Robert Kain, of the intellectual property law firm of Kain Spielman, P.A. drafted and lobbied for the Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“CADRA”) (CADRA Full Text) which was signed into law on May14 by Florida Governor Scott. For the past two (2) years, Robert Kain has worked with members of the Florida Bar and the Computer Law, Intellectual Property Law and Business Litigation Committees, and the Business Law Section to initially draft CADRA, and have it approved by the Business Law Section of the Florida Bar. Kain is the Task Force leader for the Employee Computer Hacking Project (now called the CADRA Task Force) and the incoming chair of the Computer Law Committee.
After CADRA was introduced into the Florida Legislature by Sen. Hukill (Ocala) and Rep. Spano (Riverview), Kain testified before the Civil Justice Committee for the House of Representatives in support of CADRA. The CADRA Task Force was formed after Kain published a Florida Bar Journal Article in 2013 titled “Federal Computer Fraud and Abuse Act – Employee Hacking: Legal in California and Virginia But Illegal in Miami, Dallas, Chicago and Boston.” Kain believes that CADRA can potentially be a national model act giving businesses the right to recover monetary damages and obtain injunctive relief against unauthorized persons who cause harm or damage to TAB protected, business computers and online systems which contain business information.
The Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“CADRA”) establishes a new civil remedy and permits monetary recovery against hackers or other unauthorized persons who cause harm or damage to business computers or systems which contain business information in Florida. CADRA was signed into law by Florida Governor Scott on May 14, 2015 and is effective as of October 1, 2015.
A person violates CADRA when he or she “knowingly and with intent to cause harm or loss: (1) obtains information from protected computer without authorization and, as a result, causes harm or loss; (2) causes the transmission of a program, code or command to a protected computer without authorization and …. causes harm or loss; or (3) traffics in any technological access barrier through which access to a protected computer may be obtained without authorization”. Such a person is liable for harm and loss to a business owner having a protected computer. See CADRA §668.803 (herein “§803″).
Coverage under CADRA is provided to the owner, operator or lessee of a protected computer used in business or the owner of information stored in the protected computer who uses the information in connection with the operation of a business. See §803. The current trend is to store and process business related data and programs in the cloud or online in the Internet. This type of data storage and processing is protected by CADRA if protected by a password or a technological access barrier (“TAB”). CADRA is strictly limited to business. See §§ 801(1) and (2); and 802(3) and (6).
Only data or programs stored or processed by “protected computers” are covered. These computers and data storage devices have an access control, such as a password, security code, key fob, keyed lock, biometric identifier (fingerprint, retina scan) or other “technological access barrier or “TAB”. See CADRA Defn. §802(7).
The issue in most computer related bad events is (a) who is permitted to access the computer and (b) who is not. Outsiders, such as hackers, are clearly not permitted to access TAB protected computers and data storage facilities. However, errant employees and ex-employees sometimes cause damage and harm to business owners.
Under CADRA, an authorized user is a “director, officer, employee, third party agent, contractor, or consultant of the owner [a DOE3] … [who] is given express permission by the owner … to access the protected computer” through a TAB. CADRA Defn. §802(1). DOE3s are not authorized users if they are “terminated upon revocation by the owner” or “upon cessation of employment, affiliation or agency with the owner.” §802(1)
Violators act “without authorization” when: (a) they are not an authorized user; (b) they steal a TAB; or (c) the violator “circumvent[s] a technological access barrier [TAB] on a protected computer without the express or implied permission of the owner.” It should be noted that some TABs are not considered to be reasonable passwords or security access tools. Examples of these “bad passwords” are “1234,” “password,” and “admin” because many systems and storage devices default to that level or the owners are not genuinely concerned about the security of the data or program. Therefore, CADRA circumvention “does not include circumventing a technological measure that does not effectively control access to the protected computer or the information stored in the protected computer.” §§802(9)(a),(b) and (c).
Remedies – What can the Business Owner get from a Violator
A business owner can collect money damages from the violator for (a) actual damages, lost profits, economic damages, violator’s profits, recover for harm and loss due to: impairment to the integrity, access or availability of data or program, the cost of conducting a damage assessment, cost of remediation (restoring the data/program), consequential damages and damages for interruption of service. §§802(5)(a) through (e), §804(1)(a) and (b) and§802(4). In addition, the owner is entitled to an injunction to prevent future CADRA violations and to recover the misappropriated information, program, or code and all copies thereof. §804(1)(c) and (d). This latter remedy, the recovery of the original and all copies of the data or program, is a new Florida remedy available to businesses. The prevailing party in a CADRA action is also entitled to attorneys fees. See §804(2).
Prior to CADRA, practitioners used Florida’s Computer Crimes Act, Fla. Stat. § 815.01 and Federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”). Both laws are criminal in nature with an appended civil remedy. However, in 2012 the federal courts caused confusion regarding the scope of the CFAA. For example, in California and Virginia, if employee ever had authorized access to the computer, then there was no violation of CFAA. If the same event occurred In Miami, Dallas, Chicago and Boston, CFAA “authorization” was judged at the time of “taking” and the use of the data by the employee or ex-employee. Typically, this resulted in a CFAA violation. Due to the divergent views of federal appeals courts, the entire scope of CFAA enforcement has been called into question.
In Florida, some businesses used Florida’s Computer Crimes Act. See Fla. Stat. § 815.06. However, the Florida Act is not effective because a civil action under the Computer Crimes Act is permitted only AFTER the person was convicted by the State.
CADRA is potentially a national model act which gives businesses the right to recover monetary damages and obtain injunctive relief against unauthorized persons who cause harm or damage to TAB protected, business computers and online systems which contain business information.