Georgia has garnered national attention in the last few weeks with the news that Governor Deal vetoed SB 315, which would have codified a new crime in Georgia for the unauthorized access of a computer or computer network. But don’t be fooled: the Georgia Computer Systems Protection Act (the “GCSPA”) – the Act that would have been modified by SB 315 – still provides robust protections against and penalties for improper computer access in Georgia.
The GCSPA, codified at O.C.G.A. section 16-9-93, currently makes it illegal to: use a computer without authorization and with the intent of taking the property of another; use a computer without authorization and with an intent to delete or remove data from said computer; use a computer with the intent of examining another person’s personal data without authorization; or disclose a password or passcode without authority, among other provisions. The GCSPA provides for civil relief against anyone that violates its provisions. In other words, the victim of a GCSPA violation can file a civil lawsuit for damages against the bad actor.
The GCSPA defines “without authority” to include “the use of a computer or computer network in a manner that exceeds any right or permission granted by the owner of the computer or computer network.” O.C.G.A. § 16-9-92(18). Georgia courts have construed this definition broadly, upholding GCSPA convictions when former employees improperly take electronic information in conjunction with their resignations. DuCom v. State, 288 Ga. App. 555, 654 S.E.2d 670 (2007).
SB 315 would have broadened the GCSPA, making it illegal to access a computer without proper authority. The law would not have required any intention of performing any other illegal act on the accessed computer (such as removing data). Instead, mere unauthorized access would have been enough to constitute a crime and subject the user to civil penalties.
Perhaps unsurprisingly, the bill was met with significant resistance from the tech community due to how broadly the new provision could be interpreted. For example, information security firms were concerned that performing “white hat” hacking – hacking to find weaknesses on computer networks to repair those weaknesses – would be illegal under the new law.
In reaction to pressure from the tech community, Governor Deal vetoed the proposed law. Thus, for an act of unauthorized access to violate the GCSPA, the law remains that the user must also be acting with some intent to perform some additional action, such as taking, manipulating, or deleting data on the computer. Of course, even with Governor Deal’s veto, victims of computer misconduct may also have remedies under the federal Computer Fraud and Abuse Act, which prohibits accessing a computer or computer system and obtaining information from that computer without authorization or by exceeding authorized access.
As the digital world becomes more perilous and data security becomes paramount, Georgia businesses, employees, and computer users should be aware of their rights, obligations, and remedies under both state and federal law. As always, if you have questions about the GCSPA or other related laws, the attorneys at Berman Fink Van Horn P.C. are here to help.