Locks, the saying goes, keep honest people honest. Good physical security will keep out the

curious passer-by or casual miscreant, but no lock is perfect and the determined thief will

always find a way in. In recent years, it has become obvious that the same is true of the

Internet. As a practical matter, no connected computer system is impenetrable, and

password surveys routinely show that most people don't even have decent locks on their

doors. Yet individuals and businesses place vast amounts of crucial, sensitive information

online, assuming that it will remain secure. And when the locks fail, they turn to the law.

There are, of course, a number of legal protections against the misappropriation and misuse

of personal data, identity or intellectual property. They include federal and state statutes, as

well as common law claims of misappropriation, unfair competition and breach of duty, to

name a few. But the great majority of those protections focus on the information that's taken,

not the act of taking it. In the electronic universe, the damage from an intrusion often

includes not only the loss of data, but the costly disruption to the system itself. There is no

physical analog to that harm. A burglary victim is concerned about the assets in the safe, not

the damage to the safe itself. But online, the calculation may be different: The "safe" is often

a computer system or network that is vital to the victim's personal or business livelihood.

When dealing with computer intrusions, the law has to address that potential loss as well.

To address these unique concerns, Congress enacted the Computer Fraud and Abuse Act

(CFAA), which criminalizes the unauthorized access to certain kinds of computer systems

and also creates a private right of action to remedy damage caused by such access. But the

CFAA is a complex statute, and its language is not a model of clarity. Practitioners and

courts alike have consistently disagreed about the scope of conduct it addresses and the

accrual of actions arising out of that conduct. A recent Second Circuit decision clarifying the

latter issue offers an opportunity to examine the CFAA, its function and limitations, and its

utility as a tool for protecting electronic assets.

Read more.