Is the Computer Fraud and Abuse Act a Failed Experiment?

As regular readers of this blog know, the courts are split over the proper interpretation of the Computer Fraud and Abuse Act (“CFAA”), in particular whether the CFAA should apply only to “hackers,” those who truly break into a computer system, or also to those who misuse someone else’s data that they lawfully accessed. In a recent Forbes article, Eric Goldman argues that the CFAA is, in fact, a failed attempt to apply the ancient legal doctrine of “trespass to chattels” to online activity. “Trespass to chattels” is temporarily depriving a property owner of the possession of his property, like taking someone else’s car for a joyride. Goldman argues that the CFAA has been morphed by court decisions and Congressional action into “a federal prohibition on trespassing someone else’s Internet equipment by sending data to it or taking data from it.” The result has been that “online trespass to chattels now reaches scenarios far beyond hacking scenarios, sometimes in farcical ways,” including ordinary employee activities like downloading company data onto personal devices and search engine “scraping” of website data, things the CFAA was never originally supposed to reach.

Goldman’s argument makes some sense, but those like Goldman who argue against a broader interpretation of the CFAA are criticized by some judges for their “far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy.” United States v. Nosal, 642 F.3d 781 (9th Cir. 2011) (Silverman, J., dissenting). When defendants “steal[ ] an employer’s valuable information to set up a competing business with the purloined data” that was “siphoned away from the victim,” and the defendants “know[ ] such access and use were prohibited in the defendants’ employment contracts,” that’s a different story. Id. And the latter is the story most employers try to tell when they sue employees under the CFAA. It’s much easier to think that the CFAA was meant to punish conniving employees than those who “access[ ] word puzzles, jokes, and sports scores while at work.” Id. So reform is difficult because the statute mostly punishes those who deserve to be punished, and the truly ridiculous cases largely remain hypothetical.

One thought on “Is the Computer Fraud and Abuse Act a Failed Experiment?”

  1. You say, “It’s much easier to think that the CFAA was meant to punish conniving employees…” So do you think Congress intended to provide a federal trade secret cause of action when it amended the CFAA? Eric.
