Bots are everywhere. As every aspect of society becomes more dependent on technology, these automated programs have become increasingly important in our everyday lives. Bots help social media companies curate user feeds and search engines rank search results. Digital “personal assistants” have automated travel booking and the processing of expense accounts. Bots add value by facilitating the execution of online tasks at speeds and scales unreachable by human users.

But the ubiquity of bots has a dark side, threatening both governmental and commercial institutions. Russian actions during the 2016 U.S. election put a spotlight on the negative effects of bots, which were used to flood social media feeds with propaganda intended to influence voters. Bots are also used for an array of market-damaging practices, including the exploitation of new account promotions, the fraudulent reservation of blocks of airline seats, website slowdowns, distributed denial-of-service (DDoS) attacks, rogue online reviews, content scraping, and other harmful practices. Bots are particularly threatening to businesses with an online presence because they can extract value and information from a company without consent.

This dark side shows no signs of abating. A recent study found that almost 20% of worldwide website traffic was from malicious bot activity. The beneficial aspects of certain bots make a single uniform legislative fix impractical, yet issue-specific legislation has been slow to catch up with the dangers posed by bots in particular contexts. Therefore, uncertainties remain regarding the application of existing laws to these new situations. Against this backdrop, businesses must familiarize themselves with the legal landscape and tools available to defend themselves against unwanted bot activity. Bots are here to stay, but businesses can fight back.

The U.S. Legal Landscape

There is no single comprehensive U.S. law addressing the rise of bots. Instead, as in many substantive areas of the U.S. legal system, a patchwork of laws intended for different scenarios together forms a body of law full of nuance. The Computer Fraud and Abuse Act (CFAA) is the primary federal legislation that governs cybercrime in the United States. Originally enacted in 1984 as a criminal law to protect classified information in government systems, the CFAA was expanded ten years later with a private right of action for parties to seek compensatory damages and injunctive relief. Under the CFAA, a plaintiff has to demonstrate two key elements in order to bring a claim: (1) that the defendant accessed the plaintiff's computer without authorization or while exceeding their authorization; and (2) that the intrusion resulted in one of a variety of harms, including a loss of at least $5,000. Businesses can usually satisfy the threshold loss amount by referencing costs associated with the internal damage assessment, or the cost of any response to the offense.