The slides from Shawn Tuma's presentation to the Computer Law Section of the Dallas Bar Association entitled The Evolving Computer Fraud and Abuse Act. Dated April 23, 2012.
3. History and Original Purpose of CFAA
Why?
What Does the CFAA Prohibit?
Examples of Most Common CFAA Violations
Most Controversial Issues Under CFAA
Recent CFAA Developments
www.brittontuma.com 3
7. Comprehensive Crime Control Act of 1984
Criminal statute
Wire & mail fraud
Response to movie War Games
8. Computer Fraud and Abuse Act of 1986
Hacking of “Government interest”
computers
Criminal only
3 major amendments (9 total)
Added private cause of action in ’94
2008 most recent
9. Why is the Computer Fraud
and Abuse Act important?
Primary Law for Misuse of Computers
Computers …
10. “Everything has a
computer in it nowadays.”
-Steve Jobs
12. The CFAA says
has a processor or stores data
“the term ‘computer’ means an electronic, magnetic, optical,
electrochemical, or other high speed data processing device
performing logical, arithmetic, or storage functions, and
includes any data storage facility or communications facility
directly related to or operating in conjunction with such device,
but …”
“such term does not include an automated typewriter or
typesetter, a portable hand held calculator, or other similar
device;”
13. The Fourth Circuit says
“If a device is ‘an electronic … or other high speed data
processing device performing logical, arithmetic, or
storage functions,’ it is a computer. This definition
captures any device that makes use of an electronic
data processor, examples of which are legion.”
-United States v. Kramer
15. The Fourth Circuit says
“’Just think of the common household items that
include microchips and electronic storage devices, and
thus will satisfy the statutory definition of “computer.”’
“’That category can include coffeemakers, microwave
ovens, watches, telephones, children’s toys, MP3
players, refrigerators, heating and air-conditioning
units, radios, alarm clocks, televisions, and DVD
players, . . . .”
-United States v. Kramer
16. The CFAA applies only to “protected” computers
This may limit the problem of applying it to alarm
clocks, toasters, and coffee makers
Protected = connected to the Internet
Any situations where these devices are connected?
20. CFAA prohibits the access of a protected
computer that is
Without authorization, or
Exceeds authorized access
21. Where the person accessing
Obtains information
Commits a fraud
Obtains something of value
Transmits damaging information
Causes damage
Traffics in passwords
Commits extortion
22. “I am the wisest man alive,
for I know one thing, and that
is that I know nothing.”
-Socrates
Overly simplistic list
Very complex statute
Superficially it appears deceptively straightforward
Many pitfalls
23. Two Most Problematic Issues
“Loss” Requirement
• Confuses lawyers and judges alike
Unauthorized / Exceeding Authorized Access
• Evolving jurisprudence
• Interpreted by many Circuits
• New conflict on April 10, 2012
24. Limited civil remedy
Procedurally complex with many cross-references
“damage” ≠ “damages”
Must have $5,000 “loss”
Loss requirement is jurisdictional threshold
25. What is a “loss”?
“any reasonable cost to any victim, including the cost of
responding to an offense, conducting a damage assessment, and
restoring the data, program, system, or information to its
condition prior to the offense, and any revenue lost, cost
incurred, or other consequential damages incurred because of
interruption of service.”
Loss = cost (unless interruption of service)
26. What can qualify as a “loss”?
Investigation and response costs
• Forensics analysis and investigation
• Diagnostic measures
• Restoration of system
• Bartered services for investigation / restoration
Value of employees’ time
Attorneys’ fees if leading investigation
27. What is not a “loss”?
Lost revenue (unless interruption of service)
Value of trade secrets
Lost profits
Lost customers
Lost business opportunities
Privacy and Personally Identifiable Information
28. Privacy and Personally Identifiable Information
iTracking
Hacking / data breach
Browser cookies
REMEMBER: Loss is only required for civil remedy –
not criminal violation
29. What would you advise?
Wrongful access of your client’s
computer
Considering a CFAA claim
Your advice would be to ________?
30. Remedies
Available
• Economic damages
• Loss damage
• Injunctive relief
Not Available
• Exemplary damages
• Attorneys’ fees
31. Elements of broadest CFAA Claim
1. Intentionally access computer;
2. Without authorization or exceeding authorized
access;
3. Obtained information from any protected
computer; and
4. Victim incurred a loss to one or more persons
during any 1-year period of at least $5,000.
32. Procedural Points
2 year limitations
Concurrent jurisdiction
No preemption
No Rule 9 heightened pleading
34. General Access Principles
Access by informational / data use
≠ technician
Must be knowing or intentional access
≠ accidental access
35. Two Types of Wrongful Access
“without authorization”
• Outsiders
• No rights
• Not defined
• Only requires intent to access, not harm
• Hacker!
“exceeds authorized”
• Insiders
• Some rights
• CFAA defines: access in a way not entitled
• Necessarily requires limits of authorization
• Employees, web users, etc.
36. First step should be “which is it”?
Instead, confusion of the two
Lawyers plead both
Courts don’t usually indicate which – or care –
go straight to the outcome
Case outcomes do not reflect Congressional
framework
37. “without authorization”
Clear when hacker
Question is whether “exceeds” morphs into
“without”
Insider authorized for some computers
Insider authorized for some locations
Insider authorized for intended use
United States v. Morris
Unauthorized system and intended use
38. When does authorization terminate?
As of April 10, 2012, there are (once again) three
general lines of cases: Trilogy of Access Theories
• Agency Theory
• Intended-Use Analysis
• Access Means Access
39. Agency Theory
Employee’s breach of duty of loyalty to his employer
terminated his right to access the computer based on
common law agency principles.
International Airport Centers, LLC v. Citrin (7th Cir. 2006)
• Seventh Circuit
• Earlier case
40. Intended-Use Analysis
Authorization continues until terminated by the grantor but
exceeding prior contractual access and use limitations exceeds
authorized access.
United States v. Teague (8th Cir. 2011); United States v. Tolliver (3rd Cir.
2011); United States v. Rodriguez (11th Cir. 2010); United States v. John (5th
Cir. 2010), EF Cultural Travel BV v. Explorica, Inc. (1st Cir. 2001), United
States v. Morris (2nd Cir. 1991)
• Majority view (overly simplified)
• Prior notice of limits is vital
• Emphasizes need for contractual limits
41. Access Means Access
Once authorization to access is granted, the authorization
continues until expressly terminated by the grantor, regardless
of how it is used.
United States v. Nosal (9th Cir. 2012); LVRC Holdings LLC v. Brekka (9th Cir.
2009)
• Ninth Circuit + trending with district courts
• April 28, 2011 moved away in Nosal I
• April 10, 2012 moved back in Nosal II
42. Ways to establish limits for Intended-Use
Contractual
• Policies: computer use, employment & manuals
• Website Terms of Service
Technological
• Login and access restrictions
• System warnings
Training and other evidence of notification
Notices of intent to use CFAA
43. Contractual limits should
Clearly notify of limits
Limit authorization to access information
Limit use of information accessed
Terminate access rights upon violation
Indicate intent to enforce by CFAA
Goal: limit or terminate authorization
44. The following examples are situations that may
constitute a wrongful access under the CFAA
I say “may” because …
• We’re talking about law!
• Evolving jurisprudence
• Access limits are huge factor
• Facts can vary greatly
45. Employment Situations
Most common scenario is employment
• Employee accesses and takes customer account information
• Employee accesses and takes or emails confidential information
to competitor
• Employee improperly deletes data and email
• Employee deletes browser history
• Employee accessing their Facebook, Gmail, Chase accounts at
work
46. Family Law Situations
Have you ever logged into your significant other’s email or Facebook
to see what they’re saying to others?
DON’T ANSWER THAT!
• Estranged spouse in Arkansas did after separation
• NTTA account?
• Bank account?
• Cancelling services via online accounts?
47. Sharing Website Logins
Have you ever borrowed or shared website login credentials and
passwords?
DON’T ANSWER THAT!
• Recent case held that permitting others to use login credentials
for paid website was viable CFAA claim
• The key factor here was the conduct was prohibited by the
website’s agreed to Terms of Service
48. Misuse of Websites
Ever created a fake profile or used a website for
something other than its intended purpose?
DON’T ANSWER THAT!
• Myspace Mom case
• Fake login to disrupt legitimate website sales
• Accessing website to gain competitive information when
prohibited by TOS
• Creating fake Facebook to research opposing parties
49. Hacking & Private Information
Hacking was original purpose for CFAA
• Hacking and obtaining private information
• Tracking individuals through geo-tagging
• Website collection of private information
• All fit within the prohibitions of the CFAA
• Loss is the problem, from a civil standpoint
50. Employee Social Media Passwords
How about asking an employee or prospective employee for the
login and password to their Facebook account?
• Is this unauthorized access?
• Coerced?
• Facebook’s terms of service prohibit sharing of password with
anyone else, or anything else that may jeopardize the security
of the account
• The CFAA prohibits aiding and abetting!
• In the 5th, 1st, 2nd, 3rd, 8th, and 11th Circuits this could be a
problem
51. What about …
• Hacking a car?
• Hacking a person?
• What else?
53. Three Main Cases
• United States v. John (5th Cir. 2010)
• United States v. Rodriguez (11th Cir. 2010)
• United States v. Nosal (9th Cir. 2012)
And Two Minor Ones
• United States v. Tolliver (3rd Cir. 2011)
• United States v. Teague (8th Cir. 2011)
54. United States v. John (5th Cir. 2010)
• Intended-Use Analysis / “exceeding authorized access” case
• Citigroup had policies that clearly prohibited the unlawful use of
information obtained from computer system
• Employee used her access to customer accounts to obtain
information to give to others to commit fraud
• Rule: access to a computer may be exceeded if the purposes for
which access has been given are exceeded and the employee is
actually aware of those limitations on purpose through policies
or contractual agreements.
• Rodriguez: similar but obtained info to be a creeper to women
55. Recent Intended-Use Cases
United States v. Tolliver (3rd Cir. 2011)
• Exceeded authorized access case
• Bank employee looking up customer account information to
aid and abet a fraud scheme – the bank’s policies prohibited
looking up info without a business purpose
United States v. Teague (8th Cir. 2011)
• Exceeding authorized access case
• Employee of contractor for Dept. of Education with
privileged access to National Student Loan Data System
used that access to look up Barack Obama’s records
56. United States v. Nosal (9th Cir. 2012)
• Access Means Access / “exceeding authorized access” case
• Company had a policy that restricted use and disclosure of
information to legitimate company business
• Former employee encouraged others still there to steal trade
secret info for them to use in starting competing business
(charged with aiding and abetting)
• Rule: “‘exceeds authorized access’ in the CFAA is limited to
violations of restrictions on access to information, and not
restrictions on its use.”
57. United States v. Nosal (9th Cir. 2012)
• Why? Nosal had clear unequivocal notice that what he was
doing was wrong and prohibited by the policies and he was not
entitled to obtain that information for that purpose
• Court found the language “to access a computer with
authorization and to use such access to obtain or alter
information in the computer that the accesser is not entitled so
to obtain or alter” to be ambiguous
• Reverted to Rule of Lenity
• Looked to all the fears of hypothetical potential crimes
58. John v. Nosal Split – What Can We Do?
• John will prohibit misuse of information accessed or obtained
• Nosal will only prohibit an unauthorized access
• Conditional Authorization?
• In addition to having “John Policies” that prohibit misuse of
the information obtained,
• Provision that makes authorization to access the computer
conditional on that access being for proper purposes and
not for improper purposes, and retroactively revoking that
authorization if for an improper purpose
• Supreme Court?
59. Pulte Homes, Inc. v. Laborers’ International Union of North
America (6th Cir. 2011)
• An “intentional transmission” case – not unauthorized access
• After Pulte fired a union employee the union orchestrated a
barrage of emails, telephone calls, and faxes that were so
voluminous that it shut down Pulte’s computer system and
telephones, interfering with its business
• Violated § 1030(a)(5)(A): “knowingly cause the transmission of a
program, information, code, or command, and as a result of
such conduct, intentionally cause damage without
authorization, to a protected computer.”
• Think about the implications: emails, calls, faxes?
61. Hacking, Data Breach & Privacy
• Hacking = biggest news event of 2011
• 46 States Breach Notification Laws
• Administration & Congress want to act
• Employers asking for social media logins
• Vehicle of choice is to amend the CFAA – but has lost
a lot of steam since 2011
62. Unauthorized Access Amendment
• Proposed Amendment in Senate last Fall
• Resolve disagreements about Unauthorized Access
• Felony-level unauthorized access can’t be solely
premised on violation of a contractual obligation or
agreement
• This proposal would narrow the CFAA
63. Why? Remember what Jobs said
CFAA is very broad and covers all kinds of
computer misuse (sometimes)
CFAA is complex with lots of pitfalls
Proposed Amendments to broaden and tighten
the CFAA
Courts’ interpretation of the CFAA is changing all
the time – you must stay updated!
Good afternoon, thank you all very much for having me here to speak today. My name is Shawn Tuma and I am an attorney at BrittonTuma in Plano – excited to announce in a few weeks we will be moving in to the Shops at Legacy so anyone who needs to come have an excuse for happy hour on a patio – I mean a meeting with some attorneys – please let us know! I have a peculiar interest in the Computer Fraud and Abuse Act and have been watching as it has developed over the last several years and then, within the last 6 mos. or so has become one of the most relevant laws anywhere.
Who knows what movie this was from? Anyone remember? Early 80s – 1983
Movie War Games!
The first stab at the CFAA was this. Began to fear that with advancing technology the wire and mail fraud laws wouldn’t be sufficient.
Then we get the CFAA
Why? Because this is the primary law that is used to pursue those who misuse a computer to commit crimes, defraud, etc. Computers are everywhere and are involved in virtually everything!
CFAA’s definition of computer: Remember the “But”!!!
Protected Computer – more narrow. Limits – some, for now. Think of homes where everything is automated via connection to the internet.
TI-99 was my first computer in early 80s. Daughter Clara (who started kindergarten today) has a Leapster!
To put it into perspective, compare the fastest desktop of the 80s with: Clara’s Leapster, Cray Supercomputer, iPhone 4! Now you see why what seems silly to us today clearly falls within the technical criteria for what the drafters initially considered to be a computer.
Now that we know what it applies to, let’s talk about what the CFAA prohibits.
This is an overly broad generalization but, generally speaking, the CFAA prohibits wrongfully accessing a computer where the person
Not too long ago I was talking with someone about a case they had involving criminal indictment for the CFAA. I offered help but was rebuffed – told: “I’ve read the statute, I’ve got it.” Ok – best of luck to you (and your clients!)!
What would your advice, as a lawyer, be in this situation?
Why? (Remember what Steve Jobs said last December – everything has a computer in it nowadays!) The CFAA is what is most commonly used to deal with misuse of computers.
Presentation slides – available at www.brittontuma.com. This was taken from an article coming out in Fall 2011 in the University of South Carolina Law Review – the article will also be available once it is published.