Bots are everywhere. As every aspect of society becomes more dependent on technology, these automated programs have become increasingly important in our everyday lives. Bots help social media companies curate user feeds and search engines rank search results. Digital “personal assistants” have automated travel booking and the processing of expense accounts. Bots add value by facilitating the execution of online tasks at speeds and scales unreachable by human users.

But the ubiquity of bots has a dark side, threatening both governmental and commercial institutions. Russian actions during the 2016 U.S. election put a spotlight on the negative effects of bots, which were used to flood social media feeds with propaganda intended to influence voters. Bots are also used for an array of market-damaging practices, including the exploitation of new account promotions, the fraudulent reservation of blocks of airline seats, website slowdowns, distributed denial-of-service attacks (DDoS), rogue online reviews, content scraping, and other harmful practices. Bots are particularly threatening to businesses with an online presence because they can extract value and information from a company without consent.

This dark side shows no signs of abating. A recent study found that almost 20% of worldwide website traffic was from malicious bot activity. The beneficial aspects of certain bots make a single uniform legislative fix impractical, yet issue-specific legislation has been slow to catch up with the dangers posed by bots in particular contexts. Therefore, uncertainties remain regarding the application of existing laws to these new situations. Against this backdrop, businesses must familiarize themselves with the legal landscape and tools available to defend themselves against unwanted bot activity. Bots are here to stay, but businesses can fight back.


The U.S. Legal Landscape

There is no single comprehensive U.S. law addressing the rise of bots. Instead, like in many substantive areas of the U.S. legal system, a patchwork of laws intended for different scenarios together form a body of law full of nuance. The Computer Fraud and Abuse Act (CFAA) is the primary federal legislation that governs cybercrime in the United States. Originally enacted in 1984 as a criminal law to protect classified information in government systems, the CFAA was expanded ten years later with a private right of action for parties to seek compensatory damages and injunctive relief. Under the CFAA, a plaintiff has to demonstrate two key elements in order to bring a claim: (1) that the defendant accessed the plaintiff's computer without authorization or while exceeding their authorization; and (2) that the intrusion resulted in one of a variety of harms, including a loss of at least $5,000. Businesses can usually satisfy the threshold loss amount by referencing costs associated with the internal damage assessment, or the cost of any response to the offense.

Another important federal law is the Digital Millennium Copyright Act (DMCA). Enacted in 1998, the DMCA prohibits circumventing “a technological measure” that restricts access to a copyrighted work without the consent of the copyright owner. Technological measures are broadly defined—prohibited acts can include decrypting an encrypted work, bypassing a password restriction, or circumventing common restrictions that prohibit automated access, such as the robot exclusion protocol (robots.txt), CAPTCHA APIs, or IP address blocking.

Individual states have also implemented broad legislation to address cyber-related matters. These laws focus on an array of matters, ranging from cybercrimes to biometric data security. While the applicable laws vary, statutes in Delaware and Florida are representative of the causes of action and remedies available.

In Delaware, the Misuse of Computer System Information Statute provides for similar relief where a defendant knowingly accesses a computer system without authorization, but also allows a plaintiff to recover treble damages for willful and malicious conduct. A plaintiff can also receive injunctive relief after demonstrating reason to believe that a defendant “is about to” access a computer without authorization. In 2015, Florida enacted the Computer Abuse and Data Recovery Act (CADRA). The legislation provides for injunctive and monetary relief for plaintiffs against persons who intentionally access a computer without authorization and cause harm or loss to the owner of the protected computer. Under CADRA, a defendant acts without authorization if he or she is not an authorized user or has circumvented a technological access barrier without permission. Notably, CADRA requires a specific intent to cause a harm or loss.

In addition to these federal and state laws that generally prohibit unauthorized access to a computer, various federal and state laws cover specific situations where privacy intrusions and unauthorized access to computers can occur. At the federal level, one recent example is the 2016 Better Online Ticket Sales (BOTS) Act, which banned the use of computer programs to circumvent technological limitations on online ticket sales. But the BOTS Act did not provide for a private right of action, leaving enforcement to the Federal Trade Commission and state attorneys general. Similar state laws exist, including in New York.


What Businesses Can Do to Defend Against 'Bad Bots' 

These federal and state laws describe a variety of potential strategies a business can leverage when defending itself against bots. While a single statute can provide an adequate tool, considering the pros and cons of various state and federal laws can help a business calibrate an optimal response. Most likely, a combination of these national and local statutes will best position a company to properly defend itself. While bots have the capacity to overload even the most secure networks, bringing the following causes of action can best position a company to achieve the most appropriate remedies, ranging from injunctive relief and investigatory/remedial costs to exemplary damages.

A number of remedies are available to help companies recover losses caused by a network intrusion. Under the CFAA, companies can bring a private cause of action when unauthorized access to their computer systems results in a loss of at least $5,000, measured by the costs of responding to the offense or the direct costs from the interruption of service. But businesses should be sure to properly document their response costs to preempt efforts to dismiss a CFAA claim for failure to sufficiently allege the requisite “loss.” To show that access was not authorized, however, a business may need to show more than simply code-based restrictions (like CAPTCHA) and prohibitions in a website's terms of service—recent court decisions suggest that mere access to a “public” website is unlikely to constitute a CFAA violation, but sending an explicit cease and desist letter can maximize the odds of a successful CFAA claim.

Under the DMCA, copyright holders can sue if an intruder circumvents technical measures that restrict access to the copyrighted material. Websites and their underlying code can be protected by copyright law and copyright claims can be strengthened when a website owner formally registers the website's copyright. Bots have the ability to go around measures designed to prevent automated access and could potentially retrieve this copyrighted information.

These federal causes of action can be powerful instruments, but businesses may maximize their chances of recovering damages and stopping the infringing activity if they combine federal and state claims. State laws can provide a number of advantages. For example, under the Delaware Misuse of Computer System Information Act, there is no need to show harm suffered by a business owner when files are copied, the award of attorney fees is authorized for the prevailing party, and treble damages can be recovered where there has been a showing of willful and malicious conduct. Florida's CADRA similarly authorizes attorney fees for the prevailing party. Skillfully combining federal and state laws will provide a range of remedies to fully compensate victims of computer misuse and prevent further intrusions.

Plaintiffs can also buttress their claims by bringing other causes of action available in most states, including common law claims like trespass. Similar to physical trespass cases, a plaintiff suing for computer trespass doesn't need to establish that any specific harm occurred, but can rely on an intruder's interference with its “possessory interest.” In fact, numerous courts have ruled that a temporary electronic intrusion on a computer network can constitute a “trespass to chattels,” a common law cause of action in most states. And a plaintiff suing for computer trespass can recover the defendant's ill-gotten gains via a claim for unjust enrichment. If an individual were to use bots to scrape data from websites or networks, they would generally be liable for the value of the information they illicitly obtained.

The rise of automated processes such as bots is a palpable threat for companies with any sort of online presence. As with any rapidly evolving threat, both federal and state legislation is doing its best to play catch-up. But a thorough understanding of key legal remedies can equip today's businesses with the tools to mitigate and address any bot-related risks.

Steven W. Perlstein is a trial lawyer at Kobre & Kim who practices in the area of complex civil litigation. Benjamin J. Sauter is a litigator at the firm, focusing on financial products and services disputes. Beau D. Barnes represents clients in white-collar criminal defense matters, internal investigations, regulatory actions and commercial litigation.