Employees who use corporate- orgovernment-issued digital devices to check sports scores or publish personalsocial media posts are technically in violation of the Computer Fraud and Abuse Act(CFFA) as it is currently written, underscoring the need to reform and clarify the law, according to an article published inrecognition of the act's 30th anniversary.
The CFFA was created in 1986 to defendgovernment assets, financial institutions and interstate commerce againstcomputer-based fraud. But in a Law360article published earlier this month, Peter J. Toren, partner at Washington, D.C., law firm Weisbrod Matteis & Copley PLLC, argued that the law remainsdangerously vague and therefore vulnerable to prosecutorial over-reach.
At the crux of the debate is how tointerpret whether or not an accused party's digital action meets the benchmarkfor “exceeding authorized access,” making it a violation of the CFAA. Unfortunately, U.S. federal courts are spliton the issue, with some Circuits ruling that a defendant's intent must befactored into the judgment, while others have proclaimed that only the actitself is relevant.
While posting a cat video on Facebookcould theoretically be interpreted as a draconian or pedantic CFAA violation,Toren told SCMagazine.com in aninterview that a criminal case involving such circumstances are extremelyunlikely. On the other hand, he said, employees who migrate digital assets fromtheir former companies when transitioning from one job to another couldrealistically be the target of CFAA-based civil action, depending on whichfederal circuit court has jurisdiction over that region.
“The problem is: at what point is theline crossed?” said Toren. “Because the whole idea of criminal law is thatpeople have to be put on notice and have an understanding of what is criminaland what isn't criminal.”