Introduction
The Computer Fraud and Abuse Act (“CFAA”) is the embodiment of Congress’s first attempt to draft laws criminalizing computer hacking. It is rumored that the Act was influenced by the 1983 movie WarGames[1], in which a teenager unintentionally starts a countdown to World War III when he hacks into a military supercomputer.
The law as originally drafted was aimed at hackers who use computers to gain unauthorized access to government computers. But Congress has amended it numerous times over the years, drastically expanding it to cover unauthorized access of any computer “used in or affecting interstate or foreign commerce or communication,” as well as a variety of other illicit computer activities such as committing fraud using a computer, trafficking in passwords, and damaging computer systems such as through a virus.
The CFAA also provides a private right of action allowing compensation and injunctive relief for anyone harmed by a violation of the law. It has proved very useful in civil and criminal cases of trade secret misappropriation where the trade secret information was obtained by accessing a computer “without authorization or exceed[ing] authorized access.” It is this language that provides the statute with so much flexibility to be used in trade secret cases; and which the Supreme Court has decided to take a closer look at in its next term.
Opponents have long argued that the “without authorization or exceeds authorized access” language is so unreasonably broad that it criminalizes everyday, insignificant online acts such as password‑sharing and violations of websites’ Terms of Service. Tim Wu, a professor at Columbia Law School, has called it “the worst law in technology.”[2] While it is true that CFAA violations have been, at times, over-aggressively charged, the Supreme Court’s decision could drastically curtail how the CFAA can be used to curb trade secret misappropriation.
The Computer Fraud and Abuse Act
As computer technology has proliferated and become more powerful over the years, Congress has expanded the CFAA—both in terms of its scope and its penalties—numerous times since its enactment. In 1984, Congress passed the Comprehensive Crime Control Act, which included the first federal computer crime statute, later codified at 18 U.S.C. § 1030, even before the more recognizable form of the modern Internet, i.e., the World Wide Web, was invented.[3] This original bill was in response to a growing problem in counterfeit credit cards and unauthorized use of account numbers or access codes to banking system accounts. H.R. Rep. No. 98-894, at 4 (1984). Congress recognized that the main issue underlying counterfeit credit cards was the potential for fraudulent use of ever-expanding and rapidly-changing computer technology. Id. The purpose of the statute was to deter “the activities of so-called ‘hackers’ who” were accessing “both private and public computer systems.” Id. at 10. In fact, the original bill characterized the 1983 science fiction film WarGames[4] as “a realistic representation of the automatic dialing and access capabilities of the personal computer.” Id.
Two years later, Congress significantly expanded the computer crime statute, and it became known as the Computer Fraud and Abuse Act. Congress has further amended the statute over the years to expand the scope of proscribed violations and to provide a civil cause of action for private parties to obtain compensatory damages, injunctive relief, and/or other equitable relief. For example, in the most recent expansion of the CFAA, in 2008, Congress (1) broadened the definition of “protected” computers to include those “used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States,” which includes servers and other devices connected to the Internet; (2) criminalized threats to steal data on a victim’s computer, publicly disclose stolen data, or not repair damage already caused to the computer; (3) added conspiracy as an offense; and (4) allowed for civil and criminal forfeiture of real or personal property used in or derived from CFAA violations.
The CFAA covers a broad range of unlawful computer access and, in relevant part, provides: “[w]hoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer,” commits a federal crime and may face civil liability. 18 U.S.C. § 1030(a)(2), (c), (g). The phrase “without authorization” is not defined in the statute, but the phrase “exceeds authorized access,” is defined as: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6).
A “computer” can be any “electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device.” Id. § 1030(e)(1). Courts across the country have interpreted “computer” extremely broadly to include cell phones, Internet-connected devices, cell towers, and stations that transmit wireless signals. E.g., United States v. Kramer, 631 F.3d 900, 902-03 (8th Cir. 2011) (basic cellular phone without Internet connection); United States v. Valle, 807 F.3d 508, 513 (2d Cir. 2015) (restricted databases); United States v. Drew, 259 F.R.D. 449, 457-58 (C.D. Cal. 2009) (Internet website); United States v. Mitra, 405 F.3d 492, 495 (7th Cir. 2005) (computer-based radio system); United States v. Nosal, 844 F.3d 1024, 1050 (9th Cir. 2016) (Reinhardt, J., dissenting) (“This means that nearly all desktops, laptops, servers, smart-phones, as well as any iPad, Kindle, Nook, X-box, Blu-Ray player or any other Internet-enabled device, including even some thermostats qualify as “protected.” (some internal quotations omitted)). A “protected computer” is any computer that “is used in or affect[s] interstate or foreign commerce or communication of the United States.” 18 U.S.C. § 1030(e)(2)(B). Again, courts have construed this term very broadly to include any computer connected to the Internet. E.g., United States v. Nosal, 676 F.3d 854, 859 (9th Cir. 2012) (en banc); United States v. Trotter, 478 F.3d 918, 921 (8th Cir. 2007).
Violations of the CFAA can result in both criminal and civil liability. A criminal conviction under the “exceeds authorized access” provision is typically a fine or a misdemeanor for a first offense, but can be a felony punishable by fines and imprisonment of up to five years in certain situations, such as where the offense was committed for “commercial advantage or private financial gain” and “the value of the information obtained exceeds $5,000.” 18 U.S.C. § 1030(c)(2)(A), (B). The CFAA also authorizes civil suits for compensatory damages and injunctive or other equitable relief by parties who show, among other things, that a violation of the statute caused them to “suffer[ ] damage or loss” under certain circumstances. Id. § 1030(g).
Using the CFAA in Trade Secret Cases
A CFAA claim can be a nice complement to a trade secret misappropriation claim if the act of misappropriation included taking information from a computer system. One key advantage that the CFAA adds to a trade secret misappropriation case is that it is not subject to some of the more restrictive requirements of federal and state trade secret laws. To assert a claim under the Defend Trade Secrets Act, 18 U.S.C. § 1836, et seq., the claimant must (among other things): (1) specifically identify the trade secret that was misappropriated; (2) prove that the claimant took reasonable measures to keep the information secret; and (3) prove that the information derives independent economic value from not being generally known or readily ascertainable. See 18 U.S.C. § 1839(3).
These requirements can present traps for the unwary, and potential defenses for a defendant. For example, a defendant accused of trade secret misappropriation will often put the plaintiff through its paces to specifically identify the trade secrets that were allegedly misappropriated because failure to do so to the court’s satisfaction can lead to an early dismissal. E.g., S & P Fin. Advisors v. Kreeyaa LLC, No. 16-CV-03103-SK, 2016 WL 11020958, at *3 (N.D. Cal. Oct. 25, 2016) (dismissing for failure to state a claim for violation of the DTSA where plaintiff failed to sufficiently state what information defendants allegedly misappropriated and how that information constitutes a trade secret).
Similarly, whether the information was protected by “reasonable measures” can become a litigation within the litigation. To establish this requirement, the plaintiff typically must spell-out all of its security measures, supply evidence of the same, and provide one or more witnesses to testify to the extent and effectiveness of the security measures. Failure to adequately establish reasonable measure has been the downfall of many trade secret claims. E.g., Gov’t Employees Ins. Co. v. Nealey, 262 F. Supp. 3d 153, 167-172 (E.D. Pa. 2017) (dismissing plaintiff’s DTSA claim for failure to state a claim when it included much of the same information it claimed to be a trade secret in a publicly filed affidavit).
Lastly, the requirement to establish that the information derives independent economic value from not being generally known or readily ascertainable can also be a significant point of contention. Establishing this prong often requires the use of a damages expert and the costly expert discovery that goes along with that. And as with the other requirements of a DTSA claim, failure to establish it adequately can doom the claim. E.g., ATS Grp., LLC v. Legacy Tank & Indus. Servs. LLC, 407 F. Supp. 3d 1186, 1200 (W.D. Okla. 2019) (finding plaintiff failed...
