§ 7.07 Specific Criminal Offenses and Civil Violations Under the CFAA

• Jurisdiction: United States
• Publication year: 2020

§ 7.07 Specific Criminal Offenses and Civil Violations Under the CFAA

[1] Introduction

The Supreme Court has held that where a statute "has both criminal and noncriminal applications," courts should interpret the statute consistently in both criminal and noncriminal contexts.⁴⁵⁵ Thus, this section applies to both criminal offenses and civil violations under the CFAA except for those subsections that only apply to the criminal offenses such as Section 1030(a)(1).

The government and plaintiffs have most often alleged violations of (1) Section 1030(a)(2)(C), which involves obtaining information from a protected computer without authorization or in excess of authorization; (2) Section 1030(a)(4), which, in addition to involving accessing a protected computer without authorization or in excess of authorized access, requires that the defendant acted with the intent to defraud and obtain something of value; (3) Section 1030(a)(5), which involves causing damage to a protected computer; and (4) Section 1030(6), which involves trafficking in computer passwords.

In the civil context, while it is better practice to allege in a complaint which specific CFAA subsection that defendant violated, courts have found that a party does not forfeit claims under the CFAA simply by not pleading those subsections explicitly so long as the plaintiff properly pleads the elements of one subsection.⁴⁵⁶ Each of these subsections is discussed below.

[2] Protection of Classified Government Information (§ 1030(a)(1))

Subsection 1030(a)(1) protects against the knowing access of government computers to obtain classified information.⁴⁵⁷ The government has rarely brought charges under this subsection. This subsection criminalizes transmitting classified government information, to the detriment of the United States or to the benefit of a foreign country that was obtained by accessing government computer files without authority or by exceeding authority. This specifically covers the conduct of a person who deliberately breaks into a computer without authority, or an insider who exceeds authorized access and thereby obtains classified information⁴⁵⁸ and then communicates the information to another person, or retains it without delivering it to the proper authorities with the belief that the classified information so obtained could be used to the injury of the United States or to the advantage of any foreign nation. The subsection therefore is similar to Title 18, Section 793(e) of the United States Code that also protects classified information⁴⁵⁹ but is different in that it also requires proof that the individual knowingly used a computer without authority, or in excess of authority, for the purpose of obtaining classified information.⁴⁶⁰ It is the use of the computer that is proscribed, not the unauthorized possession of, access to, or control over the classified information itself.⁴⁶¹

[3] Protection of Financial, Government, and Other Computer Information (§ 1030(a)(2))

Subsection 1030(a)(2) is concerned with the protection of information. It prohibits the intentional access of a protected computer⁴⁶² without authorization⁴⁶³ or in excess of authorized access⁴⁶⁴ for the purpose of obtaining information⁴⁶⁵ from financial institutions, the federal government, or private sector computers involved in interstate commerce or foreign communications—essentially any computer connected to the Internet.⁴⁶⁶

In order to prove a violation of Section 1030(a)(2)(c), the government or the plaintiff must show that the defendant (1) intentionally accessed a computer,⁴⁶⁷ (2) without authorization (or exceeded authorized access), and (3) thereby obtained information, (4) from any protected computer from a computer that qualifies as a "protected computer," and (5) defendant's conduct involved an interstate or foreign communication.⁴⁶⁸ The elements unique to this subsection of the CFAA are (i) that defendant acted intentionally in accessing a computer, (ii) obtained information, and (iii) the conduct involved an interstate or foreign communication.

In addition, in a civil action, a plaintiff must also prove that there was loss to one or more persons during any one-year period aggregating at least $5,000 in⁴⁶⁹ value.⁴⁷⁰ Thus, this section merely requires a showing that by engaging in unauthorized access or exceeded authorized access, defendant obtained information from a protected computer. For example, a court held that Ticketmaster had stated a cause of action under this section where defendants used bots to obtain tickets without Ticketmaster's authorization.⁴⁷¹ The court found that the "tickets are 'information' in two senses: (1) the tickets contain information on the face of the ticket that grants the bearer entrance to a particular event; and (2) the tickets themselves are transmitted through the internet in the form of computer code, which is itself information."⁴⁷²

It is unclear what the term "obtaining information" means. In United States v. Aur-enheimer,⁴⁷³ the court held that a violation of this section "is complete even if the offender never looks at the information and immediately destroys it, or the victim has no idea that information was ever taken."⁴⁷⁴ However, at least one other court has questioned such a broad understanding of Section 1030(a)(2), but ultimately did not reach a conclusion on the issue.⁴⁷⁵ The requirement that defendant obtain information from a computer used in interstate or foreign commerce (protected computer) is satisfied whenever a person using a computer contacts an Internet website and reads any response from that site.⁴⁷⁶

The government or the plaintiff need not also prove that the defendant had the intent to defraud in obtaining the information or that the information was used to any particular ends.⁴⁷⁷

With regard to the "intentional" element, the CFAA, in general, and Subsection 1030(a)(2), requires "intentional" conduct giving rise to a statutory violation. At least one court borrowing heavily from the legislative history of the Electronic Communications Privacy Act held that the definition of "intentional" under the CFAA is narrower than the dictionary definition of intentional and that intentional conduct must involve the "conscious objective or desire to commit a violation."⁴⁷⁸ Thus, under this standard, the court held that a company cannot be held liable for an employee's violation of the CFAA because the plaintiff failed to allege that the employer had knowledge of the employee's violation. The court said that neither the fact that the alleged CFAA violation was committed with the company's computer facilities nor the fact that the hacker was a company employee supplied the requisite intent.⁴⁷⁹

The requirement that the communication involve an interstate or foreign communication is generally not an issue because courts have generally found that it is satisfied, for example, in such typical situations as where the plaintiff's computer system is connected to the Internet or where the plaintiff had offices in two different states and defendant accessed information maintained in its secured database.⁴⁸⁰ Similarly, a court found that even though the records accessed by defendant were stored only on the hard drive of a computer that was not connected to the Internet, defendant's conduct involved interstate communications where defendant accessed plaintiff's online bank account, obtained financial information, and diverted plaintiff's assets.⁴⁸¹ At least one court has held that simply receiving unwanted text messages violates 1030(a)(2)(C).⁴⁸² In a notorious case, involving a thirteen-year-old girl who committed suicide after a mother of a classmate of hers posted disparaging remarks on a MyS-pace account using the fictitious alias of a sixteen-year-old- boy, the court overturned the mother's misdemeanor conviction under Section 1030(a)(2)(C). The government charged that the mother had violated the section by violating MySpace's terms of service. However, the court agreed with the defendant that the charge violated the void-for-vagueness doctrine because individuals of "common intelligence" do not have notice that:

"a breach of a terms of service contract can become a crime under the CFAA. . . . Here, the language of section 1030(a)(2)(C) does not explicitly state (nor does it implicitly suggest) that the CFAA has 'criminalized breaches of contract' in the context of website terms of service. Normally, breaches of contract are not the subject of criminal prosecution."⁴⁸³

The court further found that the terms of service do not acceptably distinguish between those violations of the terms of service that form the basis for a criminal violation and those that do not:

"If any violation of any term of service is held to make the access unauthorized, that strategy would probably resolve this particular vagueness issue; but it would, in turn, render the statute incredibly overbroad and contravene the second prong of the void-for-vagueness doctrine as to setting guidelines to govern law enforcement."⁴⁸⁴

The court also found that government's charging approach in this matter would, essentially, make the website operator the ultimate decision-maker as to the type of conduct that is criminal.⁴⁸⁵ Thus, the court concluded:

"Treating a violation of a website's terms of service, without more, to be sufficient to constitute 'intentionally accessing a computer without authorization or exceeding authorized access' would result in transforming section 1030(a)(2)(C) into an over-whelming overbroad enactment that would convert a multitude of otherwise innocent Internet users into misdemeanant criminals."⁴⁸⁶

Subsection 1030(c)(2)(A) provides for misdemeanor penalties for violations of subsections (a)(2), (a)(3), or (a)(6), except violations under (a)(2) may enhanced to a felony (1) by committing the offense for "commercial advantage or private financial gain"; (2) by committing an offense "in furtherance of any criminal or tortious act in...