former states, “Whoever—
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;…
shall be punished as provided in subsection (c) of this section.” The latter states, “Whoever—
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period…. shall be punished as provided in subsection (c) of this section.”
These are the portions of the CFAA that are usually more applicable to an employee or former employee who steals his employer’s trade secrets. The CFAA includes other provisions directed to “outside hacker” situations. For example, 18 U.S.C. § 1030(a)(5)-(7) address scenarios such as malicious hacking with intent to cause damage or loss, trafficking in passwords, and ransomware.
The opinions expressed are those of the authors on the date noted above and do not necessarily reflect the views of Fish & Richardson P.C., any other of its lawyers, its clients, or any of its or their respective affiliates. This post is for general information purposes only and is not intended to be and should not be taken as legal advice. No attorney-client relationship is formed.