In a recent post, I suggested a way to narrow the Computer Fraud and Abuse Act, 18 U.S.C. 1030. In narrowing that law, I intentionally excluded the problem of “insiders” who might misuse computers. There are really two situations to worry about. First, there’s the Aleynikov problem: an employee at a company who is thinking of leaving the company might access the computers of his employer and copy valuable data to help start a competing business or sell the data. Second, there’s the Rodriguez problem: A government employee might misuse sensitive government databases.
I don’t think these facts should fit under 18 U.S.C. 1030 because they deal with a different kind of problem; it’s hard to fit them in to 1030 without causing incredibly broad liability. But I do think it’s fair to want to criminalize such conduct with a different statute. So I have drafted such a proposal and posted it here: Proposal for 18 U.S.C. 1031, Employee Misuse of Computer Information. My proposal isn’t perfect, and I’d want to fiddle with it a bit myself, but the idea is to enact a narrow statute to deal with the specific problems of insiders.
UPDATE: I have updated the draft a bit in response to commenters, and I thought I would add an explanation in response to this comment:
Why does the federal law and your proposal have to address the technology — computers — rather than the underlying wrongful conduct: stealing a company’s information or improper use of government property.
Presumably someone who takes hundreds of documents from Goldman Sachs’ file cabinets, and uses those documents to start a rival business, is no less culpable than the Aleynikov problem.
The reason is two-fold. For part (a), Employee Misuse of Information for Private Financial Gain, the statute is necessary because the circuit courts have interpreted the transportation of stolen goods statute, 18 U.S.C. 2314, to not apply to computer data. If an employee steals paper documents or makes a photocopy of the paper documents and carries the document or paper copy across state lines, then the emplioyee violates 18 U.S.C. 2314. See United States v. Bottone. On the other hand, if an employee makes an electronic copy and e-mails the documents across state lines, then the statute is not violated. See United States v. Aleynikov. It would be possible to amend 2314 instead to encompass valuable data, of course, but that is actually a broader approach than the proposal I have made here, and it raises all sorts of complex conceptual problems for when data counts as being “stolen.”
I think reasonable people can disagree about the need for part (b), Misuse of Personal Information by Government Employees. I don’t have particularly strong feelings about it either way. But I think a computer-specific approach makes sense here for two reasons. First, I don’t think there are paper databases of personal information anymore; the facts tend to involve computers. Second, there is no general prohibition on “improper use of government property.” There is a prohibition on theft of government property, but it would not apply in such circumstances under United States v. Collins, which is discussed in this thoughtful student case comment. Congress could try to draft a general misuse of government property statute that is not computer-specific, but again, it would seem to require a much broader statute than what I am proposing.