The U.S. Federal Government passed the Computer Fraud and Abuse Act (18 U.S.C. § 1030) (CFAA) in 1986 as an amendment to the Comprehensive Crime Control Act of 1984, which included the first federal computer crime statute.
Since enacting the CFAA, Congress and the federal government have amended the act multiple times to extend its reach and impose criminal and civil liability on additional malicious computer activities. These amendments have been the topic of several prominent lawsuits and one traumatic suicide, forever shrouding the CFAA in controversy.
Today, the CFAA is the leading federal law that protects digital information from unauthorized access. The law governs every computer connected to the internet and non-network computers used by the federal government or financial institutions.
Below, this comprehensive guide lists the activities the CFAA criminalizes, outlines the protections it offers organizations, and discusses the outcomes of several notable Supreme Court cases.
What is the Scope of the Computer Fraud and Abuse Act?
When the federal government first enacted the CFAA, the act primarily criminalized the intentional use of a protected computer without authorized access.
However, over the years, through amendments and several Supreme Court rulings, the CFAA’s scope has been expanded to criminalize all of the following activities:
- Knowingly accessing a protected computer without authorization
- Knowingly exceeding authorized access to obtain confidential information
- Knowingly participating in the transmission of a program, code, or series of digital information with the intent to harm a computer system
- Intentionally causing damage to a protected computer system
- Knowingly using another individual’s password or access key to access a protected system
- Extortion that involves the use of a computer
- Trafficking passwords related to a protected computer
It’s important to note that the CFAA only covers activities committed against a protected computer. The CFAA defines “protected computers” to mean any computer:
- Used exclusively by a financial institution
- Used exclusively by the United States Government
- Used as part of a voting system or in the administration of a Federal election
- Used in or affecting interstate or foreign commerce (including computers outside the United States)
In 2008, Congress expanded the definition of “protected computers” to include any computer used in or affecting interstate or foreign commerce. This section of the “protected computer” definition is now the widest reaching. The term “affecting” gives the CFAA regulatory control over many computer activities.
As previously stated, the CFAA governs the activities of any computer connected to the internet and non-network computers that the federal government uses. The term “computer” includes many types of high-speed data processing devices, including:
- Laptops and desktop computers
- Cell phones and smartphones
- Cell towers, radio stations (United States v. Nosal)
- Websites (United States v. Drew)
- Restricted databases (United States v. Valle)
- Tablets, iPads, and video game devices (United States v. Nosal)
The CFAA explicitly states that it does not apply to automated typewriters, portable handheld calculators, or similar devices.
“Exceeding Authorized Access”
In 2021, the CFAA’s definition of “exceeds authorized access” was further clarified by the Supreme Court in Van Buren v. United States. The ruling narrowed the protections the CFAA could offer and resolved a long-standing divide among the federal courts.
The CFAA defines “exceeds authorized access” as knowingly accessing a computer with authorization and using such access to obtain or alter information in the computer that the accessor is not permitted to obtain or alter.
The application of this definition contributed to a notable split in the federal circuit courts. The courts disagreed on whether this applied to individuals who misuse information obtained from a computer or digital database they were permitted to access.
In the case, the court annulled Van Buren’s conviction and ruled that the CFAA could not hold employees liable for misusing sensitive information they were permitted to access. This ruling was noteworthy because it narrowed how employers could use the CFAA as an enforcement tool.
Note: While employers can’t use the CFAA to prosecute employees for misusing sensitive information they were permitted to access, employers can still prosecute employees for computer fraud, unlawful disclosure, computer extortion, etc.
Provisions of the CFAA
The CFAA applies strict punishments to individuals found in violation of its statutes. The following list includes the provisions the CFAA covers and the maximum sentences first-time offenders face if found guilty:
- Obtaining national security information - 10 years
- Intentionally damaging a computer through data transmission - 1 to 10 years
- Accessing a computer to defraud and obtain value - 5 years
- Extortion involving computers - 5 years
- Recklessly damaging a computer through intentional access - 1 to 5 years
- Accessing a protected computer and obtaining information - 1 to 5 years
- Trespassing in a government computer - 1 year
- Negligent damage or loss caused by deliberate access - 1 year
- Trafficking in passwords - 1 year
Second-time offenders found in violation of the CFAA will face more severe penalties and longer sentences.
Statute of Limitations
Plaintiffs must present CFAA actions to the courts within two years of either:
- The date the defendant committed the act
- The date the plaintiff discovered the unauthorized access or damages
Note: When determining the limitation period, organizations should be aware that the two-year period starts after they become aware of the unauthorized access, even if they don’t know the perpetrator's identity (Sewell v. Bernardin).
Employer Protections Under the CFAA
While the CFAA initially only protected government agencies and other organizations that operated protected computers, various employers have since used the act to prosecute negligent employees or ones who committed cyber crimes against them (commonly in retaliation for being let go).
Since the CFAA has a record of being interpreted differently by various federal circuit courts, the exact reach of the law is somewhat uncertain. Most organizations filing CFAA lawsuits rely on the act’s broad “protected computer” definition to prove the defendant’s actions affected interstate or foreign commerce.
Several organizations, such as Cisco and Reuters, have filed lawsuits against employees, arguing the employee’s actions qualify as a breach of the CFAA because they could reasonably cause further damage to many computer systems, including many defined as “protected computers.”
However, the Supreme Court’s ruling in Van Buren v. United States further limited how employers could use the CFAA to criminalize the actions of disgruntled or malicious employees.
Due to the varying interpretations of the CFAA and the law’s ambiguous nature, all employers should put other protections in place to safeguard their sensitive information.
To adequately protect their information and computer systems from hackers and employee misuse, organizations should use the following to establish an ample cause of action:
- Confidentiality/invention agreements
- Non-disclosure agreements
- Noncompete agreements
- Computer-use policies
- Information security policy
Data mapping involves correlating data fields from one database to another. Employers can use data mapping techniques to confirm where their sensitive data resides on their internal network.
Once an organization has identified where its sensitive data is stored, it can put data privacy controls in place to limit who has access to each category of information.
Zero trust is a cybersecurity model that doesn’t implicitly trust anything inside or outside its system. This data protection approach requires authentication before granting access to sensitive information.
While giving all employees full data access may seem more manageable, it’s safer to consider what information employees actually need and establish access restrictions based on that need. Sensitive information should remain encrypted behind a multi-factor authentication (MFA) system where only employees with a legitimate business need can gain access.
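The following is an added example (not code from the original article or from UpGuard) of how the data-mapping, need-to-know and MFA points above fit together in a single deny-by-default access check. It assumes an application mediates every request for a dataset; the data map, the roles, the classification labels and the 15-minute MFA freshness window are constructed for the illustration. Because the check limits which records each role can reach at all, the technical control does not depend on the CFAA’s post-Van Buren reading of “exceeds authorized access”: an employee who is not granted a dataset never obtains it in the first place.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Data map (constructed for this example): which store holds each dataset and
# how it is classified. In practice this is the output of the data-mapping work.
DATA_MAP: Dict[str, Dict[str, str]] = {
    "payroll": {"store": "hr-db", "classification": "restricted"},
    "customer_pii": {"store": "crm-db", "classification": "confidential"},
    "marketing_assets": {"store": "shared-drive", "classification": "internal"},
}

# Need-to-know matrix (constructed): for each dataset, the roles with a
# legitimate business need and the actions each role may perform.
# Any dataset/role/action combination absent from the matrix is denied.
NEED_TO_KNOW: Dict[str, Dict[str, Set[str]]] = {
    "payroll": {"hr_analyst": {"read"}, "payroll_admin": {"read", "write"}},
    "customer_pii": {"support_agent": {"read"}, "crm_admin": {"read", "write"}},
    "marketing_assets": {"marketing": {"read", "write"}, "sales_rep": {"read"}},
}

# Classifications that may only be reached behind a fresh MFA assertion.
MFA_REQUIRED_FOR = {"restricted", "confidential"}
MFA_MAX_AGE_SECONDS = 15 * 60  # assumed freshness window


@dataclass(frozen=True)
class Principal:
    user: str
    roles: FrozenSet[str]
    mfa_age_seconds: Optional[int]  # None: no MFA assertion in this session


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(principal: Principal, dataset: str, action: str = "read") -> Decision:
    """Deny-by-default decision: data map -> need-to-know -> MFA freshness."""
    entry = DATA_MAP.get(dataset)
    if entry is None:
        return Decision(False, "dataset not in data map")

    # Union of the actions granted by every role the principal holds here.
    permitted: Set[str] = set()
    for role in principal.roles:
        permitted |= NEED_TO_KNOW.get(dataset, {}).get(role, set())
    if not permitted:
        return Decision(False, "no need-to-know role for dataset")
    if action not in permitted:
        return Decision(False, f"action '{action}' not permitted for principal's roles")

    # Sensitive classifications additionally require a recent MFA assertion.
    if entry["classification"] in MFA_REQUIRED_FOR:
        if principal.mfa_age_seconds is None:
            return Decision(False, "MFA required for this classification")
        if principal.mfa_age_seconds > MFA_MAX_AGE_SECONDS:
            return Decision(False, "MFA assertion is stale; re-authenticate")

    return Decision(True, "need-to-know and authentication requirements met")


def audit_line(principal: Principal, dataset: str, action: str, decision: Decision) -> str:
    """One log line per decision, granted or denied, so access is reviewable later."""
    store = DATA_MAP.get(dataset, {}).get("store", "-")
    return (f"user={principal.user} dataset={dataset} store={store} action={action} "
            f"allowed={decision.allowed} reason=\"{decision.reason}\"")


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"hr_analyst"}), mfa_age_seconds=120)
    bob = Principal("bob", frozenset({"marketing"}), mfa_age_seconds=None)
    for who, ds, act in [(alice, "payroll", "read"), (alice, "payroll", "write"),
                         (bob, "marketing_assets", "write"), (bob, "payroll", "read")]:
        print(audit_line(who, ds, act, authorize(who, ds, act)))
```

The order of the checks matters: the data map is consulted first so that a dataset nobody has classified is unreachable rather than implicitly “internal”, the role check is applied before the MFA check so that a valid second factor never widens what a role may touch, and every outcome is logged so that a later dispute over who accessed what can be answered from records rather than policy documents alone.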
Timeline of Notable CFAA Amendments and Court Cases
The history of the CFAA can be confusing, given that the federal government has amended the act on many occasions. The following timeline aims to provide a clear record of each amendment and its impact:
- 1986: Congress passes the CFAA to amend the Comprehensive Crime Control Act
- 1994: Congress adds a civil cause of action to the law. The government also adds defrauding, password trafficking, and digital theft as offenses under the CFAA. The courts can now use the CFAA for criminal law enforcement and for civil actions against individuals acting maliciously, rather than just punishing their technical activities.
- 1996: Title II of the Economic Espionage Act expands the CFAA in three ways. First, the act broadens the scope of section 1030(a)(2) to include not just the theft of financial records but the theft of any information (including trade secrets) that involves interstate or foreign communication. Second, the act elevates many of the law's punishments to felony status. Third, “federal interest” terminology is swapped with “protected computers.”
- 2002: Congress passes the USA Patriot Act and expands the definition of “protected computers” to include a variety of data processing technology. The Patriot Act also adds new criminal penalties for malicious intent to damage a computer system used by the federal government.
- 2008: Congress expands the scope of the CFAA again to cover threats to steal data on a victim’s computer, publicly disclose sensitive information, and computer-related espionage. Congress also continues to expand the definition of “protected computers” to include any computer in or affecting interstate or foreign commerce.
The CFAA has also been the topic of many court cases. A few of these cases have made it to the U.S. Supreme Court and had vast implications on the scope and enforcement of the CFAA. The most notable court cases involving the CFAA are:
- United States v. Morris (1991): Dealt with the release of the Morris worm, an early computer worm. The courts convicted the worm's creator under the act's provisions.
- United States v. Rodriguez (2010): The court ruled that a Social Security Administration employee had breached the CFAA by violating his employer’s policy and using a work computer and SSA database to look up people he knew personally.
- United States v. Kane (2011): The court ruled that exploiting a bug in a poker machine does not constitute computer hacking because the device was not considered a protected computer. The case also found that the button presses that triggered the software bug did not constitute an improper purpose or exceed the individual’s authorized access. The defendant faced subsequent charges for wire fraud.
- United States v. Aaron Swartz (2011): Swartz entered an MIT wiring closet and set up his laptop to complete a mass download of articles on the database JSTOR. He avoided attempts by MIT to stop his activities by spoofing his MAC address. The court indicted Swartz on multiple counts. The judge dismissed the case after Swartz committed suicide.
- Lee v. PMSI, Inc. (2011): PMSI, Inc. sued a former employee for checking her personal email in violation of the company’s acceptable use policy. The court ruled that breaching an acceptable use policy did not constitute “unauthorized access” under the act. Therefore, the employee’s use of the computer did not violate the CFAA.
- Van Buren v. United States (2020): A sting operation caught a Georgia police officer misusing a license plate database. In June 2021, the Supreme Court overturned the conviction. The Supreme Court ruled that the CFAA defines “exceeds authorized access” as accessing protected information and portions of the computer system that are off-limits. The court also ruled that this definition does not apply to individuals who misuse information they are authorized to access.
How Can UpGuard Help?
While the CFAA imposes civil and criminal liability on negligent computer activities and aims to protect organizations against malicious intent, the law’s ambiguous nature can be troubling for organizations to navigate.
UpGuard BreachSight can empower your organization to monitor its attack surface 24/7. By utilizing the product, your organization can mitigate and remediate internal and external attacks and gain access to:
- Real-time updates (continuous monitoring),
- Comprehensive data leak detection,
- Remediation workflows,
- Security ratings,
- Custom report templates and more