The Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act (CFAA) criminalizes, among other things, the act of intentionally accessing a computer without authorization. The CFAA, which is codified at 18 U.S.C. 1030, was originally enacted by Congress in 1986 to combat various forms of “computer crime.” At that time, this was largely understood to cover “hacking or trespassing into computer systems or data.” The act has since been expanded and amended multiple times, as legislators seek to keep pace with advancements in technology and ingenuity.
The CFAA criminalizes the following general conduct:
- knowingly accessing a computer without authorization, or by exceeding authorized access, and obtaining protected information;
- knowingly and with intent to defraud accessing a protected computer without authorization, or by exceeding authorized access, and obtaining anything with a value of more than $5,000 in a one-year period;
- knowingly causing the transmission of a program, information, code, or command, and thereby intentionally causing unauthorized damage to a protected computer;
- intentionally accessing a protected computer without authorization and recklessly causing damage; or
- knowingly and with intent to defraud trafficking in passwords or access information; and
- extortion involving computers.
Conspiracies and attempts to commit these acts are also criminalized under the CFAA. Federal law provides for potential imprisonment of up to 10 years for a violation of the CFAA and up to twenty years for a second offense. The chart below summarizes the various subsections of Section 1030 (CFAA) and the corresponding sentences:
|Obtaining National Security Information||(a)(1)||10 yrs (20)|
|Accessing a Computer and Obtaining Information||(a)(2)||1 or 5 yrs (10)|
|Trespassing in a Government Computer||(a)(3)||1 yr (10)|
|Accessing a Computer to Defraud and Obtain Value||(a)(4)||5 yrs (10)|
|Intentionally Damaging by Knowing Transmission||(a)(5)(A)||1 or 10 yrs (20)|
|Recklessly Damaging by Intentional Access||(a)(5)(B)||1 or 5 yrs (20)|
|Negligently Causing Damage and Loss by Intentional Access||(a)(5)(C)||1 yr (10)|
|Trafficking in Passwords||(a)(6)||1 yr (10)|
|Extortion Involving Computers||(a)(7)||5 yrs (10)|
|Attempt and Conspiracy to Commit such an Offense||(b)||10 yrs for attempt but no penalty specified for conspiracy in section (c)|
In some circumstances, the CFAA also provides for a civil cause of action if a plaintiff can demonstrate the following:
- loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
- the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
- physical injury to any person;
- a threat to public health or safety;
- damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
- damage affecting 10 or more protected computers during any 1-year period.
18 U.S.C. § 1030(c)(4)(A); see also id. at § 1030(g). Civil CFAA actions are on the rise, and can often provide strategic litigation advantages over related claim (such has misappropriation of trade secrets)—for instance, by providing for federal subject matter jurisdiction.
The CFAA is perhaps the most important—certainly the most comprehensive—federal statute governing computer crimes and violations. It is the primary federal statute protecting computers and digital information from unauthorized intrusions. As advancements in technology continue to open new doors and methods of computer intrusion, the use of the CFAA and other criminal laws to combat computer intrusion will also continue to grow.
For more on Computer-related criminal statutes, see our post: Computer Crimes.