By Robert Milligan and Joshua Salinas
In connection with proposed Congressional amendments to the federal Computer Fraud and Abuse Act (CFAA), on November 15, 2011, Department of Justice Deputy Chief Richard W. Downing (Computer Crime and Intellectual Property Section) emphasized the importance of an expansive CFAA before the House Committee on the Judiciary and came out against attempts by critics of the CFAA to restrict employers’ ability to use the CFAA against employees who steal company data in violation of company computer usage policies. The Department of Justice prepared a statement in advance of Mr. Downing’s live testimony.
Mr. Downing stressed that a restrictive reading of the CFAA would make it difficult or impossible to deter and address serious insider threats, including threats by rogue employees working for competitors to steal their employers’ data. Technology has become so pervasive that nearly every employee is required to access database with large amounts of information. Mr. Downing highlighted the importance of protecting the nation’s economic security and not just national security. Indeed, businesses should have confidence that their confidential, proprietary, and/or trade secret information is protected.
Mr. Downing provided several examples in which a restrictive reading of “exceeds authorized access” would allow violators to escape any liability for their wrongdoings. For example, in 2006 a contract systems administrator for a medical services provider used his authorized computer access to download thousands of employee names and social security numbers. See United States v. Salum, 578 F. 3d 682 (7th Cir. 2009). In 2008, nine employees of Vangent, Inc. used their authorized computer access to obtain and disclose loan records and confidential information regarding President Obama and other well known political figures, celebrities, and sports figures. A restrictive reading of the CFAA would not only hurt employers, but would also hurt the public and customers whose information is often the subject of data theft.
Mr. Downing highlighted that the use of employer agreements and internal computer usage policies are routinely used for prosecuting offenders in such cases. Mr. Downing reiterated the Department of Justice’s growing concern that advancements in computer technology have increased the vulnerability of businesses which rely on trade secret, confidential, and/or proprietary information. In the age of Wikileaks, Facebook, Twitter, and rapidly evolving social media, employees are able to leak company information to the entire world in only a matter of minutes. Mr. Downing and the Department of Justice support the ability of companies to be proactive and clearly communicate the restrictions on computer usage to employees and hold them accountable in civil and criminal court for violations of such policies. Restricting the CFAA to only hackers (rather than insiders) through proposed amendments to the CFAA would provide employees a license to steal company data and weaken a company’s defenses in protecting its data.