The Computer Fraud and Abuse Act of 1986 (“CFAA”), codified as United States Code Title 18 Section 1030, is probably best known as the primary federal law governing cybercrime in the United States today. However, the CFAA also provides for civil remedies, which some companies have seen as an way to recover monetary damages for suffered losses from data breaches or cyberattacks that the government is either unwilling or unable to prosecute due to the explosion of cybercrime in recent years. For CFAA cases pursued as civil matters, mediation can be an effective tool for resolving disputes, saving the parties time and money in a way that gets to the heart of the technical issues.
What is the CFAA?
At a high level, the CFAA prohibits unauthorized access of protected computer systems and the distribution, theft, or damage of information from a computer or network. The CFAA also includes provisions prohibiting other computer related offenses such as computer espionage, trafficking in passwords, and transmitting malicious code.
Notably, the CFAA also allows individuals to bring civil actions for violations of the CFAA. Pursuant to Section 1030(g) of the CFAA, “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” The CFAA limits the right of a private individual to bring a civil action only where the violation: (1) modifies or impairs medical examination, diagnosis, treatment or care of a person or persons; (2) causes physical injury to any person; (3) causes a threat to public health or safety; or (4) causes “loss” to one or more persons during any one-year period aggregating at least $5,000 in value.
This gives entities that have been the victim of cybersecurity breaches a useful tool in situations where law enforcement does not pursue the matter. There are also advantages for the plaintiff as the “preponderance of evidence” standard of civil cases is much lower than the “beyond a reasonable doubt” standard of criminal cases.