CFAA – Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474
1. Introduction:
a. The Computer Fraud and Abuse Act of 1986 was enacted as an amendment to the existing computer fraud statute included in the Comprehensive Crime Control Act of 1984 at 18 USC 1030 et seq. It comprises the federal computer security statutes that address computer fraud and abuse against federal computers, and those in which there is a federal interest, such as banking computers and computers used in interstate and foreign commerce. Over the last 30 years the Congress has amended the statute using the Identity Theft Enforcement and Restitution Act of 2008 and the USA Patriot Act of 2001 in response to advances in technology that have spawned greater and more frequent attacks on the public and private sectors. It is frequently relied upon by the US Department of Justice.
b. The CFAA was enacted as United States Public Law 99-474 on October 16, 1986, compiled at 100 Stat. 1213 and codified at 18 USC 1030 et seq.
2. Criminal computer activities have been categorized in 18 USC 1030 as follows:
a. Espionage > 18 USC 1030(a)(1) – This statute is in addition to the existing espionage statutes at 18 USC 793, 794 and 798, but includes when the information was acquired by unauthorized computer access. Penalties include prison time and fines. 18 USC 1030(c)(1).
i. Derivative crimes with the attempt or conspiracy may include violation of the RICO statutes (18 USC 1962) and money laundering (18 USC 1956, 1957).
b. Trespass or intentional unauthorized access > 18 USC 1030(a)(2) – Incursion by hacking or misuse of credentials and obtaining financial, consumer credit, government or other information on a protected computer.
c. Trespass or intentional unauthorized access into a government computer > 18 USC 1030(a)(3) – Incursion by unauthorized access into a nonpublic or government computer which affects such use.
d. Computer Fraud > 18 USC 1030(a)(4) – Unauthorized access of a protected computer with intent to commit fraud and obtaining value more than minimal computer time. Criminal penalties include prison time and fines. However, the private right of action in 1030(g) permits injunctive relief and suits by victims.
i. Derivative crimes may include 18 U.S.C. 1343 (wire fraud); 18 U.S.C. 2314 (interstate transportation of stolen property); 18 U.S.C. 659 (theft from interstate carriers); 18 U.S.C. 1832 (economic espionage); 18 U.S.C. 1832 (theft of trade secrets); 18 U.S.C. 1029 (fraud involving credit cards and access devices); 18 U.S.C. 641 (theft of federal property); 18 U.S.C. 1001 (false statements on a matter within the jurisdiction of a federal agency or department); 18 U.S.C. 287 (false claims against the United States); 18 U.S.C. 1344 (bank fraud); 18 U.S.C. 2319 (copyright infringement); 18 U.S.C. 1956 & 1957 (money laundering); 18 U.S.C. 1962 (racketeering); 18 U.S.C. 1952 (Travel Act).
e. Cyber attack and damage > 18 USC 1030(a)(5) – Unauthorized access to a protected computer intentionally or recklessly causing damage. Criminal penalties include prison time, fines, and lawsuits by victims through the private right of action.
i. Derivative crimes from damage or destruction of federal property, the property of financial institutions, or property used in interstate or foreign commerce may include 18 U.S.C. 844(f) (destruction of federal property by arson or explosion); 18 U.S.C. 1853 (destruction of timber of U.S. lands); 18 U.S.C. 2071 (destruction of government records); 18 U.S.C. 1361 (destruction of federal property); 18 U.S.C. 1362 (destruction of federal communications property); 18 U.S.C. 32 (destruction of aircraft or aircraft facilities); 18 U.S.C. 33 (destruction of motor vehicles or their facilities); 18 U.S.C. 2280 (destruction of maritime navigational facilities); 18 U.S.C. 1992 (causing a train wreck); 18 U.S.C. 1367 (damaging an energy facility).
f. Trafficking in Computer Access Credentials > 18 USC 1030(a)(6) – Intent to defraud by trafficking in unauthorized access information for a government computer or affecting interstate or foreign commerce. Penalties include the criminal and civil liabilities noted above.
i. Derivative crimes may include the prohibition against trafficking in access devices (credit card fraud) under 18 U.S.C. 1029(a)(2); wire fraud provisions of 18 U.S.C. 1343; RICO (18 U.S.C. 1962); money laundering (18 U.S.C. 1956, 1957).
g. Extortion threat > 18 USC 1030(a)(7) – Transmitting in interstate or foreign commerce threats to damage a protected computer, data, information, program or system, for value. Penalties include the criminal and civil liabilities noted above.
i. Derivative crimes may include 18 U.S.C. 1951 (extortion that affects commerce); 18 U.S.C. 875 (threats transmitted in interstate commerce); 18 U.S.C. 876 (mailing threatening communications); 18 U.S.C. 877 (mailing threatening communications from a foreign country); and 18 U.S.C. 880 (receipt of the proceeds of extortion).
3. Penalties –
a. 1030(b) – it is a crime to conspire or attempt to commit any of these offenses.
b. 1030(c) comprises the criminal penalties for the 1030(a) crimes, which range from imprisonment for not more than a year to not more than twenty years for a second espionage-related conviction.
c. 1030(d) preserves the primary investigative authority of the Federal Bureau of Investigation for these crimes, but curiously also permits the Secret Service to conduct simultaneous investigations.
d. 1030(e) provides common definitions for twelve terms: (1) computer, (2) protected computer, (3) State, (4) financial institution, (5) financial record, (6) exceeds authorized access, (7) department of the United States, (8) damage, (9) government entity, (10) conviction, (11) loss, and (12) person.
e. 1030(f) does not prohibit lawful investigative or intelligence activity of the United States or any State.
f. 1030(g) gives victims a 2-year private right of civil action for injunctive relief and compensatory damages, but not punitive damages.
g. 1030(h) requires the Attorney General and Secretary of the Treasury to report on investigations and prosecutions under (a)(5) to the Congress every three years.
h. 1030(i) and (j) – forfeiture of personal property for these crimes.
Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474
| Act Title & Section | Compiled at Stat | Codified at USC | Regulation | Description |
| Sec 1 | 100 Stat 1213 | 18 USC 1001 Note | Title | |
| Sec 2 1030 Amendments | 100 Stat 1213 | 18 USC 1030(a)(1) | Espionage | |
| (c) only from PL 110-326 Sec. 203 ITERA | 100 Stat 1213; 122 Stat 3561 | 18 USC 1030(a)(2); 18 USC 1030(a)(2)(C) | Computer trespassing or hacking | |
| | 100 Stat 1213 | 18 USC 1030(a)(3) | Computer trespassing or hacking in a government computer | |
| | 100 Stat 1213 – 1214 | 18 USC 1030(a)(4) | Fraud | |
| See also PL 110-326 Sec. 204 ITERA | 100 Stat 1214; 122 Stat 3561 | 18 USC 1030(a)(5) [See 1030(h) for 3 year reports] | Cyber attack | |
| | 100 Stat 1214 | 18 USC 1030(a)(6) | Trafficking in Passwords | |
| See also PL 110-326 Sec. 205 ITERA | 100 Stat 1214; 122 Stat 3563 | 18 USC 1030(a)(7) | Extortion threats | |
| See also PL 110-326 Sec. 206 ITERA | 100 Stat 1214; 122 Stat 3563 | 18 USC 1030(b) | Crime | |
| See also PL 110-326 Sec. 204 ITERA | 100 Stat 1214; 122 Stat 3561 – 3563 | 18 USC 1030(c) | Penalties | |
| | 100 Stat 1214 | 18 USC 1030(d) | Secret Service and FBI Jurisdiction | |
| See also PL 110-326 Sec. 207 ITERA | 100 Stat 1214; 122 Stat 3563 | 18 USC 1030(e) | Definitions | |
| No concurrent prohibition | | | | |
| PL 107-56 Sec 814(d) Patriot Act | 115 Stat 384 | 18 USC 1030(g) | Private Right of Action | |
| PL 98-473 Sec 2103 | 98 Stat 2192 | 18 USC 1030(h) | Reports to Congress every three years | |
| PL 110-326 Sec 208 ITERA | 122 Stat 3563 | 18 USC 1030(i) and (j) | Criminal forfeitures | |
Action Cyber Times™ © 2018 All Rights Reserved.