The federal Computer Fraud and Abuse Act of 1986 (“CFAA”) has generated controversy and disagreement among courts and commentators regarding the scope of its application. The statute, 18 U.S.C. § 1030, which provides for both criminal and civil penalties, prohibits accessing a computer or protected computer “without authorization” or in a manner “exceeding authorized access.” Courts are divided as to the meaning of these phrases, yet the U.S. Supreme Court recently declined the opportunity to resolve the circuit split that has developed, leaving the exact scope of this important statute in question.
Richard F. Smith – who presided over Equifax Inc. as CEO during one of the largest data breaches in a generation – will testify before two congressional committees next week.
Over the past several years, we have witnessed a fundamental shift in orchestrated cyber-attacks from hacking credit card data and healthcare information to targeting businesses, their operations and bottom lines.
Justice Shirley Kornreich recently issued one of the few New York state court decisions that address the Computer Fraud and Abuse Act (“CFAA”). Spec Simple, Inc. v. Designer Pages Online LLC, No. 651860/2015, 2017 BL 160865 (N.Y. Sup. Ct. May 10, 2017). The CFAA criminalizes both accessing a computer without authorization and exceeding authorized access and thereby obtaining information from any protected computer. Id. at *3 (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA also provides a civil cause of action to any person who suffers damage or loss because of a violation of the CFAA. Id. at *4 (citing 18 U.S.C. § 1030(g)). As discussed below, the decision provides a helpful look into the interpretation of CFAA claims in the future.
Digital Divide Deepens: Tech Community Backs Second Circuit in Clash with Magistrates over Reach of U.S. Warrants
The technology community took aim at a recent federal magistrate’s ruling that ordered Google Inc. to comply with search warrants seeking customer emails stored on servers abroad, calling the decision “an impermissible extraterritorial application of U.S. law.” In rejecting a recent federal appeals court decision in a similar case in favor of Microsoft Corp., U.S. Magistrate Thomas J. Reuter in Philadelphia ruled that transferring emails from a foreign server to the U.S. was not tantamount to a seizure beyond American borders. The technology companies urged the court to reject the “fiction that such a foreign search and seizure is a domestic act….”