FAQ: What is the Computer Fraud and Abuse Act?

The Computer Fraud and Abuse Act (CFAA) was passed in 1986 to combat hacking of computer systems operated by the U.S. government and some financial institutions. The act made it a federal crime to access a protected computer without authorization or to exceed authorized access.

The law has been amended repeatedly, with expanded scope and penalties. It has come to be used very broadly not just by the government to prosecute hackers, but also by private corporations to help safeguard trade secrets and other proprietary information.

This FAQ is part of SearchCompliance.com's IT Compliance FAQ series.

How has the Computer Fraud and Abuse Act changed since it was passed in 1986?

The Computer Fraud and Abuse Act of 1986, originally a criminal statute intended to help federal prosecutors protect national security interests, has expanded greatly. In 1994, it was amended to allow private parties to file civil lawsuits if a violation resulted in loss or damage. In 1996, Congress further broadened its scope to pertain to any computer involved in interstate commerce. Following the 2001 terrorist attacks, the USA Patriot Act amended the Computer Fraud and Abuse Act to allow search and seizure of records from Internet service providers (ISPs). In 2008, the Identity Theft Enforcement and Restitution Act amended the CFAA to allow companies to file cases even if their losses as a result of a violation did not exceed $5,000.

In April, a decision by a panel of judges in the 9th Circuit Court of Appeals brought to light just how broadly the CFAA was being used to prosecute undesired computer usage. In a 2-3 ruling, the appeals court ruled in United States v. Nosal that private-sector employees can be prosecuted under the CFAA if they use data in a way that’s prohibited by an employer’s use policy, even if the employee is authorized to access the data. In a dissenting opinion, Judge Tena Campbell warned that under the majority’s interpretation of the CFAA, “any person who obtains information from any computer connected to the Internet, in violation of her employer’s computer-use restrictions, is guilty of a federal crime.”

How has the government invoked the act?

Federal prosecutors have invoked the Computer Fraud and Abuse Act of 1986 in cases involving computers operated by both the government and private business. The first person to be indicted under the CFAA was Cornell University graduate student Robert Tappan Morris, who in 1990 was prosecuted for unleashing the Morris worm.

In April, the government prosecuted David Nosal (United States v. Nosal), a former employee of executive recruiting firm Korn/Ferry, for using his employer’s computer in violation of the company’s use policy.

In another high-profile case, the government invoked the CFAA to prosecute Lori Drew (United States v. Lori Drew) for violating the terms of service of her MySpace account. Drew, who was accused of cyberbullying in an incident involving a teenage girl who committed suicide, was convicted of misdemeanor violations by a jury in 2008. A federal judge overturned the conviction in 2009. U.S. District Judge George Wu concluded that under the government’s case, website owners would essentially be able to determine what constitutes a crime.

“Treating a violation of a website’s terms of service, without more, to be sufficient to constitute `intentionally access[ing] a computer without authorization or exceed[ing] authorized access’ would result in transforming [the law] into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into misdemeanant criminals,” Wu wrote. The government did not appeal the decision.

How have corporations used the Computer Fraud and Abuse Act?

Although originally intended as a national security tool to help prevent hacking, the Computer Fraud and Abuse Act has also been invoked by businesses to safeguard trade secrets and other proprietary information. Since Congress amended the act in 1994 to cover private litigants pursuing civil damages, businesses as diverse as Lockheed Martin Corp., Charles Schwab & Co., White Plains Honda and Hub Group Inc. have cited it primarily to sue employees and former employees suspected of stealing information for competitive purposes.

In January, Sony Computer Entertainment America cited the CFAA, among other statutes, to sue hacker George Hotz and others for posting information about security flaws in the PlayStation 3. The case was eventually settled out of court.

What are the main criticisms of the Computer Fraud and Abuse Act of 1986?

Critics maintain that the CFAA has been interpreted so broadly that it could be used to criminally charge employees for violating their companies’ use policies and any individuals for violating terms of service set by an ISP or a website. Critics argue that computer use policies have a tendency to be vague, confusing and arbitrary, and thus should not be the basis of determining criminal activity.

A diverse coalition of public-interest organizations, including the Center for Democracy & Technology, Americans for Tax Reform, the Competitive Enterprise Institute and the American Civil Liberties Union, wrote to lawmakers in September and urged them to amend the CFAA. The coalition wanted to make it clear that accessing a computer in violation of a use policy or terms of service agreement could not be prosecuted as a felony.

What changes are lawmakers planning for the seventh amendment to the CFAA?

In September, Sens. Chuck Grassley (R-Iowa), Al Franken (D-Minn.) and Mike Lee (R-Utah) introduced an amendment to the Computer Fraud and Abuse Act of 1986 that would return the law to its original focus of hack prevention. The amendment was offered as part of the Personal Data Privacy and Security Act of 2011.

Under the amendment, employees could not be prosecuted or held civilly liable under the CFAA for violating a use policy issued by a nongovernment employer. The Senate Judiciary Committee approved the amendment’s provisions on Sept. 22, when the Personal Data Privacy and Security Act was approved.
