On October 7, 2015, former Tribune Company employee Matthew Keys was convicted of three felonies stemming in part from assistance he provided to the hacking collective Anonymous to alter content on the LA Times’ website. According to federal prosecutors, two months after being fired by the Tribune Company, Keys took a series of actions aimed at disrupting his former employer’s data systems (Keys worked at a television station owned by the Tribune Company, which also owns the LA Times). Specifically, Keys altered access credentials of other employees, obtained emails of television viewers, and sent those viewers disparaging emails about the company. In addition, Keys provided Tribune Company server login credentials to members of Anonymous and asked Anonymous to disrupt the company’s websites. A subsequent “hack” by Anonymous members altered content on the LA Times’ website and forced the newspaper to shut down the website for a day. Keys was convicted under the Computer Fraud and Abuse Act (“CFAA”) and faces a combined maximum sentence of 25 years in prison and fines of up to $750,000.
The CFAA prohibits individuals from intentionally taking or aiding in any action that causes damage “without authorization to a protected computer,” provided that the government can prove that a defendant’s actions caused more than $5,000 worth of damages. In the Keys case, the government successfully alleged that the Tribune Company spent more than $900,000 conducting a damage assessment relating to the unauthorized access and restoring its system to its prior condition.
This case demonstrates that hackers and cyber-vandals face criminal prosecution and serious penalties for their actions, and that the Department of Justice is willing to pursue cases against individuals. Nevertheless, criticism of the government’s prosecution and conviction of Keys has begun, with some commentators arguing that the harm caused by Keys’ actions was relatively minor when compared to the lengthy jail time and financial penalties he faces at sentencing. Businesses, however, may take comfort in the lengths the government was willing to go to prosecute violations of the CFAA, and that such aggressive application of the statute could deter similar conduct in the future.