Standing Under the Computer Fraud and Abuse Act

01 Jun 2020

The Computer Fraud and Abuse Act (“CFAA”) provides civil and criminal penalties for computer intrusion. Current scholarship seeks to determine when a putative defendant has accessed a system without authorization. But no academic articles address who can bring suit for the intrusion. The system owner seems the natural complainant; after all, the CFAA punishes cyber-trespass. But the few courts to address the issue thus far have come to a surprising and contrary conclusion: anyone with confidential information on the system may bring suit. This turns the CFAA from a cyber-trespass statute into a more expansive tool, guarding against trade secret theft and other offenses normally governed by very different case law. Resolving this question has profound implications in an era when confidential documents get routinely stored on Dropbox, Google Drive, Amazon Web Services, and similar platforms. This Article will examine whether courts are correct to accord such broad standing to complainants and whether this comports with the Supreme Court’s views on constitutional standing. This Article will also consider whether this broad concept of CFAA standing makes sense in light of the statute’s history and purpose, and what effect it has on ideas about digital ownership generally.