Data Security

Computer Fraud and Abuse Act (CFAA) Revisions on the Way?

Published: Sep. 08, 2011

Updated: Oct. 05, 2020

Calls for an update to the Computer Fraud and Abuse Act (CFAA) were heard on Capitol Hill yesterday, in part because of claims that the CFAA may allow law enforcement agencies to take action against people who violate websites’ terms of service or their employers’ computer use policies, and because of concerns over mandatory minimum sentences.  During the Sept. 7 hearing of the Senate Judiciary Committee, committee chair Sen. Patrick Leahy of Vermont expressed support for strong cybercrime penalties, but he appeared concerned that a mandatory minimum could be abused.  A cybersecurity bill that he intends to have introduced would lack a mandatory minimum.

Senators at the hearing also believe that the law’s definition of illegal access to computers should be tightened up and that the administration’s proposal should reflect this.  The U.S. Department of Justice should use discretion when applying the law, Leahy said during the hearing. “We want you to concentrate on the real cybercrimes, and not the minor things,” he told James Baker, the DOJ’s associate deputy attorney general.  Sen. Al Franken took this to an extreme, saying that under the CFAA, employees could be charged with a crime if they access personal email or check the weather online in violation of their companies’ computer use policies.

Mr. Baker stated that the DOJ has brought cybercrime charges in “a responsible way” but he also voiced concerns that changes to the CFAA may expose U.S. companies or government agencies to more insider threats.  While Sen. Franken raised concerns about nuanced and somewhat extreme scenarios of “exceeding authorized access” (a specifically defined term under the CFAA), Mr. Baker pointed out that attempts to narrow the definition “to disallow prosecutions based upon a violation of contractual agreements with an employer or service provider… would make it difficult or impossible to deter and address serious insider threats through prosecution.”  He went on to state that “[e]mployers should be able to set and communicate access restrictions to employees and contractors with the confidence that the law will protect them when their employees or contractors exceed these restrictions to access data for a wrongful purpose.”

In Mr. Leahy’s written remarks, he stated that “the Committee will consider these proposals and other privacy measures in my comprehensive data privacy and security legislation.”  In light of the numerous bills pending before the current Congress, cybersecurity has certainly become a hot-button issue.  Unfortunately, while bipartisan support appears to exist on the macro-level issues, more work needs to be done when we get down to specific details and granular proposals.