Jay P. Kesan and Linfeng Zhang

Humans and computers are alike in at least one sense – both can malfunction or be compromised. On Feb. 28th 2018, the U.S. Marine Forces Reserve announced a data breach affecting thousands of marines, sailors and civilians, putting their identities at risk, as sensitive personal information like truncated social security numbers was leaked. The investigation showed that there was no malicious intent involved and the data breach was indeed a result of human error: an email containing the unencrypted confidential information had accidentally been sent to the wrong e-mail distribution list. Besides being duped into making unintentional disclosures, people are often tricked into giving up valuable information by scammers, and these hustles are referred to as “social engineering” or “phishing” in the cybersecurity world.

The 2013 Target data breach case was one such example. The case was finally settled last year, and the retailing company ended up paying $18.5 million in fines for the breach of 43 million records of payment card information. Unlike the Equifax data breach in September last year, which was caused by attackers directly hacking into the credit reporting company’s information systems, the Target incident started from a phishing email sent to a third-party vendor of Target. Through that vendor, the attackers gained login credentials for Target’s systems, and thus obtained unrestricted access to its customers’ confidential information.

Activities like phishing are not entirely new to the law. We had them before the Internet era, and they fit the criteria for common law fraud. The legal definition of fraud requires: (1) a false statement of a material fact; (2) knowledge on the part of the perpetrator that the statement is untrue; (3) intent on the part of the perpetrator to deceive the alleged victim; (4) justifiable reliance by the alleged victim on the perpetrator’s statement; and (5) injury to the alleged victim as a result. Phishing fits into this legal definition of fraud even if phishing emails are distributed via the Internet because the medium used for delivering the false statement is irrelevant.

In contrast to conventional fraud, including phishing scams that take advantage of the vulnerabilities in human cognition, computer fraud is a bit different. Computer fraud typically involves disrupting information systems, such as spreading computer viruses; abusing computing resources, such as compromising computers for DDoS attacks; and taking or altering electronic data, such as stealing data from servers. Both computer fraud and conventional fraud can serve the same purpose, for example stealing sensitive data from the hosting server, but they achieve this goal through different means. In computer fraud, attackers gain unauthorized access or exceed their authorized access to a computer system by exploiting the vulnerabilities in those computer systems, while the attackers in a conventional fraud may trick the server administrator into unwittingly disclosing her login credentials, as we saw in the Target data breach. Computer fraud is defined and criminalized by the Computer Fraud and Abuse Act (CFAA), which was enacted by Congress in 1986. It proscribes accessing a computer without authorization or in excess of any granted authorization. Due to the nature of phishing or social engineering, these activities fit uncomfortably within computer fraud, since computer access was in fact authorized, albeit mistakenly. Even if phishing is seen as circumventing a technological access barrier, such as a password, the scope of authorized access has not been exceeded under the CFAA since consent was granted. Hence, activities such as phishing do not fit comfortably within the Computer Fraud and Abuse Act. Although the CFAA has been amended a few times since 1986, it has a hard time keeping up with new and emerging technologies and badly needs updating.