In today’s data-driven world, the 1980s-era Computer Fraud and Abuse Act (CFAA) continues to be an important legal tool in a company’s toolbox, alongside technical and procedural controls, to protect itself and its electronic infrastructure from unauthorized users and theft. But as computing increasingly shifts from on-premises solutions, servers and mainframes to cloud-based solutions, companies may need to consider how the CFAA fits into their toolbox and their electronic infrastructure.
Why it matters: The shift to cloud-based computing brings benefits and risk. Two district courts recently have split over what constitutes a computer under the CFAA, and if the narrower reading of a computer were adopted widely, it may alter the approach to the factual development of CFAA claims in the modern era.
Enacted in 1986 and inspired in part by the movie “WarGames,” the CFAA prohibits unauthorized access to protected computers and other access that exceeds what is authorized. Applying the CFAA to modern computing has been a challenge. For example, one issue recently revisited by courts has been the fit between how the CFAA defines the term “computer” and current computing and infrastructure design. Under the CFAA, a “computer” is “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device” (18 U.S.C. § 1030(e)(1)). Is a web-based data storage solution a computer? What about a virtual desktop run on an employee’s BYOD device? In the past two months, starting with that definition and a 2018 Northern District of Illinois decision (Hill v. Lynn), two district courts reached opposite conclusions.
In March, in Abu v. Dickson, a judge in the Eastern District of Michigan determined that a cloud-based email account qualified as a “computer” under the CFAA, based on the weight of authority and the statutory definition’s inclusion of the term “data storage facility.”
Yet in February, in Graham Engineering Corp. v. Adair, a judge in the Middle District of Pennsylvania determined that the cloud-based SharePoint platform—which, like cloud-based email, is an online data storage facility—was not a “computer” because, to that court, it lacks the physical characteristics of a computer. In doing so, that court rejected the idea that the CFAA protects against unauthorized access to web-based accounts.
These decisions are recent examples of this confusion. Both Abu and Graham Engineering begin with Hill and diverge from there, citing a number of recent decisions. The courts of appeal may resolve the issue, but until then, these decisions highlight the importance of tying back the system at issue to the statutory definition of a computer.