Fighting Digital Threats And Winning Courtroom Battles
Steven W Perlstein and Beau D Barnes
12 July 2018
Legal experts at US law firm Kobre & Kim have in the past talked about some of the issues generated by cyber-criminals and other digital menaces. In this article, they go into detail on what wealth management firms can and should do to protect themselves from attack, and explore some of the particular threats. The editors are pleased to share these views; readers who want to reply or add to debate should email tom.burroughes@wealthbriefing.com.
The world’s economic activity increasingly takes place online, facilitated by automated systems like bots, software applications that execute tasks online at speeds and scales unreachable by human users. Bots can overload databases, crash websites, scrape data, deceive search engines, inflate social media metrics, crowd out authentic content, and abuse platform access privileges, leading to network interruptions, system failures, and, ultimately, lost revenue and remediation costs. And they are ubiquitous — a recent study found that almost 20 per cent of worldwide website traffic was from malicious bot activity.
But companies can fight back with a variety of legal tools under federal and various state laws, and counsel for companies grappling with the impact of bots should understand how to utilize the various protections available.
1) Companies can bring a private cause of action when unauthorized access to their computer system results in a loss of at least $5,000.
Under the Computer Fraud and Abuse Act (CFAA), in order to demonstrate that a user’s access was not authorized, a victim of improper bot activity may need to show more than simply code-based restrictions or prohibitions in a website’s terms of service. Recent court decisions, however, suggest that additional measures - such as a cease-and-desist letter expressly revoking a user’s authorization to access a website and the implementation of other technical measures - can maximize the chances of a successful CFAA claim.
In addition, the victim’s required loss can consist of “the cost of responding to an offense” or any other costs “incurred because of interruption of service,” including temporarily overloading a system beyond its intended capacity.
2) Copyright holders can sue if an intruder circumvents technical restrictions to access their website.
The Digital Millennium Copyright Act prohibits circumventing “a technological measure” that restricts access to copyrighted work. Websites and their underlying code can be protected by copyright law, a presumption that is strengthened when a copyright is registered. Password restrictions are the most common anti-circumvention measure, but bot activity that circumvents measures designed to prevent only automated access, such as the robot exclusion protocol robots.txt, CAPTCHA APIs, or IP-address blocking, could also trigger a DMCA claim.
3) Causes of action under state law can recover an intruder’s ill-gotten gains even if a computer system is not damaged.
A number of courts have held that a temporary electronic intrusion on a computer network constitutes “trespass to chattels,” a common law cause of action in most states. As in analogous physical trespass cases, a plaintiff generally need not establish that any specific harm occurred and can rely instead on the intruder’s interference with its “possessory interest.” Rather than recovering damages, plaintiffs suing for computer trespass can recover the defendant’s ill-gotten gains via an unjust enrichment remedy. Persons using bots to scrape data from websites or networks, for example, will generally be liable for the value of the information they acquired via the intrusion.
Bots can overwhelm even the most well-protected networks and hurt a company’s bottom line, but bringing these causes of action can help companies protect their valuable computer systems and fight back.
Steven W Perlstein and Beau D Barnes are litigators at Kobre & Kim, an Am Law 200 firm focusing exclusively on disputes and investigations, often involving fraud and misconduct. Mr. Perlstein and Mr. Barnes are government enforcement defense and investigations lawyers who regularly serve as counsel in data security-related disputes, particularly with regard to privacy and cybersecurity incident response matters and civil remedies available to prevent the widespread dissemination of proprietary information.