Businesses in New Jersey, New York, and around the country depend on computers, computer networks, and the internet to conduct their operations. Whether a company is engaged in e-commerce or other internet-based business activities, or it merely uses computer software to assist with inventory or payroll, that company is potentially vulnerable to cybersecurity breaches. Numerous resources are available to help business owners protect their data from threats, including both hackers and insiders. The federal government is also working to enhance its ability to investigate and prosecute cybercrime. Proposals from the White House and the U.S. Department of Justice (DOJ) in the past year have called on Congress to amend the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, to address the misuse of company data by insiders. Critics of these proposals claim that they go too far and could result in criminalizing ordinary business internet activity.
The CFAA applies to unauthorized access to a computer, or use of a computer that exceeds one’s authority. The term “computer” includes machines commonly known as “computers” and any related “data storage…or communications facility.” 18 U.S.C. § 1030(e)(1). A “protected computer” may be one “used in or affecting interstate or foreign commerce or communication.” Id. at § 1030(e)(2)(B).
A provision of the CFAA relevant to small businesses prohibits knowingly accessing a protected computer without, or in excess of, authorization, “with intent to defraud,” and obtaining information worth at least $5,000. Id. at § 1030(a)(4). It also prohibits knowingly sending information, such as malicious computer code, that causes unauthorized damage to a protected computer. Id. at § 1030(a)(5). The CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” Id. at § 1030(e)(8). These provisions have enabled prosecutions of hackers and others outside of a company, but prosecutors claim that they have been less useful for going after insiders.
The White House issued a proposal for cybersecurity reforms in January 2015, including measures to address new technologies and tactics like botnets, and provisions allowing the prosecution of company insiders “who abuse their ability to access information to use it for their own purposes.” In a speech on cybersecurity in October 2015, the Assistant Attorney General for the DOJ’s Criminal Division made a similar proposal, asking Congress to “amend the CFAA to make sure that insider abuse of network access is a crime” under the sort of aggravated circumstances already mentioned in the statute.
Concerns over proposals such as these largely focus on the difficulty of defining an “insider” and determining when someone with authorized access to a protected computer exceeds that access to a criminal degree. Another DOJ official discussed some of these concerns in testimony before the Senate Judiciary Committee in September 2011. Access to a protected computer that exceeds a person’s authority, he noted, would likely constitute “a violation of contractual agreements with an employer or a service provider.” Dealing with a situation like that through criminal law would be difficult, but the official testified that it should not be off the table if the breach was severe enough.
Business transactions lawyer Samuel C. Berger represents businesses, small business owners, and entrepreneurs in New York City and Northern New Jersey. We offer fixed-fee legal-service packages that help our clients in a wide variety of legal matters. To schedule a confidential consultation with a member of our team, contact us online, at (212) 380-8117, or at (201) 587-1500 today.