The Computer Fraud and Abuse Act (CFAA) has been an increasingly popular tool for DOJ over the last few years. A recent case against the St. Louis Cardinals’ Director of Baseball Development is an easy introduction to the statute.
Christopher Correa worked for the Cardinals from 2009 to July 2015. Two other staffers who worked for him at the Cardinals left the organization in 2011 to move to the Houston Astros. According to his plea agreement, Mr. Correa took one of the departing staffers’ computer and asked for his password. He then used that password to figure out the new password for the staffer at the Astros.
Mr. Correa was able to access the staffer’s email at the Astros and a private online database operated by the Astros called “Ground Control” (Aside: RIP David Bowie: “Ground control to Major Tom.”) He obtained the Astros’ scouting information and draft reports.
In 2013, the Cardinals went the World Series and the Astros had the worst record in baseball (51-111—ouch). So, it’s not at all clear why Mr. Correa took this risk. If you are going to steal information, steal it from the Royals or the Giants, right? It reminded me of the Yogi Berra quote, “if you see a fork in the road, take it.”
Mr. Correa ultimately pleaded guilty to five counts under the CFAA. So what is this statute anyway?
You Really Should Know About the CFAA
If you haven’t dealt with the CFAA before, here’s a quick primer:
The CFAA was enacted in 1986. Think about that—DOJ is prosecuting computer hacking cases using a statute that was passed the year IBM claimed its ibm.com domain name and before any of us had internet access at all.
Needless to say, the EFF and DOJ have slightly different views of the statute. But both resources include helpful commentary and citations to key cases.
You can find the statute at 18 U.S.C. § 1030 et seq. Under the CFAA, an individual is liable if he “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2). Also, there is liability if an individual “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.” 18 U.S.C. § 1030(a)(5).
There is also a provision for civil liability under the statute, but the plaintiff must prove losses over $5000. 18 U.S.C. § 1030(g). The meaning of losses is fairly narrow. That’s the subject of another post.
A “protected computer” is one that is used by the government, or a financial institution or used in interstate or foreign commerce.
The heart of the statute is the section that prohibits computer access that is “without authorization” or that “exceeds authorized access.”
The DOJ computer crimes manual lists seven different crimes under the CFAA
|Table 1. Summary of CFAA Penalties|
|Obtaining National Security Information||(a)(1)||10 (20) years|
|Accessing a Computer and Obtaining Information||(a)(2)||1 or 5 (10)|
|Trespassing in a Government Computer||(a)(3)||1 (10)|
|Accessing a Computer to Defraud & Obtain Value||(a)(4)||5 (10)|
|Intentionally Damaging by Knowing Transmission||(a)(5)(A)||1 or 10 (20)|
|Recklessly Damaging by Intentional Access||(a)(5)(B)||1 or 5 (20)|
|Negligently Causing Damage & Loss by Intentional Access||(a)(5)(C)||1 (10)|
|Trafficking in Passwords||(a)(6)||1 (10)|
|Extortion Involving Computers||(a)(7)||5 (10)|
* The maximum prison sentences for second convictions are noted in parentheses.
An Important Circuit Split Over the CFAA
If you are at a cocktail party of lawyers talking about the CFAA, then you should find another party. (I’ll be here all week!)
Seriously, the one thing you should know about the CFAA is that there is a split among the circuits about a pivotal issue—what is the meaning of “exceeds authorized access.” That term is not defined in the statute.
The most common dispute arises when an employee of a company who has access to a computer system goes beyond company policy to access another part of the computer system or uses information obtained for a non-business purpose.
I apologize in advance that this section looks like a string cite in a dull brief. My intent is to help short-cut your research on this issue.
The Fourth and the Ninth Circuit have limited prosecutions under the CFAA, making it harder to prosecute employees.
- United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (employees cannot be criminally prosecuted under the CFAA if they merely violate the company’s computer use policies to access part of the computer system and do not actively circumvent company protection mechanisms to do so).
- WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012) (“an employee ‘exceeds authorized access’ when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.”).
Four other circuits (First, Fifth, Seventh and Eleventh) have effectively given DOJ more latitude to bring charges under the CFAA.
- International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006) (defendant acted without authorization when he deleted data from his work computer before quitting and was in violation of his duty of loyalty to the company).
- United States v. John, 597 F.3d 263, 271-73 (5th Cir. 2010) (employee exceeded authorized access when she accessed confidential customer information to commit fraud).
- United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010) (government employee exceeded authorized access when he obtained confidential information about women he wanted to date from computer system).
- EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).
Current CFAA Status
The CFAA is not without its detractors. Some blame the indictment of internet activist/millionaire Aaron Swartz under the CFAA for his suicide.
The Electronic Freedom Foundation has been fighting to limit the CFAA’s reach for years. There have been some efforts to limit the statute’s reach in Congress, but so far those efforts have failed.
As Mr. Correa learned, DOJ is aggressively pursuing these cases–either as standalone charges or as added-on charges when there is other misconduct based on the use of the accessed computer information. What’s particularly interesting is that many of these cases arise from what could best be termed employee misconduct and not necessarily overt criminal conduct. As usual, that’s not stopping the government.