Computer Fraud and Abuse Act (CFAA) Defense

The statute criminalizes conduct that half the country performs before lunch.

Section 1030 of Title 18 was enacted in 1986 to prosecute computer hackers. It has since become something else. The original prohibition targeted unauthorized intrusion into government and financial systems, a narrow objective addressed with narrow language. Forty years of amendment have produced a statute that reaches password sharing, terms-of-service violations, and the act of accessing a database in a manner that displeases its owner. Federal prosecutors have treated this expansion not as a drafting accident but as an invitation. The CFAA is now charged in cases involving data scraping, insider misconduct, security research, ransomware deployment, and everything between those poles.

The distance between a federal felony and ordinary computer use has, in certain circuits, been measured in the fine print of a website’s terms of service.

What Van Buren Settled, and What It Did Not

In June 2021, the Supreme Court decided Van Buren v. United States and imposed a limit that had been absent for decades. The case involved a police sergeant in Georgia who used his valid credentials to search a law enforcement database in exchange for cash. He had access. He used it for the wrong reasons. The question was whether misuse of legitimate access constitutes “exceeding authorized access” under Section 1030.

Six Justices said no. Justice Barrett, writing for the majority, described the inquiry as a “gates-up-or-down” determination. Either the defendant could access the information in question, or the defendant could not. The purpose of the access was irrelevant. The Court rejected the government’s broader reading on the ground that it would criminalize “a breathtaking amount of commonplace computer activity,” transforming millions of employees who check personal email on a work computer into federal offenders.

That holding removed one weapon from the government’s arsenal. It did not disarm the government.

Van Buren addressed “exceeds authorized access.” It did not address “without authorization,” the statute’s other prong. The distinction matters in practice. A former employee who retains credentials and uses them after termination may still face prosecution. A person who circumvents a technical barrier, however minimal, remains exposed. The gates-up-or-down framework governs insiders. It says nothing about outsiders.

And the circuits have diverged on where that boundary falls.

The Seven Subsections and Their Penalties

Section 1030 contains seven operative subsections, each addressing a different species of computer-related conduct. The penalty structure varies with the conduct, the target, and the defendant’s history, and produces a range wide enough to be disorienting.

Subsection (a)(1) prohibits unauthorized access to national security information and carries a maximum of ten years, rising to twenty on a second conviction. Subsection (a)(2) covers the acquisition of information from a protected computer and is the most frequently charged provision, with a maximum of five years for a felony violation and one year for a misdemeanor. Subsection (a)(5) addresses damage to protected computers and stretches from one year to twenty, depending on whether the damage was reckless or intentional and whether it caused physical injury or threatened public safety. The most severe provision, (a)(5)(A), carries a maximum of life imprisonment if the offense results in death.

A “protected computer” is defined so broadly that it includes any device connected to the internet. Your phone qualifies.

Prosecutors rarely charge a single subsection in isolation. The average CFAA indictment layers three to five federal statutes atop the computer fraud counts: wire fraud, identity theft, conspiracy, economic espionage. The effect is to multiply the defendant’s exposure beyond what any single statute would authorize. This stacking is deliberate. It produces plea agreements.

The DOJ’s 2022 Policy Revision and Its Boundaries

On May 19, 2022, the Department of Justice revised its internal charging policy for CFAA cases. The revision announced two principles. First, the Department would not prosecute good-faith security research, defined as accessing a computer solely for purposes of testing, investigating, or correcting a security flaw or vulnerability, where the activity was conducted in a manner designed to avoid harm. Second, the Department would not pursue charges predicated solely on violations of terms of service, employment agreements, or other contractual restrictions on computer use.

Neither principle is enforceable by a defendant. Internal DOJ policy does not create rights. It creates expectations, and expectations are subject to revision by whatever administration occupies the fifth floor of Main Justice in any given year. The policy constrains line prosecutors only to the extent that their supervisors enforce it.

The revision also has no bearing on civil CFAA liability. Section 1030(g) permits any person who suffers damage or loss by reason of a CFAA violation to bring a private action. Corporations have used this provision to sue former employees, competitors, and data aggregators with a regularity that the original statute’s authors could not have anticipated. The civil CFAA case is a creature born entirely of judicial interpretation. Its habitat is expanding.

Authorization Is the Contested Ground

The central question in most CFAA prosecutions is deceptively simple. Was the access authorized. The statute does not define “authorization” with any precision, and the result is that the meaning of the word depends on the jurisdiction, the facts, and the court’s tolerance for ambiguity.

In August 2025, the Third Circuit held in NRA Group, LLC v. Durenleau that CFAA liability does not extend to violations of workplace computer use policies. The holding aligned with Van Buren‘s reasoning: access restrictions must be imposed by code, not by contract. But other circuits have not adopted identical frameworks. The Ninth Circuit’s treatment of web scraping cases, including the prolonged hiQ Labs v. LinkedIn litigation, produced a standard under which access to publicly available data cannot constitute a CFAA violation regardless of the website’s terms. In May 2024, a California district court applied that reasoning to dismiss claims by X Corp. against Bright Data, holding that scraping of public posts did not constitute unauthorized access.

These holdings represent the direction of the law. They do not represent its current state in every district where your case might be filed.

The government retains significant discretion in selecting its theory of unauthorized access. A technical bypass of a login screen is the clearest case. Credential sharing occupies a middle ground that Van Buren did not resolve. And the use of automated tools to access systems that are nominally public but rate-limited or bot-restricted remains an area of active litigation where the answer depends on the facts of the case and the composition of the bench.

What the Government Must Prove

The elements of a CFAA offense vary by subsection, but the common architecture requires: access to a protected computer, without authorization or in excess of authorized access, and a prohibited result (obtaining information, causing damage, or furthering fraud). The mens rea requirement varies. Subsection (a)(2) requires intent to obtain information. Subsection (a)(5)(A) requires intent to cause damage. Subsection (a)(5)(B) requires only recklessness as to whether damage results.

Intent is contested in nearly every case. The government must prove not merely that the defendant accessed the system but that the defendant did so with the requisite mental state. A security researcher who probes a system to identify vulnerabilities and a criminal who probes the same system to exfiltrate data may perform identical keystrokes. The distinction is intent. That distinction is the trial.

Loss and damage calculations compound the stakes at sentencing. “Damage” under the CFAA includes any impairment to the integrity or availability of data or a system. “Loss” includes the cost of responding to the offense, conducting a damage assessment, and restoring the system to its prior condition. Courts have permitted victims to include the cost of forensic investigations, security audits, and system redesigns in their loss calculations. In complex cases, the government’s loss figure can reach into the millions on the basis of remediation costs alone, even where no data was stolen and no system was permanently impaired.

The loss figure drives the Sentencing Guidelines calculation. Contesting that figure is not optional.

The Forensic Record and Its Deficiencies

CFAA prosecutions are built on digital evidence: server logs, IP addresses, network traffic captures, metadata. The government presents this evidence as definitive. It is not always so.

IP attribution is a persistent weakness in the government’s cases. An IP address identifies a device on a network at a point in time. It does not identify the person using that device. VPN services, Tor routing, compromised machines acting as proxies, shared networks in commercial buildings and residential complexes: each of these common conditions disrupts the assumption that an IP address equals an individual. Courts have acknowledged this limitation in dictum. Juries require education on the point.

Log evidence presents its own difficulties. Server logs can be altered, incomplete, or configured to record with insufficient granularity. Timestamps depend on clock synchronization across systems that may span multiple time zones and administrative domains. Chain of custody for digital evidence requires documentation of acquisition method, hash verification, and storage conditions. Failures at any stage create openings that a prepared defense will exploit.

We retain independent forensic experts in every CFAA case. The government’s forensic narrative is a construction. It is not the only construction that the evidence supports.

DEFENSE TEAM SPOTLIGHT

Todd Spodek

Lead Attorney & Founder

Featured on Netflix's "Inventing Anna," Todd Spodek brings decades of high-stakes criminal defense experience. His aggressive approach has secured dismissals and acquittals in cases others deemed unwinnable.

NY Bar Admitted Multi-State Licensed Federal Courts

Meet the Full Team

The Sextortion Cases and the Statute’s Outer Reach

The CFAA has been applied to conduct that its drafters did not envision and could not have. Recent prosecutions have charged defendants with CFAA violations in sextortion schemes where the “hacking” consisted of guessing a victim’s security questions or obtaining credentials through social engineering. In the District of New Hampshire, Ryan Vallee pleaded guilty to a superseding indictment that included CFAA counts alongside interstate threat charges, in a case involving eleven victims between the ages of fifteen and nineteen.

These cases test the statute’s boundaries. The conduct is reprehensible. The question of whether it is properly charged under a computer fraud statute, rather than under extortion or harassment provisions, is a different inquiry. The CFAA was not written to address interpersonal coercion. It was written to address system intrusion. The government has merged the two categories, and courts have permitted it.

This expansion matters for defense practitioners because it signals the government’s willingness to charge CFAA counts in any case where a computer was instrumentally involved, regardless of whether the core conduct is better described by another statute. The CFAA count adds exposure. That is its function in these indictments.

Pre-Indictment Intervention and the Value of Time

Federal cybercrime investigations operate on extended timelines. The FBI’s Cyber Division may monitor a target for months before executing a search warrant. The Secret Service’s Electronic Crimes Task Forces conduct parallel investigations with overlapping jurisdiction. The interval between the first subpoena and the indictment can exceed a year. That interval is not dead time. It is the period during which the most consequential decisions in the case are made.

Whether to speak with agents who appear at the door. Whether to surrender devices voluntarily or require a warrant. Whether to engage in pre-indictment negotiations with the assigned AUSA. These decisions are made once. They are not revisable.

We have represented software engineers, security researchers, corporate insiders, and individuals who had no understanding of the CFAA until they received a target letter. The common thread is that early engagement with counsel produces better outcomes than delayed engagement. This is not a theoretical proposition. It is an observation drawn from years of practice in the Southern District of New York and in federal courts across the country.

The statute is broad. The penalties are severe. The government’s resources in cybercrime prosecution have increased every fiscal year since 2019. Against that, a defendant possesses rights that the Constitution guarantees and that skilled counsel can exercise. But rights are temporal. Their value diminishes with each day that passes without assertion.

A consultation with this office is confidential, without cost, and without obligation. The CFAA carries weight that its four letters do not suggest. The response to an investigation or indictment under Section 1030 should begin before the government has finished building its case. That is the moment when the architecture of the defense is determined. Everything that follows is construction on a foundation already set.