Is Planting a Virus in a Computer a Federal Crime?

Full Question:

I am 50% owner of Buy and Ship International. Recently our site had a virus placed on it which completely rendered it useless, and it Norton has given our site an unsafe rating with 79 threats. Yesterday our entire site was wiped off. I contacted our dedicated server people, Single Hop, and they were able to obtain the ftp log and proof of the party who did this. It was Autxloo, a company we were going to do business with, but we declined to do so. What are our legal options? We now have everyone afraid to go to our site. Should we report this to the FBI? I am waiting for legal advice.
02/02/2010   |   Category: Internet ยป Hacking   |   State: California   |   #20755

Answer:

The answer will depend on the charges and all the facts and circumstances involved. Hacking is the deliberate and unauthorized access, use, disclosure, and/or taking of electronic data on a computer and is covered under federal and varied state criminal statutes. The computer crime of hacking is committed when a person willfully, knowingly, and without authorization or without reasonable grounds to believe that he or she has such authorization, attempts or achieves access, communication, examination, or modification of data, computer programs, or supporting documentation residing or existing internal or external to a computer, computer system, or computer network. Hacking may also occur when a person willfully, knowingly, and without authorization or without reasonable grounds to believe that he or she has such authorization, destroys data, computer programs, or supporting documentation residing or existing internal or external to a computer, computer system, or computer network. Besides the destruction of such data, hacking may also be defined to include the disclosure, use or taking of the data.

There is a common-law tort of invasion of privacy, which may be pursued when a person obtains information in a way considered “highly offensive to a reasonable person.” This common-law tort may exist even if the action is not prohibited by the state wiretap laws.

RESTATEMENT (SECOND) OF TORTS, §652B (1977) provides:

“One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another, or his private affairs or concerns, is subject to liability to the other for the invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.”

If interstate commerce is involved, federal laws in the. the Computer Fraud and Abuse Act (CFAA), may apply.

The most common civil causes of action under the CFAA are brought under either:

1. 18 U.S.C. 1030(a)(2)(C), which requires a showing that a person
(1) "intentionally,"
(2) accessed a computer,
(3) "without authorization" or "exceeded authorized access,"
(4) and obtained information from any "protected computer,"3
(5) if the conduct involved an interstate or foreign communication;

2. 18 U.S.C. 1030(a)(4) which requires a showing that a person has
(1) "knowingly and with intent to defraud,"
(2) accessed a "protected computer,"
(3) "without authorization," and thus
(4) has furthered the intended fraudulent conduct and obtained "anything of value"; or


3. 18 U.S.C. 1030(a)(5) which requires a showing that a person
(1) "knowingly,"
(2) caused transmission of a program, information, code or command and,
(3) as a result, "intentionally"
(4) caused damage,
(5) "without authorization,"
(6) to a "protected computer," or
(7) "intentionally,"
(8) accessed a "protected computer,"
(9) "without authorization," and
(10) caused damage" and "loss" aggregating at least $5,000.00.


n Bunnell v. Motion Picture Association of America , the plaintiff's complaint alleged misappropriation of trade secrets, conversion, unfair competition, violations of the Computer Fraud and Abuse Act (CFAA), tortious interference with a business expectancy, and sought injunctive relief and damages.


Because of the evolving nature of the law and complexity of evidence and laws involved, it is recommended to consult with an attorney. I am prohibited from giving legal advice, as this service provides information of a general legal nature. You may consult our attorney directory at the link below:

http://lawyers.uslegal.com/internet-law/california/

Please see the following CA statute:

§ 502 Penal

(a) It is the intent of the Legislature in enacting this
section to expand the degree of protection afforded to
individuals, businesses, and governmental agencies from
tampering, interference, damage, and unauthorized access to
lawfully created computer data and computer systems. The
Legislature finds and declares that the proliferation
of computer technology has resulted in a concomitant
proliferation of computer crime and other forms
of unauthorized access to computers, computer systems, and
computer data.

The Legislature further finds and declares that protection
of the integrity of all types and forms of lawfully created
computers, computer systems, and computer data is vital to
the protection of the privacy of individuals as well as to
the well-being of financial institutions, business concerns,
governmental agencies, and others within this state that
lawfully utilize those computers, computer systems, and
data.

(b) For the purposes of this section, the following terms
have the following meanings:

(1) "Access" means to gain entry to, instruct,
or communicate with the logical, arithmetical, or memory
function resources of a computer, computer system,
or computer network.

(2) "Computer network" means any system that provides
communications between one or more computer systems and
input/output devices including, but not limited to, display
terminals and printers connected by telecommunication
facilities.

(3) "Computer program or software" means a set
of instructions or statements, and related data, that when
executed in actual or modified form, cause a computer,
computer system, or computer network to perform specified
functions.

(4) "Computer services" includes, but is not limited to,
computer time, data processing, or storage functions,
or other uses of a computer, computer system, or computer
network.

(5) "Computer system" means a device or collection
of devices, including support devices and excluding calculators
that are not programmable and capable of being used in
conjunction with external files, one or more of which
contain computer programs, electronic instructions, input
data, and output data, that performs functions including,
but not limited to, logic, arithmetic, data storage and
retrieval, communication, and control.

(6) "Data" means a representation of information, knowledge,
facts, concepts, computer software, computer programs
or instructions. Data may be in any form, in storage media,
or as stored in the memory of the computer or in transit
or presented on a display device.

(7) "Supporting documentation" includes, but is not limited
to, all information, in any form, pertaining to the design,
construction, classification, implementation, use,
or modification of a computer, computer system, computer
network, computer program, or computer software, which
information is not generally available to the public and is
necessary for the operation of a computer, computer system,
computer network, computer program, or computer software.

(8) "Injury" means any alteration, deletion, damage,
or destruction of a computer system, computer network, computer
program, or data caused by the access, or the denial
of access to legitimate users of a computer system, network,
or program.

(9) "Victim expenditure" means any expenditure reasonably
and necessarily incurred by the owner or lessee to verify
that a computer system, computer network, computer program,
or data was or was not altered, deleted, damaged,
or destroyed by the access.

(10) "Computer contaminant" means any set of computer
instructions that are designed to modify, damage, destroy,
record, or transmit information within a computer, computer
system, or computer network without the intent or permission
of the owner of the information. They include, but are not
limited to, a group of computer instructions commonly called
viruses or worms, that are self-replicating
or self-propagating and are designed to contaminate other
computer programs or computer data, consume computer
resources, modify, destroy, record, or transmit data, or in
some other fashion usurp the normal operation of the
computer, computer system, or computer network.

(11) "Internet domain name" means a globally unique,
hierarchical reference to an Internet host or service,
assigned through centralized Internet naming authorities,
comprising a series of character strings separated by
periods, with the rightmost character string specifying the
top of the hierarchy.

(c) Except as provided in subdivision (h), any person who
commits any of the following acts is guilty of a public
offense:

(1) Knowingly accesses and without permission alters,
damages, deletes, destroys, or otherwise uses any data,
computer, computer system, or computer network in order to
either (A) devise or execute any scheme or artifice to
defraud, deceive, or extort, or (B) wrongfully control
or obtain money, property, or data.

(2) Knowingly accesses and without permission takes, copies,
or makes use of any data from a computer, computer system,
or computer network, or takes or copies any supporting
documentation, whether existing or residing internal
or external to a computer, computer system, or computer
network.

(3) Knowingly and without permission uses or causes to be
used computer services.

(4) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software,
or computer programs which reside or exist internal
or external to a computer, computer system, or computer
network.

(5) Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the
denial of computer services to an authorized user of a
computer, computer system, or computer network.

(6) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system,
or computer network in violation of this section.

(7) Knowingly and without permission accesses or causes to
be accessed any computer, computer system, or computer
network.

(8) Knowingly introduces any computer contaminant into any
computer, computer system, or computer network.

(9) Knowingly and without permission uses the Internet
domain name of another individual, corporation, or entity in
connection with the sending of one or more electronic mail
messages, and thereby damages or causes damage to a
computer, computer system, or computer network.

(d)(1) Any person who violates any of the provisions
of paragraph (1), (2), (4), or (5) of subdivision (c) is
punishable by a fine not exceeding ten thousand dollars
($10,000), or by imprisonment in the state prison for
16 months, or two or three years, or by both that fine and
imprisonment, or by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not
exceeding one year, or by both that fine and imprisonment.

(2) Any person who violates paragraph (3) of subdivision (c)
is punishable as follows:

(A) For the first violation that does not result in injury,
and where the value of the computer services used does not
exceed four hundred dollars ($400), by a fine not exceeding
five thousand dollars ($5,000), or by imprisonment in a
county jail not exceeding one year, or by both that fine and
imprisonment.

(B) For any violation that results in a victim expenditure
in an amount greater than five thousand dollars ($5,000)
or in an injury, or if the value of the computer services used
exceeds four hundred dollars ($400), or for any second
or subsequent violation, by a fine not exceeding ten thousand
dollars ($10,000), or by imprisonment in the state prison
for 16 months, or two or three years, or by both that fine
and imprisonment, or by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not
exceeding one year, or by both that fine and imprisonment.

(3) Any person who violates paragraph (6) or (7)
of subdivision (c) is punishable as follows:

(A) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding one thousand
dollars ($1, 000).

(B) For any violation that results in a victim expenditure
in an amount not greater than five thousand dollars
($5,000), or for a second or subsequent violation, by a fine
not exceeding five thousand dollars ($5,000), or by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment.

(C) For any violation that results in a victim expenditure
in an amount greater than five thousand dollars ($5,000), by
a fine not exceeding ten thousand dollars ($10,000), or by
imprisonment in the state prison for 16 months, or two
or three years, or by both that fine and imprisonment, or by a
fine not exceeding five thousand dollars ($5,000), or by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment.

(4) Any person who violates paragraph (8) of subdivision (c)
is punishable as follows:

(A) For a first violation that does not result in injury, a
misdemeanor punishable by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not
exceeding one year, or by both that fine and imprisonment.

(B) For any violation that results in injury, or for a
second or subsequent violation, by a fine not exceeding ten
thousand dollars ($10,000), or by imprisonment in a county
jail not exceeding one year, or in the state prison, or by
both that fine and imprisonment.

(5) Any person who violates paragraph (9) of subdivision (c)
is punishable as follows:

(A) For a first violation that does not result in injury, an
infraction punishable by a fine not one thousand dollars.

(B) For any violation that results in injury, or for a
second or subsequent violation, by a fine not exceeding five
thousand dollars ($5,000), or by imprisonment in a county
jail not exceeding one year, or by both that fine and
imprisonment.

(e)(1) In addition to any other civil remedy available, the
owner or lessee of the computer, computer system, computer
network, computer program, or data who suffers damage
or loss by reason of a violation of any of the provisions
of subdivision (c) may bring a civil action against the
violator for compensatory damages and injunctive relief
or other equitable relief. Compensatory damages shall include
any expenditure reasonably and necessarily incurred by the
owner or lessee to verify that a computer system, computer
network, computer program, or data was or was not altered,
damaged, or deleted by the access. For the purposes
of actions authorized by this subdivision, the conduct of an
unemancipated minor shall be imputed to the parent or legal
guardian having control or custody of the minor, pursuant to
the provisions of Section 1714.1 of the Civil Code.

(2) In any action brought pursuant to this subdivision the
court may award reasonable attorney's fees.

(3) A community college, state university, or academic
institution accredited in this state is required to include
computer-related crimes as a specific violation of college
or university student conduct policies and regulations that
may subject a student to disciplinary sanctions up to and
including dismissal from the academic institution. This
paragraph shall not apply to the University of California
unless the Board of Regents adopts a resolution to that
effect.

(4) In any action brought pursuant to this subdivision for a
willful violation of the provisions of subdivision (c),
where it is proved by clear and convincing evidence that a
defendant has been guilty of oppression, fraud, or malice as
defined in subdivision (c) of Section 3294 of the Civil
Code, the court may additionally award punitive or exemplary
damages.

(5) No action may be brought pursuant to this
subdivision unless it is initiated within three years of the date of the
act complained of, or the date of the discovery of the
damage, whichever is later.

(f) This section shall not be construed to preclude the
applicability of any other provision of the criminal law
of this state which applies or may apply to any transaction,
nor shall it make illegal any employee labor relations
activities that are within the scope and protection of state
or federal labor laws.

(g) Any computer, computer system, computer network, or any
software or data, owned by the defendant, that is used
during the commission of any public offense described in
subdivision (c) or any computer, owned by the defendant,
which is used as a repository for the storage of software
or data illegally obtained in violation of subdivision (c)
shall be subject to forfeiture, as specified in
Section 502.01.

(h)(1) Subdivision (c) does not apply to punish any acts
which are committed by a person within the scope of his
or her lawful employment. For purposes of this section, a
person acts within the scope of his or her employment when
he or she performs acts which are reasonably necessary to
the performance of his or her work assignment.

(2) Paragraph (3) of subdivision (c) does not apply to
penalize any acts committed by a person acting outside
of his or her lawful employment, provided that the employee's
activities do not cause an injury, as defined in
paragraph (8) of subdivision (b), to the employer or another,
or provided that the value of supplies or computer services,
as defined in paragraph (4) of subdivision (b), which are
used does not exceed an accumulated total of one hundred
dollars ($100).

(i) No activity exempted from prosecution under
paragraph (2) of subdivision (h) which incidentally violates
paragraph (2), (4), or (7) of subdivision (c) shall be
prosecuted under those paragraphs.

(j) For purposes of bringing a civil or a criminal action
under this section, a person who causes, by any means, the
access of a computer, computer system, or computer network
in one jurisdiction from another jurisdiction is deemed to
have personally accessed the computer, computer system,
or computer network in each jurisdiction.

(k) In determining the terms and conditions applicable to a
person convicted of a violation of this section the court
shall consider the following:

(1) The court shall consider prohibitions on access to and
use of computers.

(2) Except as otherwise required by law, the court shall
consider alternate sentencing, including community service,
if the defendant shows remorse and recognition of the
wrongdoing, and an inclination not to repeat the offense.