As the digital landscape in the United States evolves, federal courts are reexamining federal cybersecurity laws enacted during an era before individuals, companies, and the government had easy access to computers and the internet. In particular, the Computer Fraud and Abuse Act (CFAA), 18 USC § 1030, a cybersecurity bill enacted in 1986 as an amendment to an existing computer fraud law, has come under significant scrutiny. In this blog post, we will review the CFAA and recent federal court activity regarding the law.
What Is the CFAA?
In 1986, concerned about growing criminality through the use of computers in the United States, Congress enacted the CFAA, making it a crime to “intentionally access a computer without authorization or exceed authorized access, and thereby obtain . . . information from any protected computer” (the Access Provision). In 1994, the CFAA was amended and private parties were permitted to bring causes of actions and obtain damages thereunder.
Over the years, Congress has continued to broaden the scope of the CFAA, most recently in 2008, in order to more accurately address more contemporary issues, including extortion and ransomware. Today, the CFAA protects computers, smart devices, and databases, among other things, from different types of computer fraud, including data breaches, hacking, and intentional interruptions of service.
Challenges to the CFAA
The CFAA has been the subject of significant legal challenges over the years, and federal circuit courts have been divided on how to interpret certain areas of the law. For example, in the employment context, courts are split on whether an employee’s violation of company policy constitutes a CFAA violation; the US Supreme Court recently granted certiorari in Van Buren v. United States to potentially resolve this split.
The employment context is not the only area of the law that has been challenged. In Sandvig v. Barr academic researchers from Boston brought a pre-enforcement challenge in the US District Court for the District of Columbia, arguing that the CFAA would chill their First Amendment right to free speech on a research project they intended to perform. The researchers planned to test whether employment websites discriminate on the basis of race and gender, and intended to provide false information to target certain websites to test their hypothesis, which would be in violation of those websites’ online terms of service. Concerned about potential exposure to criminal claims under the CFAA, the researchers brought a challenge in federal court before beginning their research.
Without reaching the First Amendment issue or ruling on the employers’ computer-use policy that will be decided by the Supreme Court, the DC District Court adopted a narrow interpretation of the Access Provision, stating that “the CFAA does not criminalize mere terms-of-service violations on consumer websites, and, thus, [the] plaintiffs’ proposed research plans are not criminal under the CFAA.” In support of its decision, the court reasoned that (1) “the consumer website terms of services do not provide adequate notice for purposes of criminal liability,” (2) “criminalizing violations of private websites’ terms of services raises considerable nondelegation issues,” and (3) “the rule of lenity and the constitutional avoidance canon weigh against a broad interpretation of the ‘exceeds authorized access’ as encompassing terms-of-service violations.”
As the digital landscape continues to develop, we expect to see more challenges under the CFAA appear on docket sheets across the federal court system. We will provide further updates on this developing area of the law in future posts in Tech & Sourcing @ Morgan Lewis.