The Computer Fraud and Abuse Act Understanding It's Functions

What is the Computer Fraud and Abuse Act?

The U.S. government has long been aware of the need for criminal laws regarding cybercrimes and hacking, as well as the need to adapt those laws to address the rapid advancement of technology and its many implications. The Computer Fraud and Abuse Act (CFAA) was enacted in 1986 as an amendment to the first federal computer fraud law, and it has been amended a number of times throughout the years to cover a broad range of conduct far beyond its original intent.

Today, the Department of Justice devotes considerable resources and attention to enforcing criminal laws regarding the use of computers and the internet for unlawful purposes. Often, this is done through the patchwork of laws developed as part of the Computer Fraud and Abuse Act (18 U.S.C § 1030).

General Functions:

  • Prohibit intentional access of a computer without authorization or in excess of authorization.
  • Impose harsh penalty schemes for criminal and civil penalties.

Although the CFAA is intended to apply to computers in which the federal government has an interest, nearly any computer can be subject to the law because computing devices connected to the internet (including cell phones) transmit, receive, and exchange data across state and country lines. Expansion of the CFAA over the years, in addition to expansion of specialized cybercrime law enforcement divisions, has also resulted in its aggressive and widespread use for prosecuting a range of computer-related crimes. The scope and ambiguity of the CFAA today has made it a topic of extensive debate, especially over its constitutional vagueness and inability of courts to interpret it consistently.

What Crimes are Illegal Under the Computer Fraud & Abuse Act?

Sweeping amendments of the CFAA have broadened its scope to include a range of computer-related crimes and prohibited conduct.

Categories of Crimes

  • Computer espionage - 18 U.S.C. § 1030(a)(1)
  • Unauthorized access and obtaining information - 18 U.S.C. § 1030(a)(2)
  • Computer trespassing in a government computer - 18 U.S.C. § 1030(a)(3)
  • Committing fraud with a computer - 18 U.S.C. § 1030(a)(4)
  • Damaging a protected computer - 18 U.S.C. § 1030(a)(5)
  • Trafficking in passwords of a government or commerce computer - 18 U.S.C. § 1030(a)(6)
  • Threatening to damage a protected computer - 18 U.S.C. § 1030(a)(7)
  • Conspiracy - 18 U.S.C. § 1030(a)(b)

Based on the nature of the crime and alleged damages or losses, penalties for violating the CFAA can include substantial terms of imprisonment in a federal prison, forfeiture, restitution, and potential civil liability.

Key Aspects of CFAA Crimes

The Computer Fraud and Abuse Act imposes serious criminal penalties, as well as civil damages and remedies, in cases that generally involve intentional access of a computer without authorization (or which exceeds authorization), obtainment of information from any protected computer, or causing damage to a computer.

These terms and how they are defined by the act comprise are key aspects of these cases.

  • Access – Courts have ruled that unlawful access occurs when the use and access of a computer were contrary to the interests of the party involved. This may include access that was not authorized or permitted for any reason or access that exceeds the scope of authorization if some access was granted.
  • Damage – Damage is constituted as any impairment to the availability or integrity of a program, system, or data. This damage may also result in losses such as costs to a victim, including their response to damage, assessment of that damage, and restoration of the information to its condition prior to when the offense occurred, as well as lost revenue and other damages incurred due to service interruption. Damages and losses must be at least $5,000 to meet the statutory threshold. Physical damage is not required to allege losses or damages.

Criminal Prosecution: What the CFAA Means for Defendants

The CFAA’s breadth means that it is overwhelmingly used to charge individuals for federal crimes and to penalize those individuals with significant terms of imprisonment and hefty criminal and civil fines upon conviction.

Amendments that expanded the law in significant ways:

  • Any information of any kind – While the CFAA was originally limited to unauthorized access leading to the obtainment of financial records from financial institutions, it was expanded in 1996 to prohibit unauthorized access that leads to obtainment of any information of any kind, provided the conduct involved communication that crossed state or foreign lines (which nearly every computer can do).
  • Damage enhancement – Amendments have added felony enhancements that turn misdemeanor violations into felonies if the crime was committed to further any crime or tortious act (one that results in civil liability), was committed for financial gain, or if the value of information obtained was more than $5,000.
  • Protected computers – 1996 Amendments replaced the term “federal interest” computers to “protected computers,” which is loosely defined as a machine that “used” interstate commerce. Because every computer connected to the internet is used in interstate commerce or communication, the law can be interpreted as defining any computing device connected to the internet as a “protected computer” subject to the CFAA. The Patriot Act passed after 9/11 and 2008 amendments also expanded “protected computers” to include those which involve or affect foreign commerce or communications, and added new felony triggers, including conduct that involves or affects any computer used by or for a government entity for national security, defense, or the administration of justice.
  • More crimes – Years of amendments have expanded conduct prohibited by the CFAA. In 2008, Congress also expanded 18 U.S.C. § 1030(a)(7) to make it a crime to not only threaten damage to a computer, but also to make threats to steal data, publicly disclose stolen data, or not repair damage already caused. Certain provisions of the CFAA make it a federal offense to violate website terms of service and make it a tool that can be used to prohibit legitimate activities such as research or remove protections that would otherwise exist elsewhere in law.

These and other expansions of the CFAA, as well as its vagueness in defining what constitutes certain terms like “without authorization,” creates difficulties for defendants who argue that they were within their rights to access or obtain certain information, should have their case handled in state court, did not intend to defraud, or should otherwise not face the offense or penalties levied against them by the federal government.

Experienced Cybercrime Defense Attorneys Can Help

The Computer Fraud and Abuse Act is one of the most far-reaching criminal laws in the federal code, and it is rife with complexities that make for challenging and high stakes cases when individuals have been accused of violating its laws. Because vagueness and broad interpretation also negatively impact due process and fail to provide clear guidelines for law enforcement that investigates, arrests, and prosecutes suspects, it becomes critical that any person facing investigations or charges under the CFAA seek immediate representation from experienced defense attorneys like those at Friedman & Nemecek, L.L.C. Attorneys at Law.

Cleveland-based Criminal Defense Attorney Ian N. Friedman and our team of proven defense lawyers have extensive experience protecting the rights, freedoms, and futures of clients being investigated or charged for all types of internet and computer-related crimes, including federal cybercrimes prosecuted under the Computer Fraud and Abuse Act. This includes a recent successful case result in which our team was able to effectively argue that losses alleged by the federal government for violations of the CFAA were drastically less than claimed, which allowed our client to plead to a significantly reduced offense and receive a minimal term of probationary supervision rather than a substantial prison term.

If you wish to discuss a potential cybercrime case, contact us for an initial consultation.

  • American Board
  • Best Lawyers - Lawyer of the Year 2019
  • Super Lawyers
  • The Best Lawyers In America
  • AVVO
  • ABA
  • ACLU
  • OACDL
  • American Bar Foundation
  • Cleveland Metropolitan Bar Association