The new Computer Abuse and Data Recovery Act: a business tool against computer hacking.

Author: Kain, Robert C.
Position: Special Issue: Technology & the Practice of Law

In reaction to the rampant hacking of business computers and data theft, Florida has passed a new law, the Computer Abuse and Data Recovery Act (CADRA), F.S. §668.801, which establishes new civil violations and monetary recoveries against unauthorized persons who harm or cause damage to business computers or systems that contain business information or data. As of October 1, 2015, a person violates CADRA if they:

knowingly and with intent to cause harm or loss: (1) obtain[] information from protected computer without authorization and, as a result, cause[] harm or loss; [or] (2) cause[] the transmission of a program, code or command to a protected computer without authorization and.... cause[] harm or loss; or (3) traffic[] in any technological access barrier through which access to a protected computer may be obtained without authorization. (1)

The harmed business owner can collect an expanded list of statutory damages from the violator. Other than trafficking (2) a password (which is called a CADRA "technological access barrier" (TAB)), the violation must be with knowledge and with intent to cause harm or loss. In general, CADRA defines a new statutory intentional tort.

Historical Basis

Prior to CADRA, practitioners who sought civil remedies for abuses of computerized data used two primary statutes, Florida's Computer Crimes Act, F.S. §815.01 et seq., and the Federal Computer Fraud and Abuse Act, 18 U.S.C. §1030 (federal CFAA). Both laws are criminal in nature with an appended civil remedy. Due to the strict construction rule applied to criminal statutes, these statutes have been narrowly construed primarily due to the uncertain meaning of "without authorization." Although practitioners sometimes used Florida's Uniform Trade Secrets Act (FUTSA), F.S. §688.001, and Florida's Civil Remedies for Criminal Practices Act, F.S. §772.101, (3) for computer abuses, experience over several decades has not resulted in many favorable outcomes. Essentially, these latter statutes do not specify, in any manner, the operations of a computer system. In contrast, Florida's Computer Crimes Act has specific statutory language covering unauthorized access to computer data and systems, misuse of data, hacking, password theft, and password hack-ins, but provides a civil remedy only after a conviction. (4)

Florida-based businesses typically relied upon the Federal CFAA for relief because Florida's Computer Crimes Act provides a relatively hollow civil action. An injured party "may bring a civil action against any person convicted" under the act. (5) Therefore, a criminal conviction must precede the civil action. Civil actions after criminal proceedings are not particularly effective from a monetary perspective or for reasonably quick equitable relief. All violations of Florida's Computer Crimes Act (6) require the accused to act "without authorization." Florida courts have interpreted "exceeds authorized access" as not necessarily "without authorization" in the criminal context. (7)

The federal CFAA criminalizes certain computer-related behavior and, if the damage exceeds $5,000, provides a civil remedy for its victims. In 2012, the Ninth Circuit Court of Appeals held that the federal CFAA does not cover a disloyal employee or an insider who takes computer data during his or her employment and uses it in an anticompetitive manner after leaving the company. (8) Three months later, the Fourth Circuit Court of Appeals agreed and held that the federal CFAA was not violated unless the employee lacks any authorization to obtain or alter the data when he or she was employed. (9) In contrast, the First, Fifth, and Seventh circuits have taken an opposite view and support the concept that a disloyal employee violates the federal CFAA whether he or she uses the data with or without financial gain. (10)

In 2010, the 11th Circuit in United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), found that a disloyal employee violated the CFAA even though he never used the data for financial gain. The scope of "exceeds authorized access" is unclear as applied in the 11th Circuit Rodriguez case. Florida U.S. district court cases include Lee v. PMSI, Inc., No. 8:10-cv-2904-T-23TBM, 2011 WL 1742028 (M.D. Fla. 2011), in which the district court dismissed an employer's federal CFAA counterclaim in an employment discrimination action notwithstanding that the plaintiff employee made personal use of the Internet at work by checking Facebook and sending personal emails in violation of company policy. In an unpublished case, Lockheed Martin Corp. v. Speed, No. 6:05 CV 1580 ORL 31, 2006 WL 2683058 (M.D. Fla. 2006), former employees of Lockheed Martin accessed company proprietary information while they were still authorized to do so, then went to a competitor and used the data to win a contract for their new employer, in direct competition with their former employer. The Lockheed court found that, at the time the former employees accessed the computers, they had "authorized access" and, therefore, did not exceed authorized access or violate the CFAA.

Given the deteriorating effectiveness of...
