Federal Computer Fraud Charges Under 18 USC 1030 (CFAA): When Computer Use Becomes Criminal

Federal Computer Fraud Charges Under 18 USC 1030 (CFAA): When Computer Use Becomes Criminal

So your probably facing federal computer fraud charges under CFAA and your ABSOLUTELY CONFUSED because you thought you were just accessing computer systems for work or research. Maybe you used login credentials that prosecutors claim exceeded your authorization. Maybe there’s allegations you accessed files you weren’t supposed to see. Or maybe your just accused of violating website terms of service. Look, we get it. Your COMPLETELY OVERWHELMED by these charges. And you should be! Because Computer Fraud and Abuse Act under 18 USC 1030 carries up to 20 YEARS in federal prison and prosecutors use CFAA to criminalize routine computer activities that cause no harm!

What Is the Computer Fraud and Abuse Act (CFAA)?

Let me explain the prosecutorial weapon that criminalizes computer use. CFAA enacted in 1986 to combat hacking but has expanded to cover ordinary computer activities! Originally targeted hackers breaking into government computers but now applies to ANYONE using computers in ways prosecutors claim are “unauthorized”!

The statute has SEVEN subsections creating different computer crimes! Section (a)(1) targets espionage, (a)(2) obtaining information, (a)(3) accessing government computers, (a)(4) fraud schemes, (a)(5) damaging computers, (a)(6) trafficking in passwords, (a)(7) extortion! Each has different elements and penalties!

Here’s what’s really scary – “protected computer” means ANY computer connected to internet or used in interstate commerce! Your laptop? Protected computer! Work computer? Protected computer! Website servers? Protected computers! Virtually EVERY computer is “protected” giving federal jurisdiction!

Two key phrases prosecutors abuse: “without authorization” and “exceeds authorized access”! Without authorization means no permission at all! Exceeds authorized access means accessing computer with permission but obtaining information you’re not entitled to! Vague terms create prosecutorial discretion!

What Did Supreme Court Rule in Van Buren v. United States?

HUGE 2021 decision limiting CFAA prosecutions!

Police sergeant Van Buren ran license plate search for personal reason violating department policy! Government charged him with exceeding authorized access! Supreme Court reversed conviction holding “exceeds authorized access” applies only when accessing areas of computer system you’re not allowed to access!

The ruling distinguished “gates-up-or-down” inquiry from “purposes” inquiry! If you have authorization to access part of computer system, using it for improper purpose doesn’t violate CFAA! Only accessing forbidden areas violates statute!

This protects employees who misuse data they’re authorized to see! Salesman downloads customer list before quitting? Van Buren says NOT CFAA violation if salesman had access to that database! Using data improperly isn’t “exceeding authorized access”!

But prosecutors still charge CFAA for workplace data theft! They argue accessing data with intent to misuse it means you NEVER had authorization! Courts split on whether Van Buren fully protects employees who misuse authorized access!

We use Van Buren aggressively! If client had login credentials and accessed systems they routinely used, Van Buren says not CFAA violation! Government must prove accessed areas that were off-limits, not just used authorized access improperly!

What Are the Different CFAA Subsections?

Seven alternative violations with DIFFERENT penalties!

Section 1030(a)(1) targets espionage! Obtaining national security information through unauthorized computer access – 10 years first offense, 20 years for repeat! Rarely charged unless involving classified information!

Section 1030(a)(2) is most commonly charged! Obtaining information from protected computer! Requires intentionally accessing computer without authorization or exceeding authorized access! Penalty is 1 year for first offense, longer if involves computer used by government or financial institution!

Section 1030(a)(4) covers fraud schemes using computers! Accessing protected computer without authorization to further fraud – 5 years maximum! Prosecutors charge this alongside wire fraud and bank fraud!

Section 1030(a)(5) targets computer damage! Knowingly causing transmission damaging protected computer! Covers viruses, malware, DDoS attacks, data destruction! 10 years maximum or 20 years if causes serious injury!

Section 1030(a)(6) prohibits trafficking in passwords! Selling or distributing passwords with intent to defraud! One year maximum but rarely prosecuted alone! Usually charged with other fraud counts!

What Is $5,000 Damage Threshold?

Most CFAA violations require proof of damage exceeding $5,000!

“Loss” is broadly defined! Includes cost of responding to offense, conducting damage assessment, restoring system, lost revenue during interruption, costs of investigating! Not just actual damage – ANY costs responding to incident!

Aggregation makes threshold easy to reach! Can combine losses from multiple victims over one-year period! Victim companies claim huge investigation costs, security assessments, system reviews – suddenly $500 breach becomes $50,000 prosecution!

Prosecutors use inflated damage claims! Company claims IT staff spent 100 hours investigating breach at $200/hour? That’s $20,000 “loss” even if no actual damage! Security consultant charging $10,000 to review systems? Counts as loss!

We challenge damage calculations aggressively! Most claimed “losses” are routine IT costs not caused by defendant’s actions! Security reviews that would have happened anyway? Not defendant’s loss! Inflated consultant fees? Challenge reasonableness!

Some subsections don’t require $5,000! Espionage, obtaining government information, trafficking in passwords – no damage threshold! But most common charges (a)(2) and (a)(4) require proving loss!

What Was Aaron Swartz Case?

Tragic example of CFAA prosecutorial overreach!

Aaron Swartz was researcher who downloaded academic articles from JSTOR through MIT network! Prosecutors charged him with CFAA violations carrying 35 years prison and $1 million fine! For downloading academic articles!

JSTOR didn’t want prosecution! MIT was ambiguous! But federal prosecutors pursued case aggressively! Swartz tragically committed suicide in January 2013 while facing trial!

Case highlighted CFAA problems! Vague “authorization” language allows prosecutors to charge minor violations as serious felonies! Terms of service violations shouldn’t be federal crimes! Downloading public information shouldn’t carry decades in prison!

“Aaron’s Law” proposed reforms! Would exclude terms of service violations from CFAA, reduce penalties for minor violations! Introduced in 2013 and 2015 but stalled in Congress! CFAA remains unchanged despite widespread calls for reform!

We invoke Swartz case to show prosecutorial overreach! When government charges minimal violations as serious felonies, judges and juries remember Swartz prosecution! Shows CFAA needs proportionality!

What Are Penalties for CFAA Violations?

Penalties vary by subsection but can be CRUSHING!

Section (a)(2) is 1 year for simple violations, 5 years if involves government or financial institution computer! Section (a)(4) fraud is 5 years maximum! Section (a)(5) damage is 10 years (20 if serious injury)!

Subsequent offenses DOUBLE penalties! First offense is 5 years? Second offense is 10 years! Prior convictions for computer crimes dramatically increase sentences!

Multiple counts create decade-long sentences! Accessed 10 different computer systems? That’s 10 counts! Downloaded files from 5 servers? Five counts! Prosecutors charge each unauthorized access as separate violation!

Fines up to $250,000 per count! Plus restitution for victim losses! Companies claim massive investigation and remediation costs! We’ve seen $500,000 restitution orders for breaches causing minimal actual damage!

Civil liability adds to criminal penalties! Victims can sue civilly under CFAA for compensatory damages and injunctive relief! Face criminal prosecution AND civil lawsuits simultaneously!

What Are Defenses to CFAA Charges?

Several defenses exist but Van Buren changed landscape!

Authorization is primary defense! If you had permission to access computer system, not “without authorization”! We prove clients had login credentials, were authorized users, accessed systems they routinely used!

Van Buren “exceeds authorized access” defense! If you accessed areas of system you had permission to access, doesn’t matter that you used information improperly! Employee accessing customer data they routinely accessed? Not CFAA violation even if planned to misuse it!

No damage exceeding $5,000! If government can’t prove loss over threshold, many CFAA subsections don’t apply! Challenge inflated damage calculations and routine IT costs claimed as “loss”!

Lack of intent to defraud! CFAA requires intentional conduct! Accidental access? Not criminal! Authorized research? Not fraud! Good faith belief you had authorization negates intent!

Computer security research exception! If accessing system to identify security vulnerabilities for legitimate research purposes, may have defense! But must be genuine research not pretext for theft!

Terms of service violations alone aren’t criminal! While government tried charging ToS violations as CFAA crimes, Van Buren effectively ended this practice! Violating website rules isn’t federal crime!

Why CFAA Defense Requires Specialized Computer Crime Attorneys

Look, we’re not your typical lawyers who don’t understand computer systems and authorization issues. We’re former federal prosecutors who CHARGED CFAA cases and know EXACTLY how to use Van Buren decision to challenge vague “authorization” theories!

We understand how to prove authorization through IT records and access logs! We know how to challenge inflated damage calculations! We can establish Van Buren defense showing client accessed authorized areas! Most importantly, we prevent workplace computer disputes from becoming federal prosecutions!

Other lawyers don’t challenge damage thresholds! They accept government’s characterization of routine access as “exceeding authorization”! Their ignorance leads to convictions for ordinary computer use!

Call us RIGHT NOW at 212-300-5196
CFAA investigations involve forensic analysis – act NOW!
Former federal prosecutors – Computer fraud specialists – Available 24/7!

Don’t speak to FBI or Secret Service about computer access without experienced CFAA counsel! Computer forensics will be examined! Access logs will be analyzed! Every statement about your authorization can become evidence! Assert your rights and call us IMMEDIATELY!

Remember – federal computer fraud charges aren’t just for hackers, there for anyone who uses computers in ways prosecutors claim exceeded authorization. One download of work files, one access to database for personal reason, one terms of service violation can mean 10 years in federal prison. You need someone who understands both computer systems AND Van Buren defense. Call us NOW before computer use becomes federal prosecution!