Who says D.C. is completely gridlocked?
The CFAA is a hybrid criminal-civil law, passed originally as a purely anti-hacker criminal statute, which prohibits wrongful access to computers. It has been used with varying success by employers to deal with internal data breaches and misappropriation by employees.
This bipartisan tweak to the CFAA would specify that each instance of “unauthorized access” (the lynchpin of liability under the CFAA) of a cloud computing account is a separate offense. Loss is presumed to be the greater of the value of the loss of use or information, or a minimum of $500 multiplied by the number of cloud computing accounts accessed.
A “cloud computing account” is defined as information stored on a cloud computing service that requires a password and is attributable to an individual. A “cloud computing service” means a service that enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service.
Critics of the bill may argue the CFAA is already incoherent due to repetitive amendments that have not kept up with advances in technology, and that the bill’s definitions of the “cloud” are weak and overreaching. Nonetheless, this close to an election, the bill may be unlikely to pass.
Regardless of the fate of this particular bill, employers who encounter misappropriation of proprietary or confidential information by disloyal employees authorized to access the employer’s information resources should not expect clarity or comprehensive assistance from federal law or courts in the near future. The CFAA is not as flexible as state trade secret statutes or common law, and the U.S. Supreme Court has yet to resolve the split of opinion among the federal appellate courts concerning whether the CFAA applies to inside employee misappropriation.