While the federal Computer Fraud and Abuse Act (“CFAA”) permits seven causes of action to be brought by individuals or companies who have been victims of violations of the statute, practitioners lose sight of the fact that the CFAA is at its core a criminal statute. Nyack Hospital v. Moran, 2010 WL 4118355 (S.D.N.Y. June 1, 2010) neatly illustrates the importance of being able to prove the criminal elements of the statute in order to obtain a civil remedy – damages or injunctive relief.
The defendant, Kevin Moran, had been employed by Nyack Hospital as its Manager of Organizational Development. After Nyack Hospital terminated Moran’s employment, Moran allegedly “sent e-mails, including a 17-page attachment, to over ‘100 Hospital senior managers and employees’ and others and misrepresented the source of the e-mails as David Freed, the president of the hospital.” The complaint asserted that the “emails ‘leaked certain aspects of an internal confidential employee survey, defamed the Hospital’s reputation and the reputations of the several Hospital employees … and urged the … recipients to report the alleged wrongdoings to the Hospital’s Board of Trustees and the Rockland Journal New News.’ Id. at *1.
The Hospital sued Moran, for among other things, that section of the CFAA which makes it a crime to “knowingly caus[e] the transmission of … information … and as a result of such conduct intentionally caus[e] damage without authorization [ ] to a protected computer [.]” 18 U.S.C. § 1030(a) (5)(A). The fatal defect with the Hospital’s complaint was that it did not allege that Moran had “intentionally caused any damage to the hospital’s computers, but rather that . . . [Moran] knew that the sending of bulk e-mail ‘could result in a ‘denial of service’ or ‘spamming’ attack against the Hospital’s information system.’” Id. at 6.
The best the Hospital could say was that “Moran accessed the Hospital’s e-mail system and server by creating a fake Yahoo account … to trick Hospital employees into reading [the e-mail].” Id. The court dismissed the CFAA claim on the ground that the Hospital failed to allege that Moran “acted with the specific criminal intent required to establish a violation of” the CFAA.” Id. The court also found the Hospital’s failure to allege damage resulting from Moran’s alleged conduct with specificity rather than as a possibility was “inadequate to support a cause of action for a violation of the CFAA.” Id. at 7.
This decision drives home the principle that the only difference between a criminal violation of the CFAA and a civil violation is the standard of proof – the government must prove the criminal violation beyond a reasonable doubt and the civil litigant must prove the violation by a preponderance of the evidence. In both instances there must be proof of the same criminal elements of the CFAA.