Seth Rosenblatt writes on The Parallax:
“In June 1983, President Ronald Reagan attended a screening at Camp David of WarGames, a movie in which a hacker inadvertently almost starts World War III. Intrigued, the movie star-turned-politician asked Gen. John W. Vessey Jr., chairman of the Joint Chiefs of Staff, if the WarGames scenario could become a reality.
A week later, Vessey returned with an answer: Yes, he said, according to new research published in Dark Territory: The Secret History of Cyber War, a book by Fred Kaplan.
Later that year, six antihacking bills began working their way through Congress, as the Reagan administration demanded legislation to address computer security risks suggested in WarGames. By 1986, the president signed into law the regulations he wanted as the Computer Fraud and Abuse Act, an amendment to the existing computer fraud law, the Comprehensive Crime Control Act of 1984.
The CFAA was revolutionary in that it criminalized, for the first time, most forms of computer hacking in the United States, regardless of hackers’ intentions or results. Penalties for computer hacking reached the point at which people convicted on charges of illegal hacking could be locked up with sentences far worse than those of people convicted on charges of aggravated physical assault.” Read more…
Image above © Pinguino Kolb/The Parallax 2016
In December of 2015, the Second Circuit joined the dispute over whether an employee can be sued under the Computer Fraud and Abuse Act (CFAA) when they use their employer’s computer system in a way that is outside the scope of employment. With the Second Circuit weighing in, seven of the twelve Federal Courts of Appeals have taken up a position in the fight, with four courts on one side of the split and three in opposition. And while the Second Circuit’s interpretation of the disputed part of the CFAA appears sound, the disturbing facts surrounding the case may cause further polarization.
What’s the problem?
The CFAA can be used to prosecute anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U.S. Code § 1030(a)(2). Under this provision of the statute, several employers have sued their former employees for misappropriating certain information for personal benefit, such as trade secrets or customer contacts. Even though the employee may have had authorized access at the time when they extracted the information, employers argue that authorized access is exceeded when the use of that information falls outside the scope of employment. In other words, the employee may have authorized access for work purposes, but they exceed that authorization when they abuse that access.
Using the CFAA to prosecute former employees in this way makes sense when an employee is surreptitiously collecting confidential information from their current employer with the intent of quitting that job to go work for a competitor. This sort of misappropriation may result in substantial profit loss for the former employer.
However, the same liberal interpretation of the CFAA would also potentially criminalize employees who casually misuse a company computer for personal reasons that are outside the scope of their employment, such as to check their personal email, use social media platforms, or even pay their bills online. The contention among the Circuit courts is whether to employ a broad or narrow interpretation of “exceeding authorized access.”
The following is a synopsis of Undercutting Employee Mobility: The Computer Fraud and Abuse Act in the Trade Secret Context by Glenn Schieck.
When “rogue employees” misappropriate trade secrets via computer before leaving to work for a competitor, the victim company currently has the option to pursue civil actions against the employee under either the state’s trade secret statute or the CFAA. Glenn Schieck’s article argues that this “reliance on the CFAA threatens to undercut policy considerations of trade secret law.”
The problem is that the CFAA does not accommodate competitive markets where employees move freely between companies with an accepted risk of some knowledge being compromised, whereas trade secret law does. This article proposes that the CFAA should be amended “to adopt some limited substantive elements of trade secret law” to avoid companies potentially abusing the statute to circumvent trade secret law when it does not accommodate their means.
Schieck explains how the CFAA came to be used in lieu of trade secret litigation after it was drastically amended in 1996 to include all “protected computer[s],” whereas the CFAA was previously limited to protecting computers of “federal interest.” With this amendment, companies found it easier to bring a claim under the CFAA rather than state trade secret law because the latter requires the plaintiff to show that a trade secret exists, that there were reasonable efforts to keep that information ‘secret,’ and that there was wrongful appropriation of the information. In contrast, the CFAA only requires that the plaintiff show wrongful appropriation. In addition to lowering the bar for pleading requirements, the CFAA provides federal jurisdiction, which, unlike state trade secret law, allows for certain elements of relief that state-level jurisdiction may not provide. The CFAA also may allow some plaintiffs to enforce non-compete clauses in states where they would otherwise be unenforceable. Finally, supplemental jurisdiction enables a plaintiff to bring both CFAA and trade secret claims in tandem, occasionally resulting in double recovery for damages.
Schieck’s article proposes legislative amendments to the CFAA to narrow certain interpretations of the statute to avoid the aforementioned contentions with trade secret law. The main issue raised is the CFAA’s broad use of the word “authorization,” which creates liability when an individual’s use of a computer system is either “without authorization or exceeds authorized access.” For now, liability is created when an authorized user of a computer system breaches a written computer use policy, such as an agency agreement between an employer and employee. Schieck supports proposed reform to the CFAA to include an additional barrier to define a breach, such as a physical barrier or possibly a confidentiality/non-compete agreement. He further suggests the addition of a “reasonable efforts” provision that would prevent frivolous claims from being brought over the appropriation of information that is not confidential. With these proposed amendments, Schieck believes that the CFAA could be better managed to avoid subverting the policy goals of trade secret law.
Glenn Schieck is a 2014 JD graduate of Brooklyn Law School and is currently an Associate at Harter Secrest & Emery LLP in Rochester, New York.
From the Electronic Frontier Foundation:
“After the tragic death of programmer and Internet activist Aaron Swartz, EFF calls to reform the infamously problematic Computer Fraud and Abuse Act (CFAA). In June 2013, Aaron’s Law, a bipartisan bill to make common sense changes to the CFAA was introduced by Reps. Lofgren and Sensenbrenner. You can help right now by emailing your Senator and Representative to reform the draconian computer crime law.
The CFAA is the federal anti-hacking law. Among other things, this law makes it illegal to intentionally access a computer without authorization or in excess of authorization; however, the law does not explain what “without authorization” actually means. The statute does attempt to define “exceeds authorized access,” but the meaning of that phrase has been subject to considerable dispute. While the CFAA is primarily a criminal law intended to reduce the instances of malicious hacking, a 1994 amendment to the bill allows for civil actions to be brought under the statute.” Read more…
This awesome interactive timeline detailing amendments to the CFAA was created by students at Stanford Law. Thanks to Andrea Matwyshyn for sharing it.