Employees who use corporate- or government-issued digital devices to check sports scores or publish personal social media posts are technically in violation of the Computer Fraud and Abuse Act (CFFA) as it is currently written, underscoring the need to reform and clarify the law, according to an article published in recognition of the act's 30th anniversary.
The CFFA was created in 1986 to defend government assets, financial institutions and interstate commerce against computer-based fraud. But in a Law360 article published earlier this month, Peter J. Toren, partner at Washington, D.C., law firm Weisbrod Matteis & Copley PLLC, argued that the law remains dangerously vague and therefore vulnerable to prosecutorial over-reach.
At the crux of the debate is how to interpret whether or not an accused party's digital action meets the benchmark for “exceeding authorized access,” making it a violation of the CFAA. Unfortunately, U.S. federal courts are split on the issue, with some Circuits ruling that a defendant's intent must be factored into the judgment, while others have proclaimed that only the act itself is relevant.
While posting a cat video on Facebook could theoretically be interpreted as a draconian or pedantic CFAA violation, Toren told SCMagazine.com in an interview that a criminal case involving such circumstances are extremely unlikely. On the other hand, he said, employees who migrate digital assets from their former companies when transitioning from one job to another could realistically be the target of CFAA-based civil action, depending on which federal circuit court has jurisdiction over that region.
“The problem is: at what point is the line crossed?” said Toren. “Because the whole idea of criminal law is that people have to be put on notice and have an understanding of what is criminal and what isn't criminal.”