This Blog post seeks to explore some of the laws implicated by illegal hacking and what civil remedies victims are afforded.In 2008, acting in accordance with the times, Congress released an amendment to the then-existing computer fraud law (codified in 18 U.S.C. § 1030) known as, The Computer Fraud and Abuse Act (“CFAA”). The amendment broadened the scope of the previous act by making it a crime for someone to intentionally access any “protected computer.”

To bring a civil action based on the federal Computer Fraud and Abuse Act (“CFAA”) a plaintiff must show that the alleged violation “caused . . . loss . . . aggregating at least $5,000 in value.” 18 U.S. C. Section 1030(c)(4)(A)(i). “Loss” is defined by the CFAA as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system , or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

As amended in September 2008, the Act establishes civil liability for anyone who, among other things, “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage…” involving “loss to 1 or more persons during any 1-year period… aggregating at least $5,000 in value.” 18 U.S.C. § 1030(g) (incorporating 18 U.S.C. § 1030 (a)(5)(B) & (c)(4)(A)(i)(I)).In recent years, employers have increasingly been using the CFAA to sue employees and former employees who make wrongful use of the employer’s computer systems or electronic devices, such as retaining, wrongfully accessing, or copying the employer’s computer systems or electronic documents without proper authorization. Such use of the CFAA in the employment context has been made possible in part by the broad definition of “protected computer” under the Act, which explicitly includes any computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States…” 18 U.S.C. § 1030(e)(2)(B).

The CFAA prohibits obtaining “information” by accessing, without authority, a protected computer. 18 U.S.C. §1030(a)(2)(C). The statute also prohibits accessing a protected computer without authorization and obtaining “anything of value” provided that it is worth $5,000 or more. §1030(a)(4).

Cyberattacks have proliferated to a degree that was unimaginable 25 years ago, and attackers are finding new ways to target companies’ and consumers’ devices at unprecedented rates. Understanding that the DOJ was focused on combating cybercrime in 1996, you can see just how significant it is to be facing charges under 18 U.S.C. Section 1030 today.“The DOJ aggressively prosecutes cases under the Computer Fraud and Abuse Act.

The Computer Fraud and Abuse ActAs computer technology has proliferated and become more powerful over the years, Congress has expanded the CFAA—both in terms of its scope and its penalties—numerous times since its enactment. In 1984, Congress passed the Comprehensive Crime Control Act, which included the first federal computer crime statute, later codified at 18 U.S.C. § 1030, even before the more recognizable form of the modern Internet, i.e., the World Wide Web, was invented.[3] This original bill was in response to a growing problem in counterfeit credit cards and unauthorized use of account numbers or access codes to banking system accounts.

Nexans Wires’ complaint alleged, in addition to state law claims, various violations of the federal Computer Fraud and Abuse Act (CFAA), a federal criminal statute which allows for civil remedies. 18 U.S.C. 1030. The CFAA permits a company that “suffers damage or loss by reason of a violation of this…[statute to] maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. 1030(g).There is no requirement that the data be a trade secret or copyrighted information, only that it be valuable “relative to one’s needs and objectives.”

The CCCA was the first federal computer fraud law designed to address hacking in cases involving a compelling “federal interest” (that is, where computers of the federal government or certain financial institutions are involved or where the crime itself was interstate in nature). The CCCA, codified as 18 U.S.C. 1030, consisted of three new federal crimes that covered certain conduct by a person who “knowingly accesses a computer without authorization, or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend[.]” The crimes were limited to three specific scenarios tailored to particular government interests: computer misuse to obtain national security secrets, computer misuse to obtain personal financial records, and hacking into government computers.With the CFAA, Congress broadened the protection by adding three new prohibitions.

Primarily a criminal statute, the CFAA is designed to combat hacking, making it a crime to “intentionally access[ ] a computer without authorization or exceed[ ] authorized access, and thereby obtain[ ] information from any department or agency of the United States.” 18 U.S.C. § 1030(a)(2)(B). Those who violate §1030(a)(2) face penalties ranging from fines and criminal penalties; the statute also permits a private party “who suffers damage or loss by reason of a violation of [the CFAA]” to bring a civil action for money damages and equitable relief. 18 U.S.C. §1030(g).

Finally, the announcement provides contact information and different means through which to report COVID-19 cybercrime schemes to law enforcement.U.S. Supreme Court’s April 20 Grant of Certiorari in Van Buren v. United StatesLurking behind the scenes, however, is a Supreme Court case that could derail other aspects of the DOJ’s cybercrime prosecution agenda: Van Buren v. United States. In Van Buren, the Court will have its very first opportunity to examine the CFAA, 18 U.S.C. § 1030, in the context of a federal circuit split over what it means to access a computer without authorization or to exceed authorized access to a computer.Congress enacted the CFAA in 1986, inspired in part by the Cold War-era motion picture, WarGames,3 in which a teenaged hacker unwittingly gained control of the U.S. nuclear arsenal and nearly triggered a nuclear war with the Soviet Union.4 The CFAA primarily was intended to target computer hackers attempting to infiltrate, damage, or steal information from federal government computer systems,5 though Congress amended the statute over the years to prohibit such hacking crimes against any “protected computer,” generally interpreted to mean almost any public or private Internet-connected computer or computer system.