The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030 et seq., projects the common law tort of real property trespass into the virtual realm of computers.

The CFAA has been successfully invoked for creation of fake user accounts on social network sites, email spam, email phishing, robotic data mining, and unauthorized hard-drive wiping.  In effect, the CFAA prohibits the following:

  1. Unauthorized access or exceeding access of a government computer, financial institution computer, or computer designated as containing restricted data for national defense or foreign relations.  § 1030(a)(1)-(a)(3).
  2. Unauthorized access or exceeding access of a protected computer with intent to defraud unless the damage or loss is less than $5000 in a one year period.  § 1030(a)(4).
  3. Intentionally causing damage to a protected computer by way of transmission of unauthorized harmful code (virus).  § 1030(a)(5)(A).
  4. Intentional access of a protected computer resulting in damage and loss, either intentionally or recklessly.  § 1030(a)(5)(B)-(C). 
  5. Trafficking of passwords.  § 1030(a)(6).
  6. Extortion by way of threats to damage a protected computer or to impair the confidentiality of information on a protected computer.  § 1030(a)(7).
  7. Conspiracy to violate any of the above.  § 1030(b).

Civil action generally requires a showing of damages and loss of at least $5000 within a one-year period.  But loss includes the cost of responding to the offense, which includes assessing the damage, restoring any lost data, or any consequential damages because of an interruption of service.  18 U.S.C. § 1030(e)(11).  This is a relatively easy burden to meet, and often investigation of the event itself will meet the cost minimum.  See Motorola, Inc. v. Lemko Corp., 509 F. Supp. 2d 760, 768 (N.D. Ill. 2009) (acknowledging “damage and security assessments” as valid loss claims).

Though the Act provides for both civil and criminal penalties, courts have most frequently applied the CFAA in the civil arena.  This is because the terms “unauthorized access” or “exceeding authorized access” are often self-defined by way of website terms of service.  In the well-known cyber-bullying case of United States v. Lori Drew, 259 F.R.D. 449, 467 (C.D. Cal 2009), the court refused to invoke CFAA criminal penalties against a mother who created a fake Myspace profile for the purpose of bullying a teenage friend of her daughter.

When the teenage friend committed suicide, the US Attorney brought criminal charges under the CFAA.  In declining the criminal application, the court warned that reliance on a website’s terms of service to find criminal behavior would transform the CFAA into a “standardless sweep” mechanism that would allow any federal agency “to pursue their personal predilections.”  Id. at 463.  To learn more about the events that led to the CFAA, see Cliff Stoll’s best seller, The Cuckoo’s Egg (1990).

Seth Jaffe (sjaffe@fulbright.com / +1 713 651 5370) is an associate in Fulbright’sIntellectual Property Practice Group.