The federal Computer Fraud and Abuse Act of 1986 (“CFAA”) has generated controversy and disagreement among courts and commentators regarding the scope of its application. The statute, 18 U.S.C. § 1030, which provides for both criminal and civil penalties, prohibits accessing a computer or protected computer “without authorization” or in a manner “exceeding authorized access.” Courts are divided as to the meaning of these phrases, yet the U.S. Supreme Court recently declined the opportunity to resolve the circuit split that has developed, leaving the exact scope of this important statute in question.
Richard F. Smith – who presided over Equifax Inc. as CEO during one of the largest data breaches in a generation – will testify before two congressional committees next week.
Over the past several years, we have witnessed a fundamental shift in orchestrated cyber-attacks from hacking credit card data and healthcare information to targeting businesses, their operations and bottom lines.
Justice Shirley Kornreich recently issued one of the few New York state court decisions that address the Computer Fraud and Abuse Act (“CFAA”). Spec Simple, Inc. v. Designer Pages Online LLC, No. 651860/2015, 2017 BL 160865 (N.Y. Sup. Ct. May 10, 2017). The CFAA criminalizes both accessing a computer without authorization and exceeding authorized access and thereby obtaining information from any protected computer. Id. at *3 (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA also provides a civil cause of action to any person who suffers damage or loss because of a violation of the CFAA. Id. at *4 (citing 18 U.S.C. § 1030(g)). As discussed below, the decision provides a helpful look into the interpretation of CFAA claims in the future.