
Computer Fraud and Abuse Act (CFAA): Does it still make sense?

Good laws badly applied are still good laws.

There has been much-needed debate over the relevance of the Computer Fraud and Abuse Act (CFAA) in light of Aaron Swartzʼ recent tragic suicide. Mr. Swartz, you will recall, was a young technology entrepreneur accused of inappropriately downloading millions of scientific journals from MIT and JSTOR, a journal storage repository. Swartz, 26, had been an advocate for open access and the freedom of information online. Swartz was being prosecuted under the CFAA, and apparently took his life as a result of the impending prosecution and potential lengthy prison sentence. [1]

One can certainly argue that Mr. Swartz was being bullied, and that the intent of the law, when it was initially crafted in 1986, was to thwart malicious hackers…not well-intended activists. In this case, I agree the law may have been misapplied, or at least pursued with undue vigor. But before we toss this baby out with the bathwater, letʼs pause and consider the powerful attributes of CFAA when applied with good measure, by decent lawyers and prosecutors, and with that often elusive common sense.

Businesses suffer billions of dollars in damages each year because of hackers, employees stealing trade secrets, and vandals wreaking havoc on company networks. These crimes hit the pocketbooks of all consumers as the costs of combating them (security, insurance, litigation, etc.) are passed along to everyone. Beyond that, one of Americaʼs most vital assets – its Intellectual Property – is under constant siege by those who wish to gain an unlawful competitive advantage. Artists, inventors, and developers of Intellectual Property deserve to receive the economic rewards for their creative minds. Trade secret / IP laws and the CFAA are effective and necessary tools to combat this.

Proponents of doing away with CFAA have argued that its central criminal element, that a computer user “Exceeds authorized access,” is too vague, and that this component of the law could be used to prosecute employees checking their Facebook account from a work computer. Really? I do not know a single prosecutor or civil attorney who would touch a case like that. Our judicial system certainly has the intellect required to determine the difference between Aunt Clara checking her Facebook page while on lunch break at work and an employee downloading hundreds of software code files to take to his next employer.

Whether or not CFAA was rightly applied to the Swartz case is a matter of honest debate, and I sincerely hope positive change to CFAA is the result. But removing the teeth from this law serves no one.

The Take-Aways

No one knows if CFAA will survive, particularly in light of the Ninth Circuitʼs relatively recent narrow interpretation. [2] Regardless, companies can still effectively protect themselves from the misuse or theft of their valuable company data.

  1. Tort Remedies.  Even if CFAA goes away, attorneys still have civil contractual and tort remedies.
  2. Criminal Prosecution.  Use state trade secret statutes when appropriate.
  3. Policy. Donʼt forget to have a clear policy on computer use, including confidentiality agreements, employee awareness, controls, and training.


As of January 2013, EDiscovery Labs has merged with 4Discovery.


About Jeff Hartman

Jeff is a 30 year veteran of the corporate security, computer forensics, and eDiscovery community and a co-founder and partner at 4Discovery. 4Discovery is a leading provider of computer incident response and computer forensics services to attorneys, corporate security executives, and the information protection community.