The Computer Fraud and Abuse Act (CFAA)

Jason B. Freeman

Managing Member

214.984.3410
Jason@FreemanLaw.com

Mr. Freeman is the founding member of Freeman Law, PLLC. He is a dual-credentialed attorney-CPA, author, law professor, and trial attorney.

Mr. Freeman has been named by Chambers & Partners as among the leading tax and litigation attorneys in the United States and to U.S. News and World Report’s Best Lawyers in America list. He is a former recipient of the American Bar Association’s “On the Rise – Top 40 Young Lawyers” in America award. Mr. Freeman was named the “Leading Tax Controversy Litigation Attorney of the Year” for the State of Texas for 2019 and 2020 by AI.

Mr. Freeman has been recognized multiple times by D Magazine, a D Magazine Partner service, as one of the Best Lawyers in Dallas, and as a Super Lawyer by Super Lawyers, a Thomson Reuters service. He has previously been recognized by Super Lawyers as a Top 100 Up-And-Coming Attorney in Texas.

Mr. Freeman currently serves as the chairman of the Texas Society of CPAs (TXCPA). He is a former chairman of the Dallas Society of CPAs (TXCPA-Dallas). Mr. Freeman also served multiple terms as the President of the North Texas chapter of the American Academy of Attorney-CPAs. He has been previously recognized as the Young CPA of the Year in the State of Texas (an award given to only one CPA in the state of Texas under 40).

What is CFAA?

The Computer Fraud and Abuse Act (CFAA) criminalizes, among other things, the act of intentionally accessing a computer without authorization. The CFAA, which is codified at 18 U.S.C. 1030, was originally enacted by Congress in 1986 to combat various forms of “computer crime.” At that time, this was largely understood to cover “hacking or trespassing into computer systems or data.” The act has since been expanded and amended multiple times, as legislators seek to keep pace with advancements in technology and ingenuity.

The CFAA criminalizes the following general conduct:

Knowingly accessing a computer without authorization, or by exceeding authorized access and obtaining protected information;
Knowingly and with intent to defraud accessing a protected computer without authorization, or by exceeding authorized access, and obtaining anything with a value of more than $5,000 in a one-year period;
Knowingly causing the transmission of a program, information, code, or command, and thereby intentionally causing unauthorized damage to a protected computer;
Intentionally accessing a protected computer without authorization and recklessly causing damage; or
Knowingly and with intent to defraud trafficking in passwords or access information; and
Extortion involving computers.

Conspiracies and attempts to commit these acts are also criminalized under CFAA law. Federal law provides for potential imprisonment of up to 10 years for a violation of the CFAA and up to twenty years for a second offense. The chart below summarizes the various subsections of Section 1030 (CFAA) and the corresponding sentences:

CFAA Offenses

Offense	Section	Sentence
Obtaining National Security Information	(a)(1)	10 yrs (20)
Accessing a Computer and Obtaining Information	(a)(2)	1 or 5 yrs (10)
Trespassing in a Government Computer	(a)(3)	1 yr (10)
Accessing a Computer to Defraud and Obtain Value	(a)(4)	5 yrs (10)
Intentionally Damaging by Knowing Transmission	(a)(5)(A)	1 or 10 yrs (20)
Recklessly Damaging by Intentional Access	(a)(5)(B)	1 or 5 yrs (20)
Negligently Causing Damage and Loss by Intentional Access	(a)(5)(C)	1 yr (10)
Trafficking in Passwords	(a)(6)	1 yr (10)
Extortion Involving Computers	(a)(7)	5 yrs (10)
Attempt and Conspiracy to Commit such an Offense	(b)	10 yrs for attempt but no penalty specified for conspiracy in section (c)

Civil Cause of Action

In some circumstances, the CFAA law also provides for a civil cause of action if a plaintiff can demonstrate the following:

Loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
Physical injury to any person;
A threat to public health or safety;
Damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
Damage affecting 10 or more protected computers during any 1-year period.

18 U.S.C. § 1030(c)(4)(A); see also id. at § 1030(g). Civil CFAA actions are on the rise, and can often provide strategic litigation advantages over related claims (such has misappropriation of trade secrets)—for instance, by providing for federal subject matter jurisdiction.

The CFAA is perhaps the most important—certainly the most comprehensive—federal statute governing computer crimes and violations. It is the primary federal statute protecting computers and digital information from unauthorized intrusions. As advancements in technology continue to open new doors and methods of computer intrusion, the use of the CFAA law and other criminal laws to combat computer intrusion will also continue to grow.

For more on Computer-related criminal statutes, see our post: Computer Crimes.

Expert Computer Crimes Defense Attorneys

Accused of a computer crime? Contact us as soon as possible to discuss your rights and the ways we can assist in your defense. We handle all types of cases, including complex computer fraud allegations. Schedule a consultation or call (214) 984-3410 to discuss your computer fraud issues or questions.