The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, is a federal statute aimed at hacking and related computer misconduct. In recent years, however, it has taken on an increasing role in policing Internet conduct generally, serving as a frequent basis for civil and criminal cases when employees or others wrongfully access computer systems, and even indirectly where access is obtained through wrongfully issued subpoenas. It is of particular note to the health care industry because it contains a provision specifically addressing medical care.
The CFAA generally makes two acts illegal, if certain other conditions are met: accessing a protected computer "without authorization," or "exceeding authorized access." In certain cases, one of those other conditions is that there must be some form of "damage." One form of damage the statute recognizes is the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment or care of one or more individuals, so those in the health care industry should consider this law, and the remedies it offers, in cases where their computer systems are inappropriately accessed.
The concept of "without authorization" has been difficult for courts to sort through, particularly where employees take confidential information while still employed but, in a very real sense, acting on their own behalf and adverse to the interests of their current employer. Web site owners have also argued that the "exceeds authorized access" element is met when a person uses a Web site beyond the authority granted to users under the site's license agreement or terms of service. That argument is particularly common among Web site owners or operators who maintain trade secret or other confidential information on their sites under a restrictive license agreement.
A recent high-profile case involved a MySpace user who was convicted of three misdemeanor counts under the CFAA for misrepresenting her identity in violation of the site's terms of service, allegedly thereby causing a minor to commit suicide. The case has implications for businesses beyond the social networking space because the underlying legal theory was that violating the MySpace terms of service by misrepresenting one's identity amounted to unauthorized access. Misrepresenting identity is a common tactic of competitors and others who seek to wrongfully obtain confidential or other proprietary information from Web sites or other electronic systems. Companies should review the terms of service on their Web sites, as well as their internal technology use policies, to ensure that all appropriate limitations are present, both to minimize the chance of mischief and to maximize the chance of protecting and enforcing the company's rights, or those of its users. The main argument offered in defense was that the user had not read the terms of use. Some have also suggested that the case might result in duties being placed on companies to police their Web sites, though Section 230 of the Communications Decency Act would seem to cut against that argument.
In many cases state computer crime laws are broader and offer your company more protection, so those laws should be assessed as part of the same review. More detail on the CFAA and the cases addressing these issues can be found in my book, Information Security and Privacy: A Practical Guide to Federal, State and International Law, in Chapter 3, sections 3:16, 3:18 and 3:19. The Communications Decency Act is discussed in Chapter 2 of my book.
When security breach notification laws first hit the scene, starting in California, the focus was on the misuse of financial information (in the form of credit or debit card numbers) or Social Security or driver's license numbers. As more breach laws were enacted (47 at last count), the focus shifted, at least in part, to medical information as well. California amended its breach law to include medical information, and several other states and territories, including Arkansas, Delaware, and Puerto Rico, also cover medical information in their breach laws. All of these laws are triggered by the unauthorized acquisition of information, that is, the actual taking of data, even in the form of a copy.
Now California has added new requirements in recent legislation, AB 211 and SB 541, which require reporting of unauthorized "access" to patients' medical information. This imposes new burdens on health care providers and, in certain cases, individuals, because the law appears to require only that data be viewed, not acquired, to trigger a violation. A practical consequence is that a provider must be able to tell who viewed which record, not merely whether data left its systems, which puts a premium on access logging and audit trails for medical records. There are also new reporting requirements that providers must meet in the event of unauthorized access. Violations carry significant fines and penalties, so restricting unauthorized access to medical information must be a top-of-mind priority for health care providers in California.