Feds focus on damage to computers as basis for Computer Fraud and Abuse Act prosecution

Robinson+Cole Data Privacy + Security Insider
Contact

Last week, a federal judge sentenced Yijia Zhang, a computer systems manager, to 31 months in federal prison for transferring thousands of his employer’s electronic files to European storage sites.  The case highlights the potential power of an overlooked clause of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.

The prosecution was under the “Unauthorized Damage to a Protected Computer” clause of the CFAA, which creates criminal liability for “[w]hoever. . . knowingly causes the transmission of. . . information. . .and as a result. . . intentionally causes damage without authorization, to a protected computer.” 18 U.S.C. § 1030(a)(5)(A) (emphasis added).

In a press release, the U.S. Attorney’s office admitted[1] that it did not have some of the evidence one might expect in a CFAA case.  There was “no evidence that the files had been passed to anyone else,” no evidence “that any of the information had been used to harm the company,” and “no customer information was taken.”  There was, however, evidence of damage to the company’s servers.  When Mr. Zhang allegedly deleted files from a server to cover up his transfer, he “caused the server to stop working and its log files to be overwritten.”

Charging Mr. Zhang for “Damage to a Protected Computer” is a departure from the more widely used CFAA clauses under which the prosecution must prove the employee “knowingly accessed a computer without authorization” or exceeded “authorized access.”  18 U.S.C. § 1030 (a)(1), (a)(2).  As we have reported,[2] it has become harder for prosecutors to prevail in such cases when employers gave employees access to the data.  As those cases get harder to make, you can expect more cases like U.S v. Zhang.

 

[1] http://www.justice.gov/usao-edpa/pr/judge-sentences-defendant-violation-computer-fraud-and-abuse-act

[2] https://www.dataprivacyandsecurityinsider.com/2015/12/computer-fraud-and-abuse-act-update-second-circuit-sides-with-a-narrower-reading-2/

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide