Federal Cybercrime — The Computer Fraud and Abuse Act (CFAA)
18 U.S.C. § 1030: hacking, unauthorized access, and exceeding authorized access
The Computer Fraud and Abuse Act: Unauthorized Access
The Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030, is a federal law enacted in 1986 to address the growing problem of computer-related crimes such as hacking, unauthorized access, and data theft. One of its primary provisions, § 1030(a)(2), makes it illegal to intentionally access a protected computer without authorization or to exceed authorized access.
Unauthorized access under § 1030(a)(2) typically involves gaining entry to a system that one is not supposed to have access to. This could be hacking into government systems, corporate networks, or any other system that requires authentication and has security measures in place to keep unauthorized users out. For example, if an employee of Company A logs into Competitor B's database without permission, they are committing a federal crime under this section.
The term "without authorization" can be tricky to define in legal terms, but it generally means accessing information or systems that one has no right to access. For instance, if an individual uses someone else's password to get into that person's email account without permission, they are accessing it without authorization in violation of the CFAA.
It is important to note that while § 1030(a)(2) criminalizes unauthorized access, it does not address the use of stolen information for subsequent crimes. For example, using credit card numbers obtained from an illegal hacking operation to make fraudulent purchases would fall under other statutes such as fraud or identity theft.
Exceeding Authorized Access and Damaging Protected Computers
The CFAA also prohibits the act of "exceeding authorized access" to a protected computer, which is covered under § 1030(a)(5). This provision covers scenarios where an individual has permission to use certain systems or data but goes beyond their granted authority. For example, if a database administrator uses their legitimate credentials to view and modify sensitive customer records outside the scope of their job duties, they could be violating this section.
Another critical aspect of § 1030(a)(5) is damage to protected computers. This can include altering or damaging computer data or programs without authorization, leading to a loss that meets certain thresholds as outlined by the statute. The specific types of damage covered under this provision range from causing system disruptions and deletion of data to introducing malware or viruses into a network.
To qualify as "damage" for CFAA purposes, the conduct must cause actual monetary loss or harm exceeding $5000 over a one-year period, or be part of an international conspiracy involving at least two people. For instance, if a hacker successfully deploys ransomware on a network, causing significant downtime and economic losses to the victim, this could meet the threshold for "damage" under the CFAA.
Moreover, the definition of what constitutes a “protected computer” is crucial in determining whether an action falls under federal jurisdiction. According to § 1030(e)(2), any computer that affects interstate or foreign commerce, or which uses or accesses information from financial institutions or government departments and agencies, qualifies as a protected computer. Essentially, this means that almost any modern computer system connected to the internet could potentially be covered by the CFAA.
The Circuit Split on 'Exceeds Authorized Access' Resolved in Van Buren v. United States
One of the most significant challenges in interpreting the CFAA has been understanding what it means to "exceed authorized access." Prior to 2021, there was a split among federal circuits regarding this term. Some courts held that exceeding authorized access only applied when an individual accessed data they were not allowed to see at all. Others took a broader view, arguing that accessing information within the bounds of one's authority but in contravention of company policies or agreements could also constitute "exceeding authorized access."
In Van Buren v. United States, 141 S.Ct. 1730 (2021), the Supreme Court resolved this long-standing circuit split by adopting a narrower interpretation of “exceeds authorized access.” The case involved an officer who was bribed to run a license plate check through his police department’s database, despite clear restrictions against such use. The Supreme Court held that “the term ‘exceeds authorized access’ under § 1030(a)(2) does not extend to violations of employer policies or agreements concerning the use of information obtained from within the scope of one’s authority.” This ruling significantly narrowed the reach of the CFAA, limiting it primarily to instances where an individual intentionally gains unauthorized entry into a system.
Understanding this distinction is crucial for both prosecutors and defense attorneys when assessing cases involving alleged breaches of computer security or misuse of access. For defendants, it means that while using company data in ways prohibited by internal policies may still carry serious consequences under state or other federal laws, such conduct no longer falls within the reach of § 1030(a)(2) after Van Buren.
Lastly, anyone dealing with a potential CFAA violation should be aware of the sentencing guidelines. The Sentencing Guidelines Manual provides a framework for calculating sentences based on various factors, including the amount of loss or damage caused by the offense. Under § 2B1.1, the base offense level is adjusted according to the amount of loss; if the loss exceeds $5000 but is less than $15,000, the offense level may increase by one to four levels depending on the extent and nature of the loss.
For defense attorneys, this means that mitigating any potential financial damage or demonstrating lack of intent can be crucial in reducing the impact of a CFAA violation. Understanding how to navigate these guidelines is key to providing effective representation and potentially negotiating more favorable outcomes for clients facing such charges.
Understanding the nuances of unauthorized access, exceeding authorized access, and damage under the Computer Fraud and Abuse Act is essential for anyone navigating the complex landscape of federal cybercrime. Legal professionals must stay abreast of both statutory changes and judicial interpretations to provide effective counsel in this rapidly evolving field.