Friday, January 22, 2016

Corporate Counsel: Florida Law Provides Businesses Civil Remedy for Hacking

By Jason Pill

As splashy headlines of corporate hacking and cybersecurity theft continue to make front-page news, businesses are increasingly focused on protecting their critical digital assets. Legislators have taken note and passed Florida’s Computer Abuse and Data Recovery Act (CADRA), which became effective October 1. §§ 668.801-805, Fla. Stat. CADRA gives Florida businesses a new arrow in their quiver to combat unauthorized computer access by providing a cause of action for the recovery of monetary damages, injunctive relief, and attorneys’ fees.

The legislature previously attempted to address “computer-related crime” by passing the Florida Computer Crimes Act (FCCA). §§ 815.01-07, Fla. Stat. The FCCA was largely a criminal statute that offered civil relief only after a criminal conviction. Recognizing some of the FCCA’s shortcomings, CADRA creates a cause of action for aggrieved businesses that suffer harm from unauthorized computer access by an individual who does not have access or exceeds his or her access to a business’s computer systems.

A CADRA violation occurs when an individual “knowingly and with intent to cause harm or loss”: (i) obtains information from a protected computer without authorization, causing resulting harm or loss; (ii) causes the transmission of a program, code, or command to a protected computer without authorization, causing resulting harm or loss; or (iii) traffics in any technological access barrier through which access to a protected computer may be obtained without authorization. § 668.803(1)-(3), Fla. Stat. “Without authorization” means access to a protected computer by someone who is not an “authorized user.” Authorized users can be directors, officers, employees, third-party agents, and other individuals with a business’s express permission to access protected computers. § 668.802(1), Fla. Stat. But this authorization ends upon the business’s revocation of permission by any means.

Importantly, CADRA’s protections extend only to a “protected computer,” which is defined as a computer that is “used in connection with the operation of a business and stores information, programs, or code in connection with the operation of the business” and “can be accessed only by employing a technological access barrier.” § 668.802(6), Fla. Stat. CADRA provides a non-exhaustive list of “technological access barriers” that must be employed, such as a “password, security code, token, key fob, access device, or similar measure.” Invariably, there will be additional technological measures that fall within this definition under the “similar measures” catchall, but in the absence of judicial guidance, businesses would be wise to rely on one or more of the enumerated “barriers” to ensure CADRA protection.

In the event of a CADRA violation, a plaintiff may recover actual damages, including lost profits and economic damages, recovery of the violator’s profits, and injunctive relief to prevent further violations and recover stolen information. The prevailing party is entitled to recover reasonable attorneys’ fees.

CADRA, which serves as yet another piece of the mosaic of legislation aimed at the emerging issue of cybersecurity and digital theft, comes a little over a year after the enactment of Florida’s Information Protection Act of 2014 (FIPA), § 501.171, Florida Statutes. The FIPA heightened the notification requirements for data breaches impacting Florida residents. These new laws reflect an increased emphasis on cybersecurity and are a harbinger of possible additional legislation designed to protect businesses and consumers from evolving digital threats.