New Tools for Companies Against Cybercrime

In January, the Obama administration announced a series of proposals to strengthen the country's response to cyberattacks ' including, most notably, specific amendments to the federal computer crime statute, the Computer Fraud and Abuse Act (CFAA). These changes are not only significant to the cybercrime-fighting efforts of federal prosecutors, but also to private companies.

This is because the CFAA allows companies victimized by violations of the statute to bring civil actions against the perpetrators. 18 U.S.C. 1030(g). The CFAA, among other things, makes it a crime when an individual “accesses” a computer “without authorization or exceeds authorized access” to steal data. “Without authorization” typically relates to an outside hacker, whereas “exceeds authorized access” typically relates to a company insider, like any employee who has authority to access the company computer but exceeds that authorized access.

There is a split among the circuit courts of appeals over whether employees who access company computers to steal data exceed their authorized access. The Fourth Circuit (following the Ninth Circuit), for example, in WEC Carolina Energy Solutions v. Miller, No. 11-1201 (4th Cir. July 26, 2012, cert dismissed Jan. 2, 2013) narrowly interpreted “exceeds authorized access” not to apply to employees who are “authorized to access a computer when his employer approves or sanctions his admission to that computer.” In contrast, the Seventh Circuit, in International Airport Ctrs. v. Citrin, No. 06-2073 (7th Cir. July 25, 2006), applied the CFAA to an employee who accessed the company computer for the purpose of “further[ing] interests that are adverse to his employer,” i.e., stealing company data to take to a competitor. The Fifth and Eleventh circuits follow this interpretation.

The administration's proposal would settle this split in the circuits in favor of applying the CFAA to employees by redefining “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in such computer (A) that the accesser is not entitled to obtain or alter; or (B) for a purpose that the accesser knows is not authorized by the computer owner.”

Thus, the proposed law would cover employees who steal data from company computers and would incentivize employers to institute written policies and employee agreements delineating precisely the scope of permissible authorization to the company computers.

Valuing Damage

From the standpoint of private employers, another significant change would be the addition of a requirement that “the value of the information obtained [by an insider employee accessing the computer] exceeds $5,000.” This requirement would be in addition to the jurisdictional prerequisite for CFAA civil actions that require the plaintiff to allege and prove $5,000 in “loss,” a term defined by the statute to include costs of “responding to any offense” and “consequential damages incurred because of interruption of service.” The $5,000 minimum would not constrain criminal prosecutions directed at a computer “owned or operated by or on behalf of a government entity.” Thus, a case like United States v. Teague, 646 F.3d 1119 (8th Cir. 2011) in which the defendant was criminally prosecuted for viewing (not copying or taking) President Barack Obama's record in the National Student Loan Data System, would still be a viable prosecution.

The value of the stolen data would not be a critical factor for private companies under the proposed amendments if the violation “was committed in furtherance of any felony violation of the laws of the United States or of any state.” Thus, if an employee steals his employer's trade-secrets data in violation of the Economic Espionage Act, 18 U.S.C. 1831, there would be no burden on the employer to show that the value of the trade secrets exceeded $5,000. Because the Economic Espionage Act does not provide for a civil cause of action, this would be a significant expansion in federal law that would supplant the state trade-secrets laws.

Setting limits on insider data thefts to a minimum value of $5,000 and felony violations directly addresses the concerns expressed by the Ninth Circuit in United States v. Nosal, No. 10-10038, 2012 U.S. App. LEXIS 7151(9th Cir. Apr. 10, 2012), that the CFAA could be interpreted “to criminalize any unauthorized use of information obtained from a computer.” Also, the proposed changes in the law would address the additional concern of the Nosal court that the CFAA could “make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” Thus, the Obama proposal adds the requirement of willfulness to the statute, defining it to mean “intentionally to undertake an act that the person knows to be wrongful.”

With respect to trafficking in passwords, the proposed law would limit the crime to instances where the violator knew or had reason “to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section [the CFAA] as the result of such trafficking.” With an eye to changing technologies, the proposed statute also would expand on passwords to include “any other means of access” to a computer.

Finally, the proposed amendments would strengthen law enforcement by increasing penalties for CFAA violations, provide injunctive relief and forfeitures and make felony violations of the CFAA predicate acts for the Racketeer Influenced and Corrupt Organizations statute, 18 U.S.C. 1961. This proposed amendment to RICO is long overdue. RICO was enacted in 1970, years before the advent of the information age in which computers have become ubiquitous and the targets and instruments of criminals. Because RICO, like the CFAA, provides victims with a civil remedy, this proposed amendment would similarly enhance the ability of companies to fight cybercriminals.

Nick Akerman is a partner in the New York office of Dorsey & Whitney. His practice focuses on cases involving the Computer Fraud and Abuse Act, the Racketeer Influenced and Corrupt Organizations Act, federal trade secrets law and post employment restrictive covenants.

In January, the Obama administration announced a series of proposals to strengthen the country's response to cyberattacks ' including, most notably, specific amendments to the federal computer crime statute, the Computer Fraud and Abuse Act (CFAA). These changes are not only significant to the cybercrime-fighting efforts of federal prosecutors, but also to private companies.

This is because the CFAA allows companies victimized by violations of the statute to bring civil actions against the perpetrators. 18 U.S.C. 1030(g). The CFAA, among other things, makes it a crime when an individual “accesses” a computer “without authorization or exceeds authorized access” to steal data. “Without authorization” typically relates to an outside hacker, whereas “exceeds authorized access” typically relates to a company insider, like any employee who has authority to access the company computer but exceeds that authorized access.

There is a split among the circuit courts of appeals over whether employees who access company computers to steal data exceed their authorized access. The Fourth Circuit (following the Ninth Circuit), for example, in WEC Carolina Energy Solutions v. Miller, No. 11-1201 (4th Cir. July 26, 2012, cert dismissed Jan. 2, 2013) narrowly interpreted “exceeds authorized access” not to apply to employees who are “authorized to access a computer when his employer approves or sanctions his admission to that computer.” In contrast, the Seventh Circuit, in International Airport Ctrs. v. Citrin, No. 06-2073 (7th Cir. July 25, 2006), applied the CFAA to an employee who accessed the company computer for the purpose of “further[ing] interests that are adverse to his employer,” i.e., stealing company data to take to a competitor. The Fifth and Eleventh circuits follow this interpretation.

The administration's proposal would settle this split in the circuits in favor of applying the CFAA to employees by redefining “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in such computer (A) that the accesser is not entitled to obtain or alter; or (B) for a purpose that the accesser knows is not authorized by the computer owner.”

Thus, the proposed law would cover employees who steal data from company computers and would incentivize employers to institute written policies and employee agreements delineating precisely the scope of permissible authorization to the company computers.

Valuing Damage

From the standpoint of private employers, another significant change would be the addition of a requirement that “the value of the information obtained [by an insider employee accessing the computer] exceeds $5,000.” This requirement would be in addition to the jurisdictional prerequisite for CFAA civil actions that require the plaintiff to allege and prove $5,000 in “loss,” a term defined by the statute to include costs of “responding to any offense” and “consequential damages incurred because of interruption of service.” The $5,000 minimum would not constrain criminal prosecutions directed at a computer “owned or operated by or on behalf of a government entity.” Thus, a case like United States v. Teague, 646 F.3d 1119 (8th Cir. 2011) in which the defendant was criminally prosecuted for viewing (not copying or taking) President Barack Obama's record in the National Student Loan Data System, would still be a viable prosecution.

The value of the stolen data would not be a critical factor for private companies under the proposed amendments if the violation “was committed in furtherance of any felony violation of the laws of the United States or of any state.” Thus, if an employee steals his employer's trade-secrets data in violation of the Economic Espionage Act, 18 U.S.C. 1831, there would be no burden on the employer to show that the value of the trade secrets exceeded $5,000. Because the Economic Espionage Act does not provide for a civil cause of action, this would be a significant expansion in federal law that would supplant the state trade-secrets laws.

Setting limits on insider data thefts to a minimum value of $5,000 and felony violations directly addresses the concerns expressed by the Ninth Circuit in United States v. Nosal, No. 10-10038, 2012 U.S. App. LEXIS 7151(9th Cir. Apr. 10, 2012), that the CFAA could be interpreted “to criminalize any unauthorized use of information obtained from a computer.” Also, the proposed changes in the law would address the additional concern of the Nosal court that the CFAA could “make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” Thus, the Obama proposal adds the requirement of willfulness to the statute, defining it to mean “intentionally to undertake an act that the person knows to be wrongful.”

With respect to trafficking in passwords, the proposed law would limit the crime to instances where the violator knew or had reason “to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section [the CFAA] as the result of such trafficking.” With an eye to changing technologies, the proposed statute also would expand on passwords to include “any other means of access” to a computer.

Finally, the proposed amendments would strengthen law enforcement by increasing penalties for CFAA violations, provide injunctive relief and forfeitures and make felony violations of the CFAA predicate acts for the Racketeer Influenced and Corrupt Organizations statute, 18 U.S.C. 1961. This proposed amendment to RICO is long overdue. RICO was enacted in 1970, years before the advent of the information age in which computers have become ubiquitous and the targets and instruments of criminals. Because RICO, like the CFAA, provides victims with a civil remedy, this proposed amendment would similarly enhance the ability of companies to fight cybercriminals.

Nick Akerman is a partner in the New York office of Dorsey & Whitney. His practice focuses on cases involving the Computer Fraud and Abuse Act, the Racketeer Influenced and Corrupt Organizations Act, federal trade secrets law and post employment restrictive covenants.