The Computer Fraud and Abuse Act (CFAA) establishes, in the U.S. Criminal Code, a number of criminal offenses committed through the use or involvement of a computer. The law applies to any “protected computer” which is used in, or affects, interstate or foreign commerce or communication. The broad definition encompasses almost any electronic device that is connected to the internet, because the internet is an instrumentality of interstate commerce.

Criminal Offenses

The CFAA criminalizes seven separate offenses and conspiracy to commit the offenses: computer espionage, computer fraud, damaging a computer, extortion using threats to damage a computer, distribution of malicious code, and trafficking in passwords. Each of the offenses require that the offender’s conduct be without authorization or exceeds authorized access. 

Enforcement & Liability

Title 18 of the U.S. Criminal Code (Crimes and Criminal Procedure), is enforced by federal law enforcement authorities, including the Federal Bureau of Investigation (FBI) and the Dept. of Homeland Security (DHS). Both the U.S. Secret Service and the FBI were given authority to investigate these offenses, with primary authority given to the FBI for cases involving espionage and foreign counterintelligence. 

Although the law is criminal in nature, it provides a private right of action to individuals that have been harmed by a violation of the law. Those harmed individuals may bring a civil suit in federal court alleging damages from the offender’s conduct. Offenders may be subject to criminal prosecution and civil lawsuit for the same conduct.

Penalties

If found guilty or liable, an offender may be subject to up to twenty years of imprisonment and an unspecified fine, depending which of the seven offenses were committed, the value of damage to property, serious bodily injury or death of a victim, and the existence of prior conviction for a CFAA criminal offense.