COMMENTARY ON LAW AND TECHNOLOGY

Human Errors and the Computer Fraud and Abuse Act (CFAA)

14-Mar-2018

Humans and computers are alike in at least one sense –both could malfunction or be compromised. On Feb. 28th, the U.S. Marine Forces Reserve announced a data breach affecting thousands of marines, sailors and civilians, putting their identities at risk,as sensitive personal information like truncated social security numbers was leaked.The investigation showed that there was no malicious intent involved and the data breach was indeed a result of human error. An email containing the unencrypted confidential information had accidentally been sent to a wrong e-mail distribution list.But data breaches are not always accidental. Besides being duped into making unintentional disclosures, people are often tricked into giving up valuable information by scammers, and these hustles are referred to as “social engineering” or “phishing” in the cyber security world.

The 2013 Target data breach case was one such example. The case was finally settled last year, and the retail company ended up paying $18.5 million in fines for the breach of 43 million records of payment card information. The Target incident started from a phishing email sent to a third-party vendor of Target. Through that vendor, the attackers gained the login credentials of Target,and subsequently obtained unrestricted access to the confidential information of Target’s customers.

Activities like phishing are not entirely new to the law. We had them before the Internet era, and they fit the criteria for common law fraud. Fraud occurs when there is a false representation which is intended to deceive another and which causes that person to act resulting in an injury.

Phishing can possibly fit into this legal definition of fraud. But phishing and fraud potentially differ when it comes to the injury. If someone deceives you into giving them your car, you have been injured by the loss of physical property. You have no car. But there is no exclusivity for information. If you receive a phishing email that links you to a fake website designed to capture your login information, and you enter your login information, have you been injured? You can still use your login information. It’s just that now they can use it too. So when does the injury occur? Is the act of deception the injury? Does the injury occur when the perpetrator actually uses the password? Or is the injury the act of using the password plus an action that brings the perpetrator some sort of illicit personal benefit, such as stolen credit card information?

The Computer Fraud and Abuse Act is the main federal cyber crime law. One of the crimes created by the CFAA requires acting with the intent to defraud and obtaining something of value from a computer that the perpetrator lacked the authority to access. The federal court of appeals in the Ninth Circuit has said that if a person’s authorization to access a computer is taken away, they cannot circumvent that access by using someone else’s password. Presumably this reasoning would also apply to phishing, where the perpetrator had no authorization to begin with. Covering phishing under the CFAA has the same problem as viewing phishing as regular fraud, though the CFAA does state that the injury occurs when the fraudulent behavior results in the access of a protected computer without authorization or in excess of authorization.

Still, one of the major uncertainties about cyber crime is that it is unclear when the injury occurs. A data breach victim may feel uneasy upon learning that their information was stolen. Administrative staff may get nervous about keeping their job if they accidentally fall for a phishing scam. The nature of cyber crime is one reason why the CFAA needs to be amended to take modern concerns and injuries into account.

I’m Jay Kesan.