Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act prohibits intentionally accessing a computer without authorization or in excess of authorization.
- called the anti-hacking law
- passed in 1984
Overview
- first piece of federal legislation that identified computer crimes as distinct offenses
- provides both criminal and civil penalties
- limits federal jurisdiction to situations where:
  - cybercrime is interstate in nature
  - or when certain “protected computers” are the target of crime
- criminalizes the act of causing certain types of damage to a protected computer without authorization or by exceeding authorized access
- A protected computer is any of the following:
  - federal government computer
  - financial institution computer
  - computer used in interstate or foreign commerce
- treats protected computers as the victim of a crime
Info
The CFAA does not define what access “without authorization” means.
However, it does define what “exceeding authorized access” means.
- The failure to define the scope and limits of “without authorization” is one of the biggest criticisms of the CFAA
- Many CFAA cases boil down to questions of access
- There is a split among federal courts as to the meaning of authorized access under the CFAA
- In April 2020, the U.S. Supreme Court agreed to hear a CFAA case in its upcoming term.
- The name of the case to watch is Van Buren v. United States.
Criminal Activity and Penalty
| CRIMINAL ACTIVITY | ACTION | GENERAL PENALTY |
|---|---|---|
| Protected computer trespass | Unauthorized access | A defendant can receive a fine, or up to 1 year in prison, or both. |
| Obtaining information from a protected computer | Unauthorized access; access in excess of authorized access | A defendant can receive a fine, or up to 1 year in prison, or both. The defendant also can be sentenced for a felony and up to 5 years in prison if aggravating factors exist. Repeat offenders can receive a fine, or 10 years in prison, or both. |
| Access of a protected computer with intent to defraud | Unauthorized access; access in excess of authorized access | A defendant can receive a fine, or up to 5 years in prison, or both. |
| Access to a protected computer that causes damage | Knowingly transmits a program, information, or code that intentionally causes damage; intentional access that recklessly causes damage; intentional access that causes damage and loss | Damage by Code Transmission: A defendant can receive a fine, or 10 years in prison, or both. The defendant also can receive 20 years in prison for subsequent convictions or causing damage leading to serious bodily injury. A defendant can receive life imprisonment if the offense causes or attempts to cause death. Reckless Damage: A defendant can receive a fine, or 5 years in prison, or both. Repeat offenders can receive a fine, or 20 years in prison, or both. Damage and Loss: A defendant can receive a fine, or 10 years in prison, or both. |
| Threatening to damage a computer | Intent to extort | A defendant can receive a fine, or up to 5 years in prison, or both. |
| Trafficking in passwords | Knowing action, with intent to defraud | A defendant can receive a fine, or up to 1 year in prison, or both. Repeat offenders can receive a fine, or 10 years in prison, or both. |
| Computer espionage | Knowing access and willful transmission of information that could be used to injure the U.S. or its interests | A defendant can receive a fine, or up to 10 years in prison, or both. |