Computer fraud law addresses unauthorized access to computer systems, data theft, and related cybercrimes. The federal Computer Fraud and Abuse Act provides the primary criminal and civil framework, supplemented by state laws and sector-specific regulations. As digital systems become central to commerce and daily life, computer fraud cases have grown in complexity and importance.
The Computer Fraud and Abuse Act
CFAA criminalizes unauthorized access to protected computers. Protected computers include any computer used in interstate or foreign commerce, effectively covering all internet-connected devices.
Access without authorization is the core prohibition. The meaning of “without authorization” has been heavily litigated. Does it require hacking, or can it include violating terms of service?
Exceeding authorized access extends liability to insiders who access systems they may use but for unauthorized purposes. Employees accessing data beyond their job duties may violate CFAA.
The Van Buren decision narrowed CFAA scope. The Supreme Court held that exceeding authorized access requires accessing areas of a computer the user was not entitled to access at all, not merely misusing permitted access.
Tiered penalties depend on the offense. Simple unauthorized access is a misdemeanor. Accessing to obtain valuable information, cause damage, or commit fraud increases penalties.
Types of Computer Crimes
Hacking involves gaining unauthorized access to systems through technical exploitation. Vulnerability exploitation, password cracking, and social engineering achieve unauthorized entry.
Data theft extracts valuable information including trade secrets, personal data, and financial information. Exfiltration may occur over extended periods before detection.
Ransomware encrypts victim data and demands payment for decryption. Attacks on critical infrastructure have made ransomware a national security concern.
Denial of service attacks overwhelm systems to prevent legitimate use. Botnets of compromised computers generate attack traffic.
Phishing deceives users into revealing credentials or installing malware. Spear phishing targets specific individuals with customized deception.
Business email compromise redirects payments through fraudulent instructions. Losses from BEC exceed other computer fraud categories.
Criminal Prosecution
Federal prosecution is handled by DOJ Computer Crime units and U.S. Attorneys. FBI, Secret Service, and other agencies investigate.
Charging decisions consider offense severity, victim impact, defendant sophistication, and deterrence value. Minor intrusions may receive warnings rather than prosecution.
Sentencing follows federal guidelines. Base offense levels depend on loss amount, number of victims, and sophistication. Enhancements apply for critical infrastructure, government systems, and prior convictions.
Plea negotiations are common. Cooperation with investigation can reduce sentences. Defendants with valuable intelligence about criminal networks may receive significant consideration.
Forfeiture of proceeds and instrumentalities accompanies conviction. Equipment used in attacks and profits from crimes are subject to seizure.
Civil CFAA Claims
Private right of action allows victims to sue for damages and injunctive relief. Civil claims require showing damage or loss exceeding $5,000.
Damage or loss includes costs of responding to violations, lost revenue, and other consequential harms. Aggregation of harm reaches the threshold.
Injunctive relief prevents ongoing or threatened violations. Preliminary injunctions stop continuing unauthorized access.
Trade secret claims often accompany CFAA claims. Employees who take data when departing face both CFAA and trade secret liability.
Employer-employee disputes frequently involve CFAA. Departing employees accused of data theft and employers accused of monitoring personal accounts both generate litigation.
State Computer Crime Laws
State laws supplement federal CFAA. Every state has computer crime statutes with varying elements and penalties.
Broader state definitions may reach conduct outside federal CFAA. Some state laws do not require the same threshold showing for civil claims.
Data breach notification laws require disclosure when personal information is compromised. Notification triggers vary by data type and number affected.
State consumer protection laws provide additional theories. Unfair and deceptive practice claims address data security failures.
Defenses
Authorization is the primary defense. Demonstrating permitted access defeats CFAA claims. Scope of authorization is frequently contested.
Terms of service violations after Van Buren are less likely to support CFAA charges. Using a website in violation of TOS is not necessarily unauthorized access.
Good faith security research may provide defense. Researchers who discover and report vulnerabilities argue authorization from beneficial purpose.
Entrapment applies when government induces offense the defendant was not predisposed to commit. Undercover operations in computer crime cases raise entrapment issues.
Statute of limitations bars stale claims. CFAA has a two-year civil limitations period. Criminal limitations vary by offense.
Incident Response
Breach discovery triggers response obligations. Containing the intrusion, preserving evidence, and assessing scope are immediate priorities.
Forensic investigation documents the attack. Digital forensics experts analyze systems to determine access methods and data affected.
Law enforcement notification may be advisable or required. FBI and Secret Service investigate significant intrusions. Notification timing is strategic.
Regulatory notification requirements vary by industry. Financial institutions, healthcare entities, and others have sector-specific obligations.
Victim notification is required when personal information is compromised. State laws specify timing, content, and method.
For Service Members
Military computer systems are protected by CFAA and additional military regulations. Unauthorized access to military systems carries severe consequences.
UCMJ prosecution for computer crimes can proceed independently of federal civilian prosecution. Article 134 and other provisions reach computer misconduct.
Security clearance requires reporting computer incidents. Involvement in computer crimes, even minor ones, affects clearance eligibility.
Insider threats receive intense focus. Service members with system access who misuse that access face aggressive investigation.
CID, NCIS, and OSI investigate military computer crimes. These agencies have specialized cyber units.
Post-service employment in cybersecurity is common for military personnel with relevant training. Understanding computer crime law helps transition.
Defense contractor work often involves classified systems. CFAA violations by contractors affect both criminal liability and contract eligibility.
Whistleblower considerations arise when service members discover and report vulnerabilities. Distinguishing authorized security testing from unauthorized access is critical.
A military attorney understands both CFAA and UCMJ provisions addressing computer crimes, how military-specific regulations layer onto federal law, and the career implications of computer-related misconduct.
Disclaimer
This article is provided for general informational and educational purposes only. Nothing in this article constitutes legal advice, and no attorney-client relationship is formed by reading this content.
Computer fraud law is technical and rapidly evolving. CFAA interpretation continues to develop through litigation. State laws vary significantly. The information presented here may not reflect current law or apply to any specific situation.
Do not rely on this article to make legal decisions. Computer crimes carry serious criminal penalties. Civil liability can be substantial. Incident response has legal implications.
If you are facing computer crime allegations or have experienced a computer intrusion, consult immediately with a qualified attorney experienced in this specialized field.
The authors, publishers, and distributors of this content expressly disclaim any liability for actions taken or not taken based on this information. Reading this article does not create an attorney-client relationship with any person or entity.
For service members, computer crimes involving military systems trigger both federal and military jurisdiction. Seek counsel familiar with CFAA, UCMJ, and military cyber regulations.