The Computer Fraud and Abuse Act (“CFAA”) is a bill that was enacted in 1986 by Congress as an amendment to existing computer fraud law (the Comprehensive Crime Control Act of 1984). In short, the Act prohibits accessing a computer without authorization. Originally, the act was enacted to protect federal classified information maintained on federal computers, as well as financial and credit records stored on government and financial institution computers.
Original applications of the act were to prosecute mail and wire fraud, but the act has evolved since and taken on greater importance in battling other computer crimes such as hacking. This is because with the growth of technology, the federal government has sought to expand computer protection. Now, the CFAA protects all computers involved in both interstate and foreign commerce, as well as any computer connected to the internet.
What Does the Computer Fraud and Abuse Act Cover?
The Computer Fraud and Abuse Act provides a civil cause of action against any individual who “intentionally accesses a computer without authorization or exceeds authorized access” and in doing so obtains or misuses information obtained from the illegal use of the computer. The Act also creates criminal offenses in cases where individuals intentionally access a computer without authorization and obtain government information “pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations.”
For example, an individual that hacks into a government database to access federal background information on other individuals could be charged under the Act. However, an individual that has access to such a database may not be charged under the Act for doing the same, unless they exceed their authorization.
What Is A Protected Computer under the CFAA?
Protected computers under the CFAA include any computer that:
- Is exclusively for the use of a financial institution or the United States Government, or used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
- Any computer which is used in interstate or foreign commerce or communication, including computers located outside the United States that are used in a manner that affects interstate or foreign commerce or communications.
In addition to protecting government information, the Act also protects other information on computers, such as:
- Information Concerning Financial Records: The Act makes it a criminal offense for any individual to intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtain:
- Information contained in a financial record of a financial institution;
- Information of a card issuer; or
- Information contained in a file of a consumer reporting agency on a consumer.
- Information Concerning Interstate or Foreign Commerce: The Act also makes it a criminal felony offense to obtain information from any protected computer if the conduct involves interstate or foreign communications; and/or
- Valuable Information Affected By Malware: If a user intentionally transmits malware to a protected computer, and more than $5,000 damages result from such use, the individual that hacked the computer could be charged with a felony. Further, the Act also protects any information valued at over $5,000, not including the computer itself, that is obtained fraudulently.
What Are Common Examples of Computer Crime That the CFAA Covers?
As mentioned above, the CFAA has been amended multiple times since its enactment to cover a broader range of computer related crimes. The most common examples of computer crimes that the CFAA covers include, but are not limited to:
- Espionage: Once again, the CFAA prevents individuals from knowingly accessing government computers to obtain classified information that is present on those computers or accessible by those computers;
- Confidentiality of Financial Computer Data: The CFAA makes it a crime to access financial records and credit files stored on computers, such as computers contained within or maintained by public or private financial institutions;
- Unauthorized Access of Government Databases: The CFAA makes it a crime for any individual to access a government computer unauthorized, or exceed their authorization in the use of a government computer;
- Computer Fraud: The CFAA makes it a crime to access and fraudulently use a protected computer to obtain anything valued at more than $5,000 in any one-year period. It is important to note that this does not typically include the value of the computer;
- Viruses: The CFAA makes it a crime for anyone who deliberately submits a program, information, code or command which causes damages in excess of $5,000;
- Passwords: The CFAA prohibits anyone from posting or sharing passwords that may lead to another individual’s unauthorized access to computers; and/or
- Extortion: The CFAA prohibits anyone from taking money or any other thing of value by coercion or threat using a computer device.
What Are the Penalties for Violating the CFAA?
If an individual is found guilty of committing any of the crimes listed under the CFAA, they will face criminal fines and possible imprisonment. Federal law provides that first time offenders caught violating the CFAA may be punished with criminal fines of up to $5,000 per crime, imprisonment from 1 to 10 years, or a combination of both. For second time offenders, the CFAA provides that the offender will have to pay criminal fines of up to $5,000 for each violation, imprisonment for up to 20 years, or a combination of both.
For example, if an individual was found to be trespassing in a government computer, they will likely face imprisonment of 1 to 10 years depending on the information they obtained, and fines of up to $5,000. If an individual is found to be obtaining passwords without authorization, then they may face fines of up to $5,000 per criminal act, and imprisonment of 1 year.
As mentioned above, in addition to criminal punishments, the CFAA also provides a civil cause of action for individuals harmed by computer fraud or abuse. Therefore if an injured person (also known as a plaintiff) can demonstrate they were harmed by a criminal act covered under the CFAA, they may also sue that individual privately. In order to succeed in their civil case, the plaintiff will have to demonstrate that they suffered a loss during any 1 year period, which resulted in a monetary value loss of at least $5,000 in value.
Although there are other civil causes of actions which a plaintiff may bring a civil suit under, civil actions brought through the CFAA are on the rise as they provide plaintiffs with federal subject matter jurisdiction. In other words, there are strategic advantages for plaintiffs that bring a civil claim under the CFAA.
Do I Need a Lawyer for Help With the Computer Fraud and Abuse Act?
As can be seen, the criminal penalties associated with violating the Computer Fraud and Abuse Act can be severe. Therefore, if you have been accused or charged with violating the Computer Fraud and Abuse Act, then you should immediately consult with an experienced criminal defense attorney. An experienced criminal defense attorney will be able to represent you in court, as needed. Further, an attorney will also be able to help you disprove the prosecution’s case.
If you have been financially harmed as a result of another person violating the Computer Fraud and Abuse Act, you should consult with an experienced business attorney specializing in cyberspace law. An experienced business attorney can help you determine if you can bring a civil action against the individual who harmed you under the CFAA, or if you should bring your civil action under another legal theory. Finally, an attorney can also file a civil lawsuit on your behalf, and represent you in court, as necessary.