Locks, the saying goes, keep honest people honest. Good physical security will keep out the
curious passer-by or casual miscreant, but no lock is perfect and the determined thief will
always find a way in. In recent years, it has become obvious that the same is true of the
Internet. As a practical matter, no connected computer system is impenetrable, and
password surveys routinely show that most people don't even have decent locks on their
doors. Yet individuals and businesses place vast amounts of crucial, sensitive information
online, assuming that it will remain secure. And when the locks fail, they turn to the law.
There are, of course, a number of legal protections against the misappropriation and misuse
of personal data, identity or intellectual property. They include federal and state statutes, as
well as common law claims of misappropriation, unfair competition and breach of duty, to
name a few. But the great majority of those protections focus on the information that's taken,
not the act of taking it. In the electronic universe, the damage from an intrusion often
includes not only the loss of data, but the costly disruption to the system itself. There is no
physical analog to that harm. A burglary victim is concerned about the assets in the safe, not
the damage to the safe itself. But online, the calculation may be different: The "safe" is often
a computer system or network that is vital to the victim's personal or business livelihood.
When dealing with computer intrusions, the law has to address that potential loss as well.
To address these unique concerns, Congress enacted the Computer Fraud and Abuse Act
(CFAA), which criminalizes the unauthorized access to certain kinds of computer systems
and also creates a private right of action to remedy damage caused by such access. But the
CFAA is a complex statute, and its language is not a model of clarity. Practitioners and
courts alike have consistently disagreed about the scope of conduct it addresses and the
accrual of actions arising out of that conduct. A recent Second Circuit decision clarifying the
latter issue offers an opportunity to examine the CFAA, its function and limitations, and its
utility as a tool for protecting electronic assets.