The Computer Fraud and Abuse Act

In 1986, U.S. Congress enacted the Computer Fraud and Abuse Act (CFAA), The CFAA was enacted to combat various types of “computer crime.” The Act criminalized, among other things, the act of intentionally accessing a computer without authorization.  In 1986, this meant “hacking or trespassing into computer systems or data.” The CFAA has been expanded and amended multiple times, as legislators attempt to keep pace with rapid advancements in technology and ingenuity.

Defining the Crime

The CFAA criminalizes the following:

  • Knowingly accessing a computer without authorization, or by exceeding authorized access, and obtaining protected information;
  • Knowingly and with intent to defraud accessing a protected computer without authorization, or by exceeding authorized access, and obtaining anything with a value of more than $5,000 in a one-year period;
  • Knowingly causing the transmission of a program, information, code, or command, and thereby intentionally causing unauthorized damage to a protected computer;
  • Intentionally accessing a protected computer without authorization and recklessly causing damage; or
  • Knowingly and with intent to defraud trafficking in passwords or access information; and extortion involving computers.

The Penalties

Conspiracies and attempts to commit these acts are also criminalized under the CFAA. Federal law provides for imprisonment of up to 10 years for a violation and up to twenty years for a second offense. Offenses include, but are not limited to, Obtaining National Security Information, Accessing a Computer and Obtaining Information, Trafficking in Passwords, and Extortion Involving Computers,

In some circumstances, the CFAA also provides for a civil cause of action if a plaintiff can demonstrate the following:

  • Loss to 1 or more persons during any 1-year period aggregating at least $5,000 in value;
  • The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
  • Physical injury to any person;
  • A threat to public health or safety;
  • Damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
  • Damage affecting 10 or more protected computers during any 1-year period.

Civil CFAA actions are on the rise. As of now, the CFAA is one of the most comprehensive federal statutes governing computer crimes and violations. It is the primary federal statute protecting computers and digital information from unauthorized intrusions.  As technology advances and new methods of computer intrusion arise, the CFAA and other criminal laws are attempting to keep pace in order to combat computer intrusion.

Posted in: