Computer Fraud and Abuse Act of 1984 (CFAA)

DATE: Enacted on October 12, 1984, and amended in 1986, 1990, 1994, 1996, 2001, 2002, and 2008

THE LAW: First comprehensive federal legislation in the United States designed to address concerns about the growth of computer fraud and other computer-related crimes.

SIGNIFICANCE: The enactment of the Computer Fraud and Abuse Act of 1984 generated computer-specific criminal laws and sentencing guidelines for computer criminals.

Prior to the passage of the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (commonly referred to as the Computer Fraud and Abuse Act, or CFAA), computer crimes in the United States were prosecuted under a number of statutes generally dealing with interstate communications, wire fraud, and attacks against government property. Little legislation had been passed to deal specifically with computer crimes. Federal statutes addressed crimes against federal institutions, interstate crimes, and acts against the country’s security, such as terrorism. Because of the nature of computer networks, hackers were often prosecuted under interstate commerce and federal telecommunications laws originally written to address telephone fraud.

Content

Technological advances during the mid-1980s brought computers into mainstream American homes as well as into high schools, colleges, and businesses. The rapid growth of interconnectivity of computers by telephone lines and modems and the storage of vast numbers of confidential documents on computers compelled the passage of legislation to protect computer users. Existing laws were no longer sufficient to handle the kinds of theft and trespass that were possible using the new technology.

Originally limited in scope to interstate crime and instances involving government computers or those of financial institutions, the purpose of the 1984 Computer Fraud and Abuse Act was to protect classified, financial, and credit information that was maintained on federal government computers. The act made it a crime to knowingly access a federal-interest computer without authorization to obtain certain defense, foreign relations, or financial information or atomic secrets. A federal-interest computer was defined as a computer used by a financial institution, a computer used by the US government, or one of two or more computers used in committing the offense, not all of which were located in the same state. The act also made it a criminal offense to use a computer to commit fraud, to “trespass” on a computer, and to traffic in unauthorized computer passwords.

Amendments

The Computer Fraud and Abuse Act of 1986 was designed to strengthen, expand, and clarify the intentionally narrow 1984 act. It safeguarded sensitive data harbored by government agencies and related organizations, nuclear systems, financial institutions, and medical records. The act, which was signed into law on October 16, 1986, by President Ronald Reagan, forbade interference with any federal-interest computer system or any system that crossed state lines. It also prohibited the unauthorized access of any computer system containing classified government information. It specified three categories of classified information: information belonging to a financial institution, credit card issuer, or consumer reporting agency; information from a department or agency of the United States; and information from any computer deemed “protected” or used exclusively by a financial institution, by the US government, or in interstate or foreign commerce or communication.

The 1986 act aimed to safeguard the integrity of computer systems with specific prohibitions against computer vandalism, including transmission of a virus or similar code intended to cause damage to a computer or system, unauthorized access that caused damage recklessly, or unauthorized access of a computer without malicious intent. The law established punishments of prison sentences up to twenty years and fines up to $250,000 for the perpetration of knowing and reckless damage to any computer system. Establishing criminal intent at time of trial, however, can prove difficult.

As computing evolved, the CFAA was further amended in 1996 by the National Information Infrastructure Protection Act, which broadened the law’s scope to include conduct committed by or through the use of the Internet, World Wide Web, or other computer networks. It also removed the wording “federal-interest computer” and replaced it with “protected computer.” In so doing, Congress broadened the scope of the act’s protection from federal computers to include all computers involved in interstate and foreign commerce.

The Patriot Act of 2001 amended the CFAA again, raising the maximum penalties for some violations to ten years for a first offense and twenty years for a second offense, ensuring that violators who cause damage generally can be punished, and enhancing punishments for violations involving any damage to government computers involved in criminal justice or the military, including damage to foreign computers involved in interstate commerce. In addition, the 2001 amendments expanded the act’s definition of “loss” to include the time spent by authorities in investigating and responding to damage assessment and restitution.

In its decision in the 2003 case Theofel v. Farey Jones, the US Court of Appeals for the Ninth Circuit referred to the Computer Fraud and Abuse Act, holding that disclosure by the plaintiff’s Internet service provider of e-mail messages pursuant to the defendant’s invalid and overly broad subpoena did not constitute an “authorized” disclosure. This decision had serious implications for law-enforcement authorities because of the limitations it placed on their ability to obtain information from Internet service providers without having to obtain search warrants. Search warrants for cell phones can be particularly tricky in that individuals typically use them to access all manner of digital information, from texts to social media platforms and email. Courts often require warrants to be specific, limiting police searches to certain types of data, for example, or to defined time periods.

Bibliography

Cantos, Lisa, Chad Chambers, Lorin Fine, and Randi Singer. “Internet Security Legislation Introduced in the Senate.” Journal of Proprietary Rights 12 (May 2000): 15-16.

"CFAA Background." National Association of Criminal Defense Lawyers, 14 July 2022, www.nacdl.org/Content/CFAABackground. Accessed 14 Aug. 2024.

Conley, John M., and Robert M. Bryan. “A Survey of Computer Crime Legislation in the United States.” Information and Communications Technology Law 8 (March, 1999): 35-58.

Jarrett, H. Marshall, et al. Prosecuting Computer Crimes. Washington, DC: Office of Legal Education Executive Office for United States Attorneys, Dept. of Justice, 2010. Web. 16 Mar. 2015.

Lynch, Jennifer. "New Federal and State Court Rulings Show Courts Are Divided on the Scope of Cell Phone Searches Post-Riley." Electronic Frontier Foundation, 4 Oct. 2022, www.eff.org/deeplinks/2022/10/new-federal-and-state-court-rulings-show-courts-are-divided-scope-cell-phone. Accessed 14 Aug. 2024.

Montana, John C. “Viruses and the Law: Why the Law Is Ineffective.” Information Management Journal 34 (October, 2000): 57-60.

Toren, Peter J. Intellectual Property and Computer Crimes. New York: Law Journal Press, 2003.