Earlier in January, I reported that Congresswoman Lofgren has proposed amending the Computer Fraud and Abuse Act ("CFAA") in response to the prosecution and subsequent suicide of Aaron Swartz and the JSTOR academic documents hacking, and in response to criticism that the preexisting law is both vague and outdated.
According to Professor Orin Kerr, the bill currently pending before the House Judiciary Committee is "mostly copied from a bill that Senator Leahy offered (with substantial input from DOJ, as I understand it) back in November 2011." Also, I tip my hat to both Paul Rosenzweig and Peter Toren for providing analysis (on their respective blogs) on the proposed bill (which saved me a great deal of time in comparing the extant bill and the proposed bill line-by-line).
The proposed bill would, among other things:
- . . . increase maximum statutory penalties (both imprisonment and fines). The difficulty with this is that it is illusory: Under the current CFAA, there are reportedly no cases where a judge has sentenced a defendant to the maximum statutory sentence. Moreover, defendants in the federal courts are sentenced pursuant to the Federal Sentencing Guidelines, which take into account a variety of discretionary factors. Some commentators believe either Congress is unaware of the current sentencing practices under the CFAA, or it is considering increasing the statutory maximum merely to send the message that it takes computer crime seriously. An alternative view is that increasing the maximum sentence lowers the cost of prosecution by providing the prosecution with a stronger lever in plea bargaining. See Frank Easterbrook, Criminal Procedure as a Market System, Journal of Legal Studies 12 (1983).
- . . . make a felony any violation of 18 U.S.C. § 1030(a)(2) (“exceed[ing] authorized access, and thereby obtain . . . information from any protected computer”). Presently, Section 1030(a)(2) is a felony crime only where (1) “the offense was committed for purposes of commercial advantage or private financial gain,” (2) “the offense was committed in furtherance of any criminal or tortious act,” or (3) “the value of the information obtained exceeds $5,000.” This is significant because federal prosecutors almost never charge misdemeanors, which they see as minor crimes. Rather, they charge felonies, perceived as “real” crimes. Therefore, making an 18 U.S.C. § 1030(a)(2) violation a 3-year felony is likely to result in a marked increase in CFAA prosecutions. One legal scholar opined, “by making conduct that previously only could be prosecuted as a misdemeanor crime into a felony crime, the draft bill would create a far greater incentive to charge a defendant with a ‘garden variety’ CFAA crime.”
- . . . amend 18 U.S.C. § 1030(a)(2) to apply where the defendant “exceed[ed] authorized access” and obtained information, and the offense: (1) “involves information that exceeds $5,000 in value”; (2) was committed for purposes of obtaining “sensitive or non-public information of an entity or another individual,” including “medical records, wills, diaries, private correspondence … photographs of a sensitive and private nature, trade secrets, or sensitive or non-public commercial business information”; (3) was committed in furtherance of any federal or state crime; or (4) involves information obtained from a computer used by or for a government entity.
- Currently, the wrongful taking of trade secrets, for example, does not, by itself, fit within "damage" or "loss" under the CFAA. See, e.g., Lockheed Martin Corp. v. Speed, 2006 U.S. Dist. LEXIS 53108, 8 (M.D. Fla. Aug. 1, 2006). The CFAA currently defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information[.]" 18 U.S.C. § 1030(e)(8). The CFAA defines "loss" as any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. 18 U.S.C.S. § 1030(e)(11).
- The inclusion of “trade secrets or non-public commercial business information” in the definition of covered information may cause problems. Neither term is defined in the draft, but “non-public commercial business information” is much broader than “trade secrets,” which is well-defined under the Uniform Trade Secrets Act, inter alia. Under the draft bill, the Government would be able to charge a felony for obtaining “non-public commercial business information” although the information does not rise to the level of a trade secret. Prosecutors would be able to charge a felony for theft of trade secrets without having to prove intent to convert the trade secret, as currently required by the Economic Espionage Act.
- Several scholars have taken exception to the description of what type of acts would constitute “exceeding authorized access.” The bill would criminalize obtaining information from a computer where the offense “involves information that exceeds $5,000 in value” [emphasis added], whereas the current version of § 1030(a)(2) concerns obtaining information where “the value of the information obtained exceeds $5,000.” It is not clear whether the use of the word “involves,” rather than “obtained,” in the draft bill was intentional, but it is likely to lead to statutory construction problems since it is unclear what it means for an offense to “involve” a type of information.
- The definition of the phrase “exceed authorized access” is not limited by the draft bill, whereas the CFAA currently defines this phrase as “to access a computer without authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter,” the ambiguity of which has led to a Circuit split over what it means for an employee to access an employer’s computer system in excess of authorization. The 1st, 5th, 7th, and 11th Circuits have concluded that an employee or former employee accessing an employer’s computer with the intent to misappropriate the information exceeds authorization even if the employee had the right to access the information at the time, whereas the 4th and 9th Circuits have concluded that the statute is violated only when initial access or access of certain information is not authorized ab initio, and the statute was enacted to penalize unauthorized procurement or alteration of information rather than misuse. This draft is the perfect opportunity to resolve this ambiguity.
- . . . broaden the type of property subject to criminal or civil forfeiture.
- . . . make violations of the CFAA predicate acts for a RICO criminal charge. Thus, if one engages in two or more instances of CFAA violations, he or she may be charged with engaging in a pattern of racketeering, subject to substantial additional criminal penalties.
- . . . create a new section that would impose a maximum 30-year sentence without eligibility for probation for one who attempts to cause damage or inflict damage on a computer that powers critical infrastructure.
- . . . require companies and other “covered entities” that acquire, store or use personal information to report a security breach to their customers within 14 days, subject to certain law enforcement or national security exceptions. Third parties and service providers would also be required to notify a covered entity about a breach, which would then be required to notify its customers. Also, a company must notify federal law enforcement within 72 hours of a “major security breach” (defined as a security breach in which it is “reasonably believed” that the “means of identification” of 10,000 or more individuals have been obtained. “Means of identification” is defined by reference to 18 U.S.C. § 1028, which defines the phrase as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual”). The section provides for a civil penalty of not more than $500,000 for a violation, and a maximum penalty of $1,000,000 where the violation is “intentional.” It also does not provide for a private cause of action and expressly preempts state law.
The bill is harshly opposed by EFF (here). Because I prefer to present both sides, I did spend a few minutes conducting Internet searches for supporters of this draft, but haven't found any just yet.