There are few cases relating the CFAA to cloud computing. Much of the case law that would be relevant centers around what is a "thing of value." One case, United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997), found that simply accessing tax records beyond the defendant's authorization was not a "thing of value." A similar result was reached in P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, 428 F.3d 504 (3d Cir. 2005).
Unfortunately, the CFAA has some major pitfalls. First, while it claims to reach outside the United States, realistically, the US's jurisdiction cannot reach outside its borders. This means that if data resides on a server outside the United States, it may not be protected by this law. Additionally, because the person storing data on the computers does not own those computers, it may be difficult for a person to get law enforcement agencies to investigate or prosecute a data theft if the service provider does not wish to pursue charges.
Still used occasionally in other computer crimes is the older wire fraud statute, 18 U.S.C. § 1343, but on its face it does not appear to cloud computing data theft. According to Maxim May of the SANS Institute, the Economic Espionage Act of 1996, 18 U.S.C. §§ 1831-1839, is sometimes used to prosecute theft of trade secrets or other economically-valuable property.
Some industries, like banking, are required to inform federal regulators and, in some cases, consumers if information security is breached with regards to personal information that would allow one to access the bank account. See 12 C.F.R. pt. 208, app. D-2 (2006). This gives the businesses an incentive to secure data.
Image Source: http://www.ncga.state.nc.us/Senate/Senate.html
Almost all states now have laws stating that a company that stores data for a user must notify its users if security is breached. The laws vary widely in what consumers must be told and when. North Carolina's law, the Identity Theft Protection Act, was passed in 2005, which, among other things, requires businesses operating in North Carolina to inform consumers of a breach "without unreasonable delay[.]" It is limited mostly to financial information and information that would allow someone to access one's financial records like a Social Security Number. It does not, however, provide a cause of action if the company fails to do so. New York's law, on the other hand, does provide a cause of action.
California's law, Cal. Civ. Code § 1798.83, is one of the strongest in the country. In addition to similar notification-of-breach requirements like New York and North Carolina, it requires that a notice be posted on the Website of a company doing business in California that must be called, "Your Privacy Rights," and it must inform people of their rights to notification in the event of a breach.
These state laws are given a thorough treatment by Christopher Wolf, ed., Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age (2006).
- Cal. Civ. Code § 1798.83, available at http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.80-1798.84
- Computer Fraud and Abuse Act of 1984, 18 U.S.C. § 1030 (2006), available at http://www4.law.cornell.edu/uscode/18/1030.html.
- Economic Espionage Act of 1996, 18 U.S.C. §§ 1831-1839 (2006).
- Identity Theft Protection Act, N.C. Gen. Stat. § 75-60–66 (2009), available at http://www.ncleg.net/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html.
- Interagency Guidelines Establishing Information Security Standards, 12 C.F.R. pt. 208, app. D-2 (2006), available at http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=bd5fad5d08877c01561623f7fe445d3b&rgn=div9&view=text&node=12:188.8.131.52.184.108.40.206.18&idno=12
- Maxim May, Federal Computer Crime Laws, SANS Institute (Jun. 1, 2004), http://www.sans.org/reading_room/whitepapers/legal/federal-computer-crime-laws_1446.
- National Information Infrastructure Protection Act of 1996, Pub. L. No. 104-294, available at http://epic.org/security/1996_computer_law.html.
- N.Y. Gen. Bus. Law § 899-aa (2008), available at http://bit.ly/coA6VF.
- P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, 428 F.3d 504 (3d Cir. 2005), available at http://scholar.google.com/scholar_case?case=18205138977450614418.
- Tanya L. Forsheit, Outsourcing and Cloud Computing: Privacy and Data Security Issues, Practising Law Institute, 981 PLI/Pat 479 (2009).
- United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997), available at http://scholar.google.com/scholar_case?case=7274469352147073368.
- United States v. Drew, No. CR 08-0582-GW (C.D. Cal. Aug. 28, 2009), available at http://www.citmedialaw.org/sites/citmedialaw.org/files/2009-08-28-Opinion%20on%20Drew%27s%20Rule%2029%28c%29%20Motion_0.pdf.