Congressman Sues Opponent, Claims Computer Fraud and Abuse Act Violation

September 26, 2016

LAW hammer on computer folder. 3D Icon isolated on white backgroRepresentative Mike Honda of California has sued his campaign opponent alleging violations of the federal Computer Fraud and Abuse Act (CFAA).  The CFAA provides for both criminal and civil actions.  Although we often focus on the criminal prosecutions under the CFAA, this case illustrates its important impact on civil law disputes, as well, in the context of cybersecurity breaches.

Congressman Honda represents much of Silicon Valley in Congress.  He alleges that his opponent’s former campaign manager accessed donor lists from previous Honda campaigns through the Dropbox account of a fundraising company without appropriate authorization.

Matsuura Blakeley BannerHonda’s complaint in federal district court in California contends that the campaign manager previously worked for a political fundraising company.  After that working relationship ended, Honda alleges that the campaign manager continued to access the company’s digital files, including the Dropbox account containing a list of Honda campaign donors.

Honda claims that the donor information was confidential and highly sensitive material.  Access to that information by his opponent’s campaign manager was, according to Honda, extremely harmful to his political efforts.

This dispute highlights the scope of the CFAA.  The law provides for criminal prosecution as a result of unauthorized access to computers and computer networks.  It also permits parties to raise civil claims, as well.  Civil action under the CFAA is now a popular tool in response to cyber breaches.

This case will likely also underscore the issues associated with termination of computer access when formerly authorized users are involved.  The Ninth Circuit has previously taken the position that CFAA claims have merit even if there has not been formal termination of network access.  In situations, for example, when an employment or contractor relationship has terminated, the Ninth Circuit has concluded that continuing computer access by the terminated party violates the CFAA even if no formal notice of access termination has been issued.

Best practices call for active blocking of computer access and formal notice of termination of access for all departing employees and contractors.  However, even if such best practices have not been followed, it may be possible to obtain relief successfully under the terms of the CFAA in response to cybersecurity breaches.