The 1986 Computer Fraud and Abuse Act (18 U.S.C. § 1830) made criminal intentionally accessing a protected computer without authorization or exceeding authorized access to that computer and thereby obtaining information from it. The Act defines a “protected computer” as any computer which is used in or affects interstate or foreign commerce or communication. Therefore, the Act applies to any computer or even a smartphone connected to the Internet. See http://www.chicagotrademarkattorney.net/9th-circuit-rules-california-dreamin-online-not-a-federal-crime/.
Violations of the Act also include knowingly causing the transmission of code, and as a result of such conduct, intentionally causing damage without authorization to a protected computer as well as trafficking in a password or similar information through which a computer may be accessed without authorization. It is also a violation of the Act to access a computer with the intent to extort from any person any money or other thing of value, or demand or request money or other thing of value in relation to damage to a protected computer. So ransomware is covered by this statute as well.
If the value of the information exceeds $5,000.00, punishment may include a fine or imprisonment for up to five years.
Violations of this Act may be a civil offense as well. There’s a two-year statute of limitations which commences upon the date of the act complained of or the date of discovery of the damage and compensatory damages or injunctive relief may be sought. To obtain relief there must be at least a $5,000 loss or the modification of a medical exam or diagnosis or physical injury to a person or a threat to public health or safety or damage affecting 10 or more protected computers and recoverable losses may include response costs, restoration of data or programs, lost sales or advertising from a website or harm to reputation or goodwill.
Cases have held that it is not a civil violation of the Act when revenue is lost due to theft of proprietary data if the Plaintiff still had access to the data just as it had before the Defendant’s actions. Also, one does not appear to have a civil claim under the Act if the misappropriated data remains intact on the originating computer. On the other hand, having a single user subscription to an online publication and providing the confidential username and password to that subscription to numerous other employees for two and a half years has been held to constitute unauthorized access or access in excess of authorization to a computer system that can be redressed under the Act.
The 9th Circuit in the Nosal case took a limited view of the applicability of the Act holding that it “target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation” and interpreted the statute’s meaning of “exceeding authorized access” to exclude violations of use restrictions. See U.S. v. Nosal, 676 F.3d 854. That Circuit has held that a claim under the statute depends on whether a person has received permission to use the computer for any purpose or if an employer has rescinded permission to access the computer and the defendant uses the computer anyway. In the latter case the defendant would be liable but in the former case he would not be. In the 9th Circuit civil liability under the statute has been interpreted to apply to violations of technical rules, not written ones, i.e., the Computer Fraud and Abuse Act is intended to punish hacking or the circumvention of technical access barriers and not violations of use restrictions. As I wrote in http://www.chicagotrademarkattorney.net/9th-circuit-rules-california-dreamin-online-not-a-federal-crime/ in Nosal Judge Kozinski wrote, “Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the [Computer Fraud and Abuse Act], such minor dalliances would become federal crimes.”
But, beware, here in Illinois, the Seventh Circuit Court of Appeals has taken a broader interpretation as to the applicability of the Computer Fraud and Abuse Act in civil cases, holding whenever an employee breaches his duty of loyalty or a contractual obligation to his employer and has knowingly accessed that employer’s computer without authorization or has exceeded his authorized access he is liable under the Act, or otherwise acquires an adverse interest to the employer, the employee’s authorization to access information stored on an employer’s computer terminates, and all subsequent access is unauthorized or exceeds the scope of authorization even if that access is still technologically enabled. In other words, one is civilly liable whether one accesses a computer without authorization or uses such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter. See International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).