Ashley Singrossi – “Information is the oxygen of the modern age.” The oxygen of any modern-age business is its client lists, formulas, contracts, systems, codes, and financial statements. This information, or data, is stored on a business’s computers. Florida recently recognized the importance of protecting this information and enacted the Computer Abuse and Data Recovery Act (“CADRA”), Florida Statute §668.801.
CADRA is the first Florida statute to offer civil remedies, without requiring a criminal conviction, to businesses that fall victim to computer hacking or data theft. The civil remedies under CADRA include lost profits, economic damages, additional profits obtained by the violator, attorney’s fees, an injunction, and retrieval of the stolen information. Additionally, prevailing in a CADRA suit estops the violator from denying the conduct in a criminal proceeding.
CADRA prohibits an unauthorized user from knowingly and intentionally obtaining information from a protected computer that results in harm or loss. CADRA’s definition of a “computer” encompasses computers, tablets, iPads, or smart phones. A “protected computer” describes any computer used in connection with the operation of a business that holds data or information related to the business and is protected by a “technological access barrier.” A “technological access barrier” is a password, security code, access device, key fob, token or any other similar security measure.
CADRA defines an “authorized user” as the owner of the protected computer or the owner of the information stored on the protected computer. An “authorized user” can also be an employee, director, consultant, officer, or third-party agent of the owner, who is given express permission by the owner to access the protected computer through a “technological access barrier” (for example, a password). Conversely, an “unauthorized user” is anyone who is not an “authorized user.” An example of an unauthorized user would be someone whose express permission was terminated by the revocation of such permission or by the end of employment, affiliation, or agency with the owner, or someone who has stolen or circumvented the technological access barrier (e.g. someone who guesses the password) without express or implied permission from the owner.
A business owner can maximize CADRA’s protection by doing a few simple things. Because CADRA does not protect a business against computer hacking and data theft if there are no effective technological access barriers in place, business owners should ensure that all computer data is protected by effective technological access barriers. Passwords like “1234,” “admin,” or “password” are ineffective access or security controls.
Additionally, CADRA does not protect against computer hacking and data theft carried out by an authorized user. Thus, business owners should only provide each employee authorized access to the specific information directly related to their tasks. For example, they should only provide the Human Resources employee access to employment folders—not legal or financial folders. Further, because CADRA only protects computers that are used in connection with the operation of a business and that store business data and information, separate devices should be used for personal use and for business use to ensure protection under CADRA.