Extraterritorial Application of the Computer Fraud and Abuse Act

“The Computer Fraud and Abuse Act’s potential reach goes beyond U.S. borders and packs a jurisdictional punch that can bring a foreign bad actor into an American court.”

Computer Fraud and Abuse - https://depositphotos.com/2539359/stock-photo-internet-fraud.htmlIntangible assets today make up nearly 84% of enterprise value for companies listed on the S&P 500. This material growth in intellectual property as an asset on U.S. company balance sheets has placed increased demands on the office of General Counsel. Protecting intangible assets against computer theft and pursuing litigation against wrongdoers has become a major and timely concern, especially in the context of an increasingly virtual world due to the global pandemic. A recent brazen and sophisticated computer intrusion into the records of over 145 million Americans launched from computer hackers based in China led to criminal prosecutions under the Computer Fraud and Abuse Act (CFAA). Courts often are willing to extend American law beyond U.S. boundaries when criminal misconduct takes place overseas that injures Americans. The Constitution grants Congress broad powers to enact laws with extraterritorial scope. The Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), is one such statute that provides criminal and civil remedies resulting from unauthorized access to computers used in interstate commerce or communications. And it further provides for extraterritorial jurisdiction for criminal or civil violations of the CFAA. Increasingly, U.S.-based companies have become victims of significant computer misconduct launched from overseas. With the increased widespread use of social media platforms during the Covid-19 pandemic, computer mischief in an effort to gain confidential business information is on the rise.

History of the CFAA

The CFAA was enacted in 1986, in an effort to combat computer crime that mail and wire fraud statutes could not reach. The statute, as first enacted, criminalized unauthorized access to “federal interest” computers. Since “federal interest” under the Act included all instances of interstate computer crime—and virtually all computer use is interstate in nature—it effectively criminalized any unauthorized computer access. Amendments in 1994 quietly added civil remedies and expanded the coverage of the statute to include unauthorized transmissions. Amendments in 1996 changed the phrase “federal interest computer” to “protected computer,” thereby significantly broadening the Act’s reach. (18 U.S.C. § 1030), 174 A.L.R. Fed. 101, 2a (2007).

The CFAA’s expansion into civil litigation led to varied interpretations of the CFAA. And, “courts continue [to] grapple with the specifics of construing and applying particular provisions of the Act” LVRC Holdings L.L.C. v. Brekka, 581 F.3d 1127 (9th Cir. 2009). This struggle to understand the Act’s scope is exacerbated by “new abuses that spring from the misuse of new technology,” which make it difficult to address the computer abuse problems through a traditional framework. In one of the first cases to use the CFAA in conjunction with a state statutory trade secrets theft claim, International Airport Centers v. Citrin, the Seventh Circuit sustained a CFAA claim where a real estate development company employee used his employer’s computers to pilfer confidential development plans for a large scale industrial real estate project on the East Coast. See 18 U.S.C. Sec. 1836 et seq. The court found that at the point the employee began to prepare to leave his employer, his authority to access its computers and information was no longer “authorized”. His subsequent taking of electronic information and efforts to cover his tracks through computer wiping software was sufficient to show the necessary injury to support a claim under the CFAA.

Extraterritoriality

The fact that computer abuse is largely intangible and can be launched from anywhere in the world presents the jurisdictional question whether the CFAA can be applied extraterritorially to prosecute those who perpetrate computer abuse in the United States from a foreign land. In deciding whether a U.S. statute may be applied extraterritorially, courts look to two potential foundations for jurisdiction: first, the jurisdictional basis, “territoriality, nationality, passive personality, universality, or the protective principle”; and second, legislative intent (35 U.C. Davis L. Rev. 267, 282 (2002)). The CFAA can arguably be applied extraterritorially on either foundation. Although case law here is sparse, a Connecticut district court concluded that it had jurisdiction to hear a claim against a Russian national under the Act. The court found “. . . first, because the intended and actual detrimental effects of [the defendant’s] actions in Russia occurred within the United States, and second, because each of the statutes under which [he] was charged with a substantive offense were intended by Congress to apply extraterritorially” United States v. Ivanov, 175 F. Supp. 2d 367, 370 (D. Conn. 2001).

This first reason encompasses passive personality and protective basis for international jurisdiction. The second relies upon the legislative intent behind the 1996 amendments to the Act. Notably, the amendments changed “the definition of ‘protected computer’ so that it included any computer ‘which is used in interstate or foreign commerce or communication.’”  The Connecticut court concluded that “Congress has clearly manifested its intent to apply § 1030 to computers used in interstate or in foreign commerce,” reasoning that “[i]n order for the word ‘foreign’ to have meaning, and not be superfluous, it must mean something other than ‘interstate[,]’ . . . [so] ‘foreign’ in this context must mean international.”

Even if the international jurisdictional basis and the legislative intent behind the 1996 amendments do not provide a justification for applying the CFAA extraterritorially, the Patriot Act may provide jurisdiction. The Patriot Act amended the CFAA with a change in the definition of “protected computer.” The Patriot Act modified a “protected computer” to include “a computer which is used in interstate or foreign commerce or communication” and the words “including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” The Patriot Act thus expanded the definition of “protected computer” under the CFAA to “expressly include computers located outside the United States.”

Packing a Punch

The CFAA’s potential reach goes beyond U.S. borders and packs a jurisdictional punch that can bring a foreign bad actor into an American court. Thus, a computer hacker outside the U.S. who causes injury here is likely not immune from a civil or criminal action. Most recently, videoconferencing applications that have become de facto communication platforms for the Coronavirus era—have become weaponized by foreign nationals and employed for shocking imagery, racial epithets and profanity to derail video conferences taking place in the U.S. and abroad. The frequency and reach of videoconferencing hacking has prompted the FBI to issue a warning stating that it had “received multiple reports of conferences being disrupted by pornographic or hate images and threatening language” nationwide. An analysis by The New York Times, Zoombombing Becomes a Dangerous Organized Effort,” found at least 153 Instagram accounts, dozens of Twitter accounts and private chats, and several active message boards on Reddit and 4Chan where thousands of people had gathered to organize harassment campaigns, sharing meeting passwords and plans for sowing chaos in public and private meetings. This recent activity is on top of a few years of concerted computer espionage campaigns against American business from foreign actors.

Foreign based hackers often freelance for companies competing against U.S. corporations. With the recent massive shift to online communication platforms for day-to-day business operations, and almost all American businesses now operating in a digital world, U.S. business is exposed more than ever to off-shore computer competitive threats. The CFAA’s international jurisdictional reach is rarely considered in a civil context and may provide one avenue of relief against foreign competitors taking unfair aim at American businesses.

Image Source: Deposit Photos
Copyright: Author SkyNet
Image ID: 2539359 

The Author

William Kane

William Kane is a partner in the Business Trials practice group in Sheppard, Mullin, Richter & Hampton’s Chicago office.

For more information or to contact William, please visit his Firm Profile Page.

William Kane

Melissa Mikail is an associate in the Business Trials practice group in Sheppard Mullins' Century City office.

For more information or to contact Melissa, please visit her Firm Profile Page.

Warning & Disclaimer: The pages, articles and comments on IPWatchdog.com do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author and should not be attributed to the author’s employer, clients or the sponsors of IPWatchdog.com. Read more.

Discuss this

There are currently No Comments comments.