The New Computer Abuse and Data Recovery Act: A Business Tool Against Computer Hacking
In reaction to the rampant hacking of business computers and data theft, Florida has passed a new law, the Computer Abuse and Data Recovery Act (CADRA), F.S. §668.801, which establishes new civil violations and monetary recoveries against unauthorized persons who harm or cause damage to business computers or systems that contain business information or data. As of October 1, 2015, a person violates CADRA if they:
knowingly and with intent to cause harm or loss: (1) obtain information from protected computer without authorization and, as a result, cause harm or loss; [or] (2) cause the transmission of a program, code or command to a protected computer without authorization and … cause harm or loss; or (3) traffic in any technological access barrier through which access to a protected computer may be obtained without authorization.1
The harmed business owner can collect an expanded list of statutory damages from the violator. Other than trafficking2 a password (which is called a CADRA “technological access barrier” (TAB)), the violation must be with knowledge and with intent to cause harm or loss. In general, CADRA defines a new statutory intentional tort.
Prior to CADRA, practitioners who sought civil remedies for abuses of computerized data used two primary statutes, Florida’s Computer Crimes Act, F.S. §815.01 et seq., and the Federal Computer Fraud and Abuse Act, 18 U.S.C. §1030 (federal CFAA). Both laws are criminal in nature with an appended civil remedy. Due to the strict construction rule applied to criminal statutes, these statutes have been narrowly construed primarily due to the uncertain meaning of “without authorization.” Although practitioners sometimes used Florida’s Uniform Trade Secrets Act (FUTSA), F.S. §688.001, and Florida’s Civil Remedies for Criminal Practices Act, F.S. §772.101,3 for computer abuses, experience over several decades has not resulted in many favorable outcomes. Essentially, these latter statutes do not specify, in any manner, the operations of a computer system. In contrast, Florida’s Computer Crimes Act has specific statutory language covering unauthorized access to computer data and systems, misuse of data, hacking, password theft, and password hack-ins, but provides a civil remedy only after a conviction.4
Florida-based businesses typically relied upon the Federal CFAA for relief because Florida’s Computer Crimes Act provides a relatively hollow civil action. An injured party “may bring a civil action against any person convicted” under the act.5 Therefore, a criminal conviction must precede the civil action. Civil actions after criminal proceedings are not particularly effective from a monetary perspective or for reasonably quick equitable relief. All violations of Florida’s Computer Crimes Act6 require the accused to act “without authorization.” Florida courts have interpreted “exceeds authorized access” as not necessarily “without authorization” in the criminal context.7
The federal CFAA criminalizes certain computer-related behavior and, if the damage exceeds $5,000, provides a civil remedy for its victims. In 2012, the Ninth Circuit Court of Appeals held that the federal CFAA does not cover a disloyal employee or an insider who takes computer data during his or her employment and uses it in an anticompetitive manner after leaving the company.8 Three months later, the Fourth Circuit Court of Appeals agreed and held that the federal CFAA was not violated unless the employee lacks any authorization to obtain or alter the data when he or she was employed.9 In contrast, the First, Fifth, and Seventh circuits have taken an opposite view and support the concept that a disloyal employee violates the federal CFAA whether he or she uses the data with or without financial gain.10
In 2010, the 11th Circuit in United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), found that a disloyal employee violated the CFAA even though he never used the data for financial gain. The scope of “exceeds authorized access” is unclear as applied in the 11th Circuit Rodriguez case. Florida U.S. district court cases include Lee v. PMSI, Inc., No. 8:10-cv-2904-T-23TBM, 2011 WL 1742028 (M.D. Fla. 2011), in which the district court dismissed an employer’s federal CFAA counterclaim in an employment discrimination action notwithstanding that the plaintiff employee made personal use of the Internet at work by checking Facebook and sending personal emails in violation of company policy. In an unpublished case, Lockheed Martin Corp. v. Speed, No. 6:05 CV 1580 ORL 31, 2006 WL 2683058 (M.D. Fla. 2006), former employees of Lockheed Martin accessed company proprietary information while they were still authorized to do so, then went to a competitor and used the data to win a contract for their new employer, in direct competition with their former employer. The Lockheed court found that, at the time the former employees accessed the computers, they had “authorized access” and, therefore, did not exceed authorized access or violate the CFAA.
Given the deteriorating effectiveness of actions under the CFAA and the “prior conviction” requirement of Florida’s Computer Crimes Act, efforts were made to draft a statutory intentional tort that is now Florida’s Computer Abuse and Data Recovery Act.11
CADRA Violations Defined
CADRA establishes injunctive and monetary relief for business owners against unauthorized persons who harm or cause damage to business computers or systems. The systems and data must be protected by a password or other technological access barrier (TAB). In general, violators must act with knowledge and intent and cause harm or loss.12
The definitions section in CADRA explains the scope and meaning of terms used in the violations section and the remedies section. CADRA defines “harm,” “loss,” “authorized user,” “without authorization,” “technological access barrier” (examples of TABs are passwords, fobs, fingerprints, etc.), “protected computer,” and several other terms in §802. A CADRA civil cause of action is available to an “owner, operator or lessee of the protected computer, or the owner of information stored in the protected computer who uses the information in connection with the operation of a business”13 and provides for both monetary and injunctive relief. Herein, an “owner” refers to a business person or entity that owns or operates a protected computer14 or an owner of business data. Therefore, the “owner” may own or lease the computer hardware system or may be an “owner of information” stored in a protected computer (for example, data or code stored or operating in the Internet cloud or online data storage). “Protected computers” are those that need a user’s TAB to gain access to computer data, program, or code.15 Importantly, CADRA is limited to violations involving protected “business” computers and “business” information.16
CADRA violations permit the owner of a TAB-protected business computer or the owner of business information stored in a protected computer17 to recover “actual damages,” including lost profits, economic damages, and violator’s profits.18 CADRA broadly defines the terms “harm” and “loss.” “Harm means any impairment to the integrity, access, or availability of data, program, system or information.”19 “Loss” is any 1) reasonable cost incurred by the owner “including the reasonable cost of conducting a damage assessment;” 2) “reasonable cost for remediation efforts, such as restoring the data, program, system, or information to the condition it was in before the violation;” 3) economic damages; 4) lost profits; 5) consequential damages, “including the interruption of service;” and 6) profits earned by the violator as a result of the violation.20
All CADRA violations are listed in §803 and require a “harm or loss” except for trafficking in a TAB.21 The remedies in §804 extend to recovery of “actual damages,” including lost profits and economic damages as well as violator’s profits.22 Such monetary remedies are meant to include the items listed in the “harm” and “loss” definitions found in §§802(4) and (5) because all CADRA violations must include a harm or loss except the TAB trafficking violation.23
In addition to monetary remedies, CADRA also permits the owner to “obtain injunctive or other equitable relief…to prevent a future [CADRA] violation.”24 Also, an important new CADRA remedy permits the owner “to recover the misappropriated information, program, or code and all copies thereof, that are subject to the violation.”25 These two equitable remedies, an injunction to prevent future violations and the recovery of the original and all copies of misappropriated information or code, are oftentimes critically important to preserve the integrity and the value of the misappropriated digital information or program. Although practitioners have utilized Florida’s Uniform Trade Secret Act (FUTSA),26 in order to obtain remedies similar to CADRA’s injunction and return of the original and “all copies,” a FUTSA plaintiff is required to establish that the digital information or program is a trade secret. This additional element of trade secret proof limits the use of FUTSA in connection with computer data theft because the value of digital information is difficult to establish “at the time of taking.” Its value sometimes quickly diminishes over time, and competitors can quickly amass similar troves of data independent of the owner due to high-speed processing and massive data storage systems. Further, the purloined data or program can be easily stored, concealed, and then quickly transferred without authority of the owner. CADRA’s remedy, to recover the original “and all copies thereof,” is a new remedy that goes beyond the classic remedies available to plaintiffs.
In addition to damages and equitable relief, the owner of a business system or business information can obtain reasonable attorneys’ fees for any violation.27 The recovery of fees is equally available to a defendant who successfully defeats an alleged CADRA violation under the prevailing party rule.28 CADRA’s remedies are in addition to remedies otherwise available under state or federal law.29 A final judgment or decree in favor of the state in a criminal proceeding under Florida’s Computer Crimes Act30 estops the defendant as to all matters to which the judgment or decree would be an estoppel if the CADRA plaintiff had been a party to the previous criminal action.31
With or Without Authorization
It is a §803 violation to knowingly and with intent to cause harm or loss 1) obtain information from a protected business computer and cause harm or loss; 2) transmit a program or code without authorization and, as a result, cause harm or loss; or 3) traffic in a TAB.32 All §803 violations require action without authorization. CADRA defines “without authorization” as accessing a protected computer by a person who 1) is not an authorized user;33 2) has stolen a TAB of an authorized user; or 3) “circumvented a technological access barrier on a protected computer without the express or implied permission of the owner…[but] [t]he term does not include circumventing a technological measure that does not effectively control access to the protected computer or the information stored in the protected computer.”34
CADRA defines an “authorized user” in §802(1) as a “director, officer, employee, third party agent, contractor, or consultant of the owner…[who] is given express permission by the owner…to access the protected computer through a [TAB].”35 These directors, officers, employees, third-party agents etc., are referred to herein as “DOE3.” Therefore, an authorized user is any DOE3 who “is given express permission by the owner…to access the protected computer through a [TAB].”36
A TAB is defined as any password, security code, key fob, access device, or similar measure,37 and the definition broadly covers biometric identifiers (fingerprints, retina scans, etc.) and hardware security devices, such as keys or tokens. “Without authorization” is defined in §802(9) as a person who 1) “is not an authorized user”; 2) “has stolen a…[TAB] of an authorized user”; or 3) “circumvents a…[TAB] on a protected computer without the express or implied permission of the owner.”38 There is a slight differentiation between the definition of “without authorization” and “authorized user” since an authorized user is a DOE3 who is given “express permission by the owner” whereas a person “without authorization” is one who is “not an authorized user” or, alternatively, is one who “circumvent[s] a…[TAB] on a protected computer without the express or implied permission of the owner.”39
An “authorized user” loses CADRA authorization if he or she “is terminated upon revocation by the owner” or “upon cessation of employment, affiliation or agency with the owner.”40 Therefore, DOE3s are provided a safe harbor if they are given express permission by the owner of the business computer system or the owner of business information. However, that safe harbor closes under CADRA §802(1) when the owner terminates the DOE3 or upon cessation of the employment, affiliation, or agency.
CADRA’s “without authorization” definition in §802(9)(c) is broader than those who are “not an authorized user”41 because CADRA discusses circumventing a TAB “without the express or implied permission of the owner.” Circumventing includes guessing a TAB or password, stealing a password, or surreptitiously discovering a TAB from an authorized user.42 Also there may be times when an owner permits limited use of a password by a DOE3 on a temporary basis in order to accomplish a certain business objective. As an example of “implied permission,” a manager may give a subordinate limited access to financial records to accomplish a certain transaction (pay a bill) when the manager is out of the office and cannot access the owner’s computer or financial information (the banking data being protected business data). However, after that limited implied permission for the specific business event ends (the bill has been paid), the implied use of the TAB is withdrawn. The terms “circumvent” and “express or implied permission” in CADRA are meant to cover event-driven and temporal situations.
The term “circumvent” is limited because “[t]he term does not include circumventing a technological measure that does not effectively control access to the protected computer or the information stored in the protected computer.”43 Unfortunately, some businesses use TABs or passwords that are not genuine security codes recognized in the computer industry. For example, passwords such as “1234” or “admin” or “password” are widely recognized in the computer industry as not being effective access or security controls for computer data or computer systems.44
Certain activities by law enforcement agencies and governmental actors are excluded from CADRA, such as “any lawfully authorized investigative, protective, or intelligence activities of any law enforcement agencies, regulatory agencies, or political sub-division of this state, and any other state, the United States, or any foreign country.”45 CADRA does not impose liability on a provider of an interactive computer service or an information service defined under federal law, or a communication service defined under F.S. §202.11.46 These providers have immunity under CADRA “if the provider provides the transmission, storage, or caching of electronic communications or messages of a person other than the provider, related telecommunications or commercial mobile radio services, or content provided by a person other than the provider.”47 In this manner, if these providers of interactive computer services, information services, or communications services inadvertently inject a virus or program into the business owner’s computer system or information, the provider does not violate CADRA. Further, such acts do not violate CADRA because, other than trafficking, all CADRA violations are limited to those who “knowingly and with intent to cause harm or loss” engage in the prohibited act and cause harm or loss to the protected computer. Trafficking in a TAB is a violation that does not require a harm or loss.48 CADRA’s exclusion of interactive computer services or information services or communication services provides a safe harbor for these providers.49
In summary, business owners who suffer harm or loss by hackers, hacking events, data theft, or TAB thieves now have a civil remedy for damages and can, with an injunction, retrieve the original and all copies of the misappropriated code or information under CADRA. The act was effective October 1, 2015. Violations of CADRA must be brought within three years “after the violation occurred or within three years after the violation was discovered or should have been discovered with due diligence.”50
1 Fla. Stat. §668.803.
2 Defined at Fla. Stat. §668.802(8).
3 See particularly Fla. Stat. §772.11.
4 Fla. Stat. §815.06.
6 Fla. Stat. §815.01.
7 In Gallagher v. State, 618 So. 2d 757 (Fla. 4th DCA 1993), which was heard before the Computer Crimes Act was amended to limit civil recovery post-conviction, the court looked to the Federal legislative history of Federal CFAA §1030 and found support that the federal statute at that time was not meant to cover “exceeds authorized access” and concluded that the Florida statute should not either. In Garcia v. State of Florida, No. 3D02-3285 (Fla. 3d DCA 2006), the court did not reach the authorization issue but chose to define “modify” very narrowly, avoiding violation. In Armando Miguel Rodriguez v. State, 956 So. 2d 1226 (Fla. 4th DCA 2007), the court specifically differentiated “authorized access” from “exceeds authorized access” and found the fact that the Florida Legislature chose to narrow the statute by adding the “within the scope of…lawful employment” exclusion and not adding “exceeds authorization” as a new violation when the federal statute did, as conclusive evidence that the Florida Legislature did not intend §815.06 to apply to “exceeds authorized access.”
8 U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc).
9 WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) (after resigning, the ex-employee used the data taken prior to his resignation in an anti-competitive manner).
10 Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006) (after resigning, the ex-employee used the data in an anti-competitive manner and violated the act); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 578-79 (1st Cir. 2001) (an employment agreement establishes the parameters of unauthorized access); and United States v. John, 597 F.3d 263 (5th Cir. 2010) (disloyal employee violated statute even though she rightfully had access to the computer data, but then gave the data to cohorts who incurred fraudulent credit card charges). For a more in-depth analysis, see Robert Kain, Federal Computer Fraud and Abuse Act: Employee Hacking Legal in California and Virginia, but Illegal in Miami, Dallas, Chicago, and Boston, 87 Fla. B. J. 36 (Jan. 2013).
11 The disparate meaning of without “authorized access” by the federal appeals courts since 2012 resulted in The Florida Bar Business Law Section forming a CADRA Task Force that drafted earlier versions of the act. The task force included members of the Computer Law and Technology Committee, the Intellectual Property Committee, and the Business Litigation Committee. Author Robert Kain was the task force leader and helped shepherd CADRA through the Florida Legislature. Kain testified before the House Civil Justice Committee in favor of CADRA and worked with Sen. Hukill and Rep. Spano who introduced CADRA in the Senate and the House.
12 See Fla. Stat. §668.803, Violations Section (herein §803).
13 Fla. Stat. §668.803.
14 The terms “business” and “protected computer” are defined in Fla. Stat. §§668.802(3) and (6).
15 Fla. Stat. §668.802(6).
16 CADRA’s scope is specifically limited to business events. See Fla. Stat. §§668.801(1) and (2) (the statutory purpose is to safeguard businesses from harm); Fla. Stat. §668.802(2) (defining “business”); Fla. Stat. §668.802(6) (defining “protected computer” as one used in business); Fla. Stat. §668.803 (CADRA violations involve “the operation of a business”).
17 CADRA recognizes that many businesses rent space on virtual computer servers and systems or monthly lease cloud-based computer storage and processing services. Therefore, the owner of TAB-protected business information in a cloud computer system can use CADRA to protect his or her data and programs.
18 Fla. Stat. §§668.804(1)(a) and (b).
19 Fla. Stat. §668.802(4).
20 Fla. Stat. §§668.802(5)(a) through (e).
21 Trafficking does not require harm or loss to the owner. See Fla. Stat. §668.803(3).
22 Fla. Stat. §§668.804(1)(a) and (b).
23 Fla. Stat. §668.802.
24 Fla. Stat. §668.804(1)(c).
25 Fla. Stat. §668.804(1)(d).
26 Fla. Stat. §688.001.
27 Fla. Stat. §668.804(2).
29 Fla. Stat. §668.804(3).
30 Fla. Stat. §815.001.
31 Fla. Stat. §668.804(4).
32 Fla. Stat. §668.803.
33 Defined at Fla. Stat. §668.802(1).
34 Fla. Stat. §§668.802(9)(a),(b), and (c).
35 Fla. Stat. §668.802(1).
37 Fla. Stat. §668.802(7).
38 Fla. Stat. §668.802(9).
39 Fla. Stat. §668.802(9)(c).
40 Fla. Stat. §668.802(1).
41 Fla. Stat. §668.802(9)(a).
42 For example, an errant employee may “shoulder surf” and look over an authorized employee’s body and surreptitiously discover the latter’s TAB or password. In this manner, the errant employee has circumvented the system’s TAB if harm or loss is caused by use of the discovered TAB. CADRA has been violated.
43 Fla. Stat. §668.802(9)(c).
44 This limitation on circumventing a TAB is generally discussed in the Electronic Frontier Foundation’s (EFF) proposed amendments to the Federal Computer Fraud and Abuse Act, 18 U.S.C. §1030 (CFAA). EFF’s proposed amendments to the CFAA were called Aaron’s Law and introduced by Rep. Lofgren and Rep. Sensenbrenner in June 2013. See Electronic Frontier Foundation, Computer Fraud and Abuse Act Reform, http://www.eff.org/issues/CFAA.
45 Fla. Stat. §668.805.
46 47 U.S.C. §230(f); 47 U.S.C. §153; Fla. Stat. §202.11.
47 Fla. Stat. §668.805.
48 Fla. Stat. §668.803(3).
49 Fla. Stat. §668.803.
50 Fla. Stat. §668.804(5).
Robert C. Kain is a board certified intellectual property attorney with the South Florida law firm of Kain Spielman, P.A. He is currently chair of the Computer and Technology Law Committee of the Business Law Section and was chair of the CADRA Task Force. He is a registered patent attorney and handles all aspects of the law related to clients’ I.P. rights including registrations, licensing, and litigation throughout the U.S. He also actively registers and enforces I.P. rights in foreign countries.
This column is submitted on behalf of the Business Law Section, Alan Howard, chair, and Stephanie C. Lieb, editor.