Cybersecurity, A-Z: C is for CFAA

The Computer Fraud and Abuse Act, or CFAA, is the federal “anti-hacking” statute (sometimes referred to as a “computer trespass” statute). In essence, the CFAA prohibits intentional unauthorized access to another's computer when that access reaches certain protected information or otherwise causes damage or loss. The CFAA provides for both criminal penalties and civil causes of action. The scope and meaning of access “without authorization” can be uncertain: last year, the 9th Circuit issued two important decisions on this issue, in U.S. v. Nosal (holding that a former employee whose access was revoked cannot gain authorized access through a third party who has access to the employer's computer network) and Facebook v. Power Ventures (holding that, when Facebook sent Power Ventures, a third-party social media aggregator, a cease and desist letter, that letter was sufficient to revoke authorization under the CFAA). The CFAA can also potentially stand in the way of what can be broadly termed “Active Cyber Defense,” creating uncertainty about liability for companies that attempt to defend themselves from cyberattack in ways that go beyond mere perimeter defenses (such as antivirus software or firewalls). Earlier this year, Congressman Tom Graves (R-GA) introduced a discussion draft of legislation that would seek to create exceptions under the CFAA for persons using Active Cyber Defense methods in certain circumstances. The CFAA is a critically important statute that Congress will likely examine, with a view to possibly amending it, in the relatively near future.

Read about Foley Hoag’s Cybersecurity Incident Response Team.
