Computer Fraud and Abuse Act

Since 1994, the federal Computer Fraud and Abuse Act (CFAA) has provided civil remedies to complement the original criminal sanctions for the theft and destruction of computer data, fraudulent use of passwords, and various means of committing fraud by unauthorized access to computers. For a typical claim under the CFAA brought against a defendant who violates the statute in an attempt to gain a competitive advantage over the plaintiff, there must be a financial loss of at least $5,000 in order to maintain a civil cause of action.

The ability to obtain injunctive relief under the CFAA is at least as valuable to an injured party as the recovery of damages. To win an injunction, however, the plaintiff must be in a position to prove not just the unauthorized intrusion into the plaintiff’s computers, but also specifics as to what information was taken by the defendant and how it was used to harm the plaintiff.

In a recent case, a former officer and an employee of a party supply store were alleged to have gathered information from their former employer’s computer without authorization, so as to get a leg up on the plaintiff in their new, competing business. The elements for the claim were in place, except for the critical proof as to what data records of the plaintiff’s were accessed and whether such records had been downloaded, copied, or printed by the defendants. The plaintiff business was denied an injunction in federal court because of this gap in its proof.

The case of the competing party-supply businesses offers object lessons for how businesses can best put themselves in a position to take full advantage of the Act if they have been victimized. One advisable technical step is to include an auditing function in a computer system that automatically records what documents have been accessed and what happens to the documents when they are accessed. The resulting “audit trail” can be a valuable piece of evidence in an action under the CFAA. When employees are allowed to work at home on their computers, employers should have policies allowing them to inspect those computers when the employment ends and to retrieve any of their data.

Although technical measures and policies on computer technology are important, simple use of imagination can also produce relevant noncomputer evidence for a CFAA claim. The court in the unsuccessful action by the party-supply store observed that the plaintiff could have presented evidence that the defendants had taken particular actions to the competitive disadvantage of the plaintiff very soon after their unauthorized access to the plaintiff’s computers. This would have allowed an inference that secrets had been taken from, and then used against, the plaintiff.