Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) is the primary federal law against computer-based and internet crimes.
The CFAA makes it a crime to "intentionally access a computer without authorization or exceed authorization, and thereby obtain information from any protected computer if the conduct involved interstate or foreign communication[.]" 18 U.S.C. § 1030(a)(2)(C) (2007). "[T]he term 'exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter[.]" 18 U.S.C. § 1030(e)(6). A protected computer is one "used in interstate or foreign commerce or communication[.]" 18 U.S.C. § 1030(e)(2)(B).
The CFAA establishes a private cause of action. Under the statute, "Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief." 18 U.S.C. § 1030(g). "A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B)." Id. Subsection 1030(a)(5)(B)(i) imposes a requirement that the party bringing the claim must suffer a loss "during any 1-year period ... aggregating at least $ 5,000 in value[.]" "Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages." 18 U.S.C. § 1030(g).
A victim must show that it has suffered a loss in the aggregate of $5,000. Loss is defined in the statute as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damage incurred because of interruption of service[.]" 18 U.S.C. § 1030(e)(11).
The term "authorization" is not defined in the statute, but courts have used common dictionary-based meanings of the term.
In Southwest Airlines v. Farechase, Inc., 318 F. Supp. 2d 435 (N.D. Tex. 2004), the trial court held that Southwest had sufficiently stated a claim under the CFAA by showing that a person who was given access to fare and price information on Southwest's website had repeatedly used scraping software to steal that information for use on his own website. Id. at 439-40. In that case, the defendant had agreed not to scrape the information, and the court found that these facts sufficiently alleged a claim under the CFAA.
Defendants need to something more than merely using a public website in the manner it was intended to be liable under the CFAA. See Morris, 928 F.2d at 508 (transmission of worm was access without authorization); Int'l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 419-20 (7th Cir. 2006) (employee who downloaded secure erasure program to his computer at work would be exceeding authorized access under CFAA); EF Cultural Travel v. Zefer Corp., 318 F.3d 58, 62-63 (1st Cir. 2003) (explicit statement on website restricting scraping could establish that defendant who scraped information exceeded authorized access); United States v. Mitra, 405 F.3d 492, 494-495 (7th Cir. 2005) (interference with computer based radio system used by police, fire, and ambulance was unauthorized access).
- Healthcare Advocates v. Harding, Earley, Follmer & Frailey, 497 F. Supp. 2d 627 (E.D. Pa. July 20, 2007)