The Computer Fraud and Abuse Act—A Survey of Recent Cases

Author(s): Molly Eichten

Source: The Business Lawyer , November 2010, Vol. 66, No. 1 (November 2010), pp. 231-
236
Published by: American Bar Association

Stable URL: https://www.jstor.org/stable/25758538

JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide
range of content in a trusted digital archive. We use information technology and tools to increase productivity and
facilitate new forms of scholarship. For more information about JSTOR, please contact support@jstor.org.

Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at
https://about.jstor.org/terms

American Bar Association is collaborating with JSTOR to digitize, preserve and extend access to
The Business Lawyer

This content downloaded from

41.60.96.25 on Thu, 10 Nov 2022 14:33:54 UTC
All use subject to https://about.jstor.org/terms
The Computer Fraud and Abuse Act?A Survey
of Recent Cases

By Molly Eichten*

I. Introduction
The criminal statutory provisions commonly referred to as the Computer Fraud
and Abuse Act ("CFAA") were first enacted in 19841 as a means to prosecute com
puter crimes related to hacking.2 However, the scope of prohibited actions in the
CFAA extends well beyond traditional hacking. More generally, the CFAA crimi
nalizes conduct that involves accessing computers without authorization or in ex
cess of authorization, and the subsequent use of such access to obtain information
that causes loss or damage or defrauds another or the government.3 The CFAA
also provides a private cause of action for persons who suffer damage or loss as a
result of such computer access, and it provides for damages and equitable relief.4
This survey focuses on the most litigated provisions of the CFAA in cases de
cided between June 1, 2009, and June 1, 2010.

II. Authorization
Many of the cases decided under the CFAA in the last year involved civil causes
of action between employers and their erstwhile employees. The fact patterns un
derlying these civil claims are often quite similar: an employee obtains confiden
tial information from the employer's computer system while employed, and then
uses the information to the employer's detriment.5 Upon discovery, the employer

* Molly Eichten is an attorney with Larkin Hoffman Daly & Lindgren Ltd. in Minneapolis, Min
nesota, practicing in the areas of intellectual property law and commercial transactions.
1. The popular name "Computer Fraud and Abuse Act" was created in a 1986 amendment to 18
U.S.C. ? 1030. See Pub. L. No. 99-474, 100 Stat. 1213, 1213 (1986). Section 1030 was initially cre
ated by the Comprehensive Crime Control Act of 1984. See Pub. L. No. 98-473, 98 Stat. 1976, 2190
(1984). Section 1030 as a whole is commonly referred to as the Computer Fraud and Abuse Act. See
Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561, 1561
n.2 (2010). Therefore, this survey refers to 18 U.S.C. ? 1030 as the Consumer Fraud and Abuse Act
("CFAA").
2. See LVRC Holdings LLC v. Brekka, 581 F3d 1127, 1130-31 (9th Cir. 2009) (citing H.R. Rep. No.
98-894 (1984), reprintedin 1984U.S.C.C.A.N. 3689, 3694).
3. 18 U.S.C. ? 1030(a)(l)-(7) (2006).
4. Id. ? 1030(g).
5. See, e.g., Bell Aerospace Servs., Inc. v. U.S. Aero Servs., Inc., 690 E Supp. 2d 1267, 1271 (M.D.
Ala. 2010); Vurv Tech. LLC v. Kenexa Corp., No. l:08-cv-3442-WSD, 2009 WL 2171042, at *2 (N.D,
Ga. July 20, 2009).

231

This content downloaded from

41.60.96.25 on Thu, 10 Nov 2022 14:33:54 UTC
All use subject to https://about.jstor.org/terms
232 The Business Lawyer; Vol. 66, November 2010

asserts a cause of action under the CFAA (and often other claims) against the
former employee, alleging that the employee intentionally accessed a computer
without authorization or in excess of authorized access and obtained and used
information accessed from the computer.6
However, courts have struggled with the element of "authorization," which has
led to a circuit split. The CFAA defines "exceeds authorized access" to mean "to
access a computer with authorization and to use such access to obtain or alter in
formation in the computer that the accesser is not entitled so to obtain or alter."7
However, the CFAA does not define "without authorization," and courts differ
on the meaning and scope of "without authorization," as well as whether use (or
misuse) of information even implicates the CFAA.8 Two federal circuits weighed
in on these controversial issues last year.
In February 2010, in United States v. John, a criminal case, the U.S. Court of Ap
peals for the Fifth Circuit resolved an issue related to the statutory interpretation
of "exceeds authorized access."9 The court examined whether information ob
tained by permitted access to a computer system, but used beyond limits placed
on the use of such information, falls within the definition of "exceeds authorized
access" under the CFAA.10 In this case, an employee of a financial institution had
access to customer account information and passed it along to others, who then
incurred fraudulent charges on those customers' accounts.11 The employee was
convicted because she exceeded her "authorized access" to a computer system and
obtained information from a financial record of a financial institution.12 The court
held that "the concept of 'exceeds authorized access' may include exceeding the
purposes for which access is 'authorized.'"13 Affirming the conviction,14 the court
held that the employees access to her computer was limited and that she exceeded
her authorization when she accessed information for use in a fraudulent scheme,
which she knew or should have known was unauthorized.15
In LVRC Holdings LLC v. Brekka, an employee e-mailed confidential documents
to his home computer while he was still employed, intending to use the informa
tion to compete with the employer after termination.16 The employer brought a
CFAA action against the employee, asserting that the employee exceeded his "au
thorized access" or was "without authorization" at the moment he decided to use
the computer contrary to the employer's interest.17 The U.S. Court of Appeals for

6. See, e.g., Consulting Prof 1 Res., Inc. v. Concise Techs. LLC, No. 09-1201, 2010 WL 1337723,
at *2 (WD. Pa. Mar. 9, 2010) (magistrate judges report and recommendation, which was adopted as
the opinion of the court).
7. 18 U.S.C. ? 1030(e)(6) (2006).
8. See Vurv Tech., 2009 WL 2171042, at *6 (describing split).
9. 597 E3d 263, 273 (5th Cir. 2010).
10. Id. at 271.
11. Id. at 269.
12. Id. at 269-70 (discussing violations of 18 U.S.C. ? 1030(a)(2)(A), (Q).
13. Id. at 272.
14. Id. at 289.
15. Id. at 272-73.
. 16. LVRC Holdings LLC v. Brekka, 581 E3d 1127, 1129-30 (9th Cir. 2009).
17. Id. at 1131.

This content downloaded from

41.60.96.25 on Thu, 10 Nov 2022 14:33:54 UTC
All use subject to https://about.jstor.org/terms
 The Computer Fraud and Abuse Act?A Survey of Recent Cases 233

the Ninth Circuit rejected that argument,18 and held that "without authorization"
means "without permission,"19 reasoning that to expand the meaning of "without
authorization" beyond that would give no effect to "exceeds authorized access" in
the CFAA.20 Applying its new rule, the court held that the employee had autho
rization (i.e., permission) to access the computer because his job required him to
use the computer.21 The court noted that had the employee accessed the computer
after he was terminated from employment, he would have undoubtedly accessed
a computer "without authorization."22
This decision is in direct contrast to International Airport Centers, LLC. v. Citrin,
a decision by the U.S. Court of Appeals for the Seventh Circuit in 2006.23 In that
case, the Seventh Circuit held that an employee's authorization to access an em
ployer's computers ended at the time the employee breached his duty of loyalty to
the employer.24 The court found that such a breach occurred when the employee
decided to erase from his laptop all company data and other incriminating infor
mation showing that he started a competing business in violation of his employ
ment agreement.25 Using agency principles, the court held that the employee's
breach of his duty of loyalty terminated his authorization to access the laptop.26
There is a similar split among district courts.27 Courts in Alabama, Florida,
Georgia, and Tennessee are in agreement with the Ninth Circuit, holding that
"without authorization" means that initial access to the computer was not permit
ted.28 Those same courts in Alabama and Tennessee, along with courts in Pennsyl
vania and Texas, addressed the issue of information misuse, holding that "without
authorization" or "exceeds authorized access" does not extend to circumstances
involving improper use of information that one was authorized to access.29 All

18. Id. at 1133.

19. Id. at 1135.
20. Id. at 1133.
21. Id. at 1135.
22. Id. at 1136.
23. 440 F.3d 418 (7th Cir. 2006).
24. Id. at 420.
25. Id.
26. Id. at 420-21.
27. Compare, e.g., Condux Int'l, Inc. v. Haugum, No. 08-4824 ADM/JSM, 2008 WL 5244818, at *6
(D. Minn. Dec. 15, 2008) (holding that claims of misappropriation, as opposed to access, do not fall
under the CFAA), with, e.g., Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F Supp. 2d
1121,1124-25 (WD. Wash. 2000) (holding that the plaintiff properly alleged a claim under the CFAA
even though the employees of the defendant had access to the information in question).
28. ReMedPar, Inc. v. AllParts Med., LLC, 683 F. Supp. 2d 605, 613 (M.D. Tenn. 2010) (citing
Black & Decker (US), Inc. v. Smith, 568 F Supp. 2d 929, 935-36 (WD. Tenn. 2008)); Bell Aerospace
Servs., Inc. v. U.S. Aero Servs., Inc., 690 F Supp. 2d 1267,1272 (M.D. Ala. 2010); Mortgage Now, Inc. v.
Stone, No. 3:09cv80/MCR/MD, 2009 WL 4262877, at *9 (N.D. Fla. Nov. 24, 2009); Vurv Tech. LLC v.
Kenexa Corp., No. l:08-cv-3442-WSD, 2009 WL 2171042, at *7 (N.D. Ga. July 20, 2009).
29. ReMedPar, 683 F. Supp. 2d at 613 (citing Black & Decker, 568 F Supp. 2d at 936); Bell Aerospace
Servs., 690 F Supp. 2d at 1272 ('"Exceeds authorized access' should not be confused with exceeds au
thorized use."); Consulting Prof'l Res., Inc. v. Concise Techs. LLC, No. 09-1201, 2010 WL 1337723,
at *2 (WD. Pa. Mar. 9, 2010) (magistrate judge's report and recommendation, which was adopted as
the opinion of the court); Joe N. Pratt Ins. v. Doane, No. V-07-07, 2009 WL 3157337, at *4 (S.D. Tex.
Sept. 25, 2009) ("The mere misuse of information to which a defendant had authorized access is not
enough.").

This content downloaded from

41.60.96.25 on Thu, 10 Nov 2022 14:33:54 UTC
All use subject to https://about.jstor.org/terms
234 The Business Lawyer; Vol. 66, November 2010

of these courts either dismissed the CFAA claims or granted summary judgment
to the defendants, as applicable, because the defendants in each case clearly had
permission to access the obtained information.30
However, two district courts appear to have aligned themselves with the Sev
enth Circuit in holding that improper use of information was sufficient to allege
"without authorization" or "exceeding authorized access."31 Each court denied
the employee-defendant's motion to dismiss the employer-plaintiff's CFAA claim,
holding that the employers sufficiently alleged that the employees acted "with
out authorization" or exceeded their "authorized access" when the employees ob
tained information that they were authorized to access but later misused.32

III. Loss and Damage

Section 1030(g) of the CFAA provides a civil remedy for any person who suffers
"damage or loss by reason of a violation" of the CFAA.33 The CFAA defines the
term "loss" to mean "any reasonable cost to any victim, including the cost of re
sponding to an offense, conducting a damage assessment, and restoring the data,
program, system, or information to its condition prior to the offense, and any
revenue lost, cost incurred, or other consequential damages incurred because of
interruption of service."34 The CFAA cases in this survey show that district courts
have strictly interpreted the meaning of "loss," refusing to expand the definition
beyond the plain language of the statute. For example, some courts held that eco
nomic costs and lost revenue unrelated to computer systems did not fall within
the CFAA's definition because such losses were not incurred due to an "interrup
tion of service."35 Others held that the cost of examining a defendant's improper

30. See ReMedPar, 683 F Supp. 2d at 616 (dismissing claim because it was clear the defendant
was authorized to access the plaintiffs computers); Bell Aerospace Servs., 690 E Supp. 2d at 1272-73
(granting summary judgment to former employees because employees each had valid permission to
access the company's computers); Consulting Proj'l Res., 2010 WL 1337723, at *8 (dismissing claim
because employee had permission to access confidential information on the employer's computers);
Mortgage Now, 2009 WL 4262877, at *9-10 (dismissing claim because employer admitted employees
had access to trade secret information while employed); Joe N. Pratt Ins., 2009 WL 3157337, at *4
(granting summary judgment to the defendant because it was undisputed that the defendant had ac
cess to information at issue); Vurv Tech., 2009 WL 2171042, at *7 (dismissing claim covering period
of employment because employee had access to employer's computers and information).
31. Guest-Tek Interactive Entm't, Inc. v. Pullen, 665 E Supp. 2d 42, 45-46 (D. Mass. 2009);
Lasco Foods, Inc. v. Hall & Shaw Sales, Mktg. & Consulting, LLC, No. 4:08CV01683 JCH, 2009 WL
3523986, at *4 (E.D. Mo. Oct. 26, 2009).
32. Guest-Tek, 665 F. Supp. 2d at 45-46; Lasco, 2009 WL 3523986, at *4.
33. 18 U.S.C. ? 1030(g) (2006).
34. Id. ? 1030(e)(ll).
35. See ReMedPar, 683 F Supp. 2d at 614 (holding that lost revenue from misappropriation of
plaintiff's trade secrets was not actionable because it was not incurred due to an "interruption of ser
vice"); Doyle v. Taylor, No. CV-09-158-RHW, 2010 WL 2163521, at *3 (E.D. Wash. May 24, 2010)
(holding that the cost of examining other parties' computers was not a cost incurred because of an "in
terruption of service"); TelQuest Int'l Corp. v. Dedicated Bus. Sys., Inc., No. 06-5359 (PGS), 2009 WL
3234226, at *1 (D.N.J. Sept. 30, 2009) (holding that lost revenue resulting from defendant's unfair
business competition was not lost revenue because of an "interruption of service"); ES & H, Inc. v. Al
lied Safety Consultants, Inc., No. 3:08-cv-323, 2009 WL 2996340, at *4 (E.D. Tenn. Sept. 16, 2009)

This content downloaded from

41.60.96.25 on Thu, 10 Nov 2022 14:33:54 UTC
All use subject to https://about.jstor.org/terms
 The Computer Fraud and Abuse Act?A Survey of Recent Cases 235

actions and examining other parties' computers were not losses that related to the
investigation or repair of a computer system.36
Additionally, the term "damage" under the CFAA means "any impairment to the
integrity or availability of data, a program, a system, or information."37 In the last
year, courts treated the definition of "damage" similar to that of "loss," refusing
to expand the definition beyond the plain language of the statute. For example,
courts held that merely copying information from a computer system or utilizing
a computer's resources does not fall within the CFAA's definition of "damage."38

IV. Constitutional Challenges

Last year's criminal cases brought two constitutional challenges to the CFAA
under the void-for-vagueness doctrine. In United States v. Drew39 the defendant
used a fictitious account on the social networking site MySpace to befriend and
subsequently reject a thirteen-year-old girl who later committed suicide.40 The
defendant was convicted of misdemeanor violations of the CFAA.41 The court
found that the defendant's creation and use of a fictitious MySpace account to
impersonate another and commit a tort was in direct violation of the MySpace
terms of service.42 The court held that an intentional breach of the MySpace
terms of service constituted access to the MySpace computers "without autho
rization" or in excess of the defendant's authorization to MySpace under the
CFAA because a website's terms of service define the scope of authorized access
to the website.43 However, the court concluded that prosecution and convic
tion for a CFAA misdemeanor violation based upon the conscious violation of
a website's terms of service was void for vagueness.44 The court held that de
ficiencies in actual notice and an absence of minimal guidelines to govern law
enforcement meant that individuals were not reasonably on notice that a breach
of the terms of service could constitute a criminal violation of the CFAA.45 As

(holding that lost revenue from misappropriation of plaintiff's information was not lost revenue be
cause of an "interruption of service").
36. Mintel Int'l Group, Ltd. v. Neergheen, No. 08-cv-3939, 2010 WL 145786, at *10 (N.D. 111.
Jan. 12, 2010) (fees paid to expert who assessed the defendant's improper actions were not losses that
related to the investigation or repair of a computer system); TelQuest Int'l, 2009 WL 3234226, at *2
(costs of hiring computer expert to find evidence of disloyal conduct was not related to discovering or
remedying damage to a computer).
37. 18 U.S.C. ? 1030(e)(8) (2006).
38. See Volk v. Zeanah, No. 608CV094, 2010 WL 318261, at *3 (S.D. Ga. Jan. 25, 2010) ("[M]ere
copying of data does not create a cognizable claim for damage under the CFAA."); Mintel Int'l Group,
2010 WL 145786, at *10 (copying and e-mailing of employer's computer files did not impair the
integrity or availability of the employer's computer system); Czech v. Wall St. on Demand, Inc., 674 F.
Supp. 2d 1102, 1117-18 (D. Minn. 2009) (refusing to expand the definition of "damage" under the
CFAA to include any use or consumption of a device's finite resources).
39. 259 F.R.D. 449, 452 (CD. Cal. 2009).
40. Id.
41. Id. at 453.
42. Id. at 454.
43. Id. at 461-62.
44. Id. at 464.
45. Id. at 465-67.

This content downloaded from

41.60.96.25 on Thu, 10 Nov 2022 14:33:54 UTC
All use subject to https://about.jstor.org/terms
236 The Business Lawyer; Vol. 66, November 2010

a result, the court granted the defendant's motion for judgment of acquittal for
the misdemeanor.46
In United States v. Powers,*7 a void-for-vagueness challenge arose out of a crimi
nal indictment alleging that the defendant accessed a woman's e-mail account to
which he had previously been given the password.48 The defendant then forwarded
previously sent, partially nude photos of the woman to others.49 The defendant
challenged the indictment, asserting that the section prohibiting accessing a com
puter and obtaining information from the computer "without authorization" or
by "exceed [ing] authorized access" is unconstitutionally vague because it does not
provide reasonable notice of what conduct is prohibited.50 The court concluded
that the CFAA defines the statutory terms with sufficient particularity to provide
adequate notice of prohibited conduct under the statute,51 and held that the de
fendant exceeded his "authorized access" when he obtained compromising images
from past e-mail messages and sent those images to others.52

V. Conclusion
Regardless of the outcome of the hotly contested issues reported in this survey,
business lawyers should consider reexamining company policies that define ac
ceptable uses of business computer systems and company information, and, when
necessary, consider if reliance on the CFAA as a cause of action against rogue
employees is justified. Continued controversy over the parameters of the CFAA
can be expected to continue until there is more uniformity and consistency in its
interpretation and application.

46. Id. at 468.

47. No. 8:09CR361, 2010 WL 1418172 (D. Neb. Mar. 4, 2010).
48. Id. at *1.
49. Id.
50. Id. at *3.
51. Id. at*4.
52. Id.

This content downloaded from

41.60.96.25 on Thu, 10 Nov 2022 14:33:54 UTC
All use subject to https://about.jstor.org/terms