New Tools for Companies Against Cybercrime

Obama administration proposal would reduce legal ambiguities  and allow civil RICO claims.

BY NICK AKERMAN

On January 2015, the Obama administration announced a series of proposals to strength­en the country’s response to cyberattacks­ including, most notably, specific amendments to the federal computer crime statute, the Computer Fraud and Abuse Act (CFAA).  These changes are not only significant to the cyber­ crime-fighting efforts of federal prosecutors, but also to private companies.  This is because the CFAA allows compa­nies victimized by violations of the statute  to bring  civil actions against the  perpetrators.  18 U.S.C. 1030(g).  The CFAA, among  other things, makes it a crime when an individual “accesses” a computer  “without  authorization or exceeds  authorized access” to steal  data.

“Without authorization”  typically relates to an outside hacker, whereas “exceeds authorized access” typically  relates to a company  insid­er, like any  employee who has authority to access the company computer but exceeds that authorized access.  There is a split among the circuit courts of appeals over whether employees who access company computers to steal data exceed their authorized access.  The Fourth  Circuit (fol­lowing the  Ninth  Circuit), for  example, in WEC Carolina  Energy  Solutions  v. Miller, nar­rowly interpreted “exceeds authorized  access” not  to apply to employees who are “authorized to access a computer  when his employer approves or sanctions his admission to that computer.”  In  contrast, the Seventh Circuit in International  Airport Ctrs. v. Citrin applied the CFAA to an employee who accessed the company computer for the purpose of “further[ing]  interests that are adverse to his employer,” i.e. stealing company data to take to a competitor.  The Fifth and  Eleventh cir­cuits follow this interpretation.

The administration’s proposal  would  set­tle this split in the  circuits in favor of apply­ing the CFAA to employees by redefining “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information  in such computer  (A) that  the accesser is not  entitled to obtain or alter; or (B) for a purpose that the accesser knows is not authorized by the computer owner.”  Thus, the proposed law would cover employees who steal data from company com­puters and would  incentivize employers to institute written policies and employee agreements delineating precisely the scope of permissible authorization to the company computers.

VALUING DAMAGE

From the standpoint  of private employers, another significant change would be the addi­tion of a requirement that  “the value of the information obtained [by an insider employee accessing the computer] exceeds $5,000.”  This requirement would be in addition to the juris­dictional prerequisite for CFAA civil actions that require the plaintiff to allege and prove $5,000 in “loss,” a term defined by the statute to include costs of “responding to any offense” and “conse­quential damages incurred because of interrup­tion of service.”  The $5,000 minimum  would not constrain criminal prosecutions directed at a computer “owned or operated by or on behalf of a government entity.”  Thus, a case like United States v. Teague, in which the defendant was criminally prosecuted for viewing (not copying or taking) President Barack Obama’s record in the National Student Loan Data System, would still be a viable prosecution.

The value of the stolen data would not be a critical factor for private companies under the proposed amendments if the violation “was committed  in furtherance of any felony violation of the laws of the  United  States or of any state.”  Thus, if an employee steals his employer’s  trade-secrets data  in  violation  of the Economic Espionage Act, 18 U.S.C. 1831, there would be no burden  on the employer to show that the value of the trade secrets exceeded $5,000.  Because the Economic Espionage Act does not provide for a civil cause of action, this would be a significant expansion in federal law that would supplant the state trade-secrets laws.

Setting limits on insider data thefts to a min­imum value of $5,000 and felony violations directly addresses the concerns  expressed by the Ninth Circuit in United  States v. Nosal that the CFAA could be interpreted “to criminalize any unauthorized  use of information obtained from a computer.”  Also, the proposed changes in the law would address the additional con­cern of the  Nosal court  that  the  CFAA could “make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”  Thus, the Obama proposal adds the requirement of willfulness to the statute,  defining it to mean  “intentionally to undertake an act that the person knows to be wrongful.”

With respect to trafficking in passwords, the proposed law would limit the crime to instanc­es where the violator knew or had reason “to know that a protected computer would be accessed or damaged without  authorization in a manner prohibited by this section [the CFAA] as the result of such trafficking.”  With an eye to changing technologies, the proposed statute also would  expand on passwords to include “any other means of access” to a computer.

Finally, the  proposed amendments  would strengthen law enforcement by increasing penalties for CFAA violations, provide injunctive relief and forfeitures and make felony violations of the CFAA predicate acts for the Racketeer Influenced and  Corrupt Organizations statute, 18 U.S.C. 1961.  This proposed amendment to RICO is long overdue.  RICO was enacted in 1970, years  before the advent of the information age in which computers have become ubiquitous and the targets and instruments  of criminals.  Because RICO, like the CFAA, provides victims with a civil remedy, this proposed amendment would similarly enhance  the ability of companies to fight cybercriminals.