Breaking Down the CFAA: How Does the Law Impact eCommerce?
In a Nutshell
The Computer Fraud and Abuse Act, or the CFAA, is the federal anti-hacking statute prohibiting unauthorized access to computers and networks. This article will explain everything you need to know about the CFAA, including what it is, why it was adopted, how the law is enforced, and how businesses can thrive under the law.
10 Must-Know Facts & Pointers for eCommerce Merchants to Thrive Under the CFAA
When you think about cybercrime, you probably picture a guy in a hoodie, sitting in a dark room illuminated only by the light of a monitor as he breaks through a wall of binary code.

Very cyberpunk. Very Mr. Robot.
But, what actual crime is the cybercriminal committing? What is the legal grounding that protects against unauthorized computer and network access?
The Computer Fraud and Abuse Act, commonly referred to as the CFAA, is the US’s primary legislation on this front. Established in 1984, the CFAA has led to the conviction of numerous individuals. However, the law has seen its fair share of controversy.
Some argue that prosecutors have overextended it by targeting cases beyond its original hacking intent. There's growing sentiment that the law needs revisiting to prevent potential misuse. So, what does the CFAA actually cover? And, how does it affect your business? Let’s find out.
What is the Computer Fraud and Abuse Act?
The Computer Fraud and Abuse Act (CFAA) of 1984 is a United States federal law that primarily addresses the unauthorized access and use of computers and related systems. The law aims to protect sensitive information and sets penalties for unauthorized access.
The law is pretty broad ranging in scope. In very general terms, though, the CFAA:
- Prohibits Unauthorized Access: It makes it illegal to access a computer or network without authorization, or in a manner that exceeds authorized access.
- Protects Information: The act criminalizes the distribution, theft, or damage of data and information from a computer or network.
- Addresses Various Offenses: This includes offenses related to computer espionage, trafficking in passwords, and transmitting malicious code.
- Enhances Penalties: The CFAA provides for both criminal penalties (such as imprisonment) and civil remedies (like lawsuits) for violations.
The CFAA is the primary federal legislation protecting digital data against unauthorized breaches in the United States. It applies to any computer with an internet connection, plus standalone computers used by federal entities and financial institutions.
Why was the CFAA Adopted?
The Computer Fraud and Abuse Act was enacted in the 1980s to stem the tide of computer-related crimes.
The 1980s saw rapid advancement in tech. Of course, all that rapid change also prompted anxieties about how this technology could be used (or abused).
As the use of computers became widespread in business and government infrastructure, there was a corresponding rise in computer-related crimes. We’re talking about data theft, unauthorized access, and other malicious activities.
Prior to the Computer Fraud and Abuse Act, there was no comprehensive federal law addressing computer crimes. There was a clear need for legislation that would provide a legal framework to prosecute those engaging in malicious digital activity. The CFAA was put together in response to those growing concerns about computer security and vulnerabilities.
The 1983 movie WarGames depicted a scenario in which a teenager unwittingly hacks into a U.S. military supercomputer and almost starts World War III. While fictional, it raised public awareness about the potential dangers of unauthorized computer access. This movie is often cited as an influence in the CFAA's creation.
What Devices are Covered Under the CFAA?
The Computer Fraud and Abuse Act covers “protected computers,” which means virtually any internet-connected device.
When the Computer Fraud and Abuse Act was first introduced by the federal government, its primary aim was to criminalize intentional unauthorized access and use of a protected computer. However, the terms “protected computer” and “authorized access” were not defined very clearly. So, let’s clarify this terminology.
The CFAA covers any device that is:
- used by financial institutions or the US Government
- involved in voting systems or federal election administration
- engaged in, or influencing, interstate or foreign commerce
The device in question must also be one of the following:
- Personal computers (laptops and desktops)
- Mobile devices like cell phones and smartphones
- Infrastructure hardware (e.g. cell towers and radio stations)
- Online platforms and websites
- Restricted databases
- Digital devices including tablets, iPads, and video game devices
In other words, the term “protected computer” can mean virtually any computer connected to the internet. Devices that are explicitly exempt from the CFAA include automated typewriters and handheld calculators.
Some significant court cases that led to amendments to the CFAA include United States v. Nosal, United States v. Drew, and United States v. Valle.
What Acts are Governed Under the CFAA?
The CFAA criminalizes a wide range of computer-related offenses, including unauthorized access, data theft, malware distribution, and extortion.
Over time, with amendments and decisions from numerous Supreme Court cases, the scope of the Computer Fraud and Abuse Act has broadened substantially. Now, it criminalizes actions including:
- Unauthorized access to a protected computer
- Exceeding authorized access to gather confidential data
- Deliberately transmitting harmful digital codes or programs to computer systems
- Intentionally damaging a protected computer
- Illegally using someone else’s password or access key
- Extortion involving a computer
- Trafficking passwords of a protected computer
In a significant 2008 move, Congress widened the “protected computer” definition to encompass any computer involved in or influencing interstate or foreign trade. This inclusion, especially the use of the term “influencing,” has granted the CFAA regulatory oversight over a vast range of computer-related activities. These rules were further broadened in 2021 (see further down).
Common Examples of Computer Crime Covered Under the CFAA
Some offenses prosecuted under the CFAA include computer fraud, espionage, extortion, and deploying malicious software. Other crimes covered under the CFAA include unauthorized access, sharing, or compromising of passwords, personal financial records, and government databases.
The Computer Fraud and Abuse Act has evolved and undergone several amendments to address new threats. Some of the primary offenses recognized under the CFAA are:
Recent Provisions of the CFAA
Under the CFAA, criminal violations carry significant fines and prison sentences ranging from one to twenty years.
So, what happens to people caught breaking Computer Fraud and Abuse Act statutes?
Violations of the CFAA come with significant consequences. Those found guilty can expect criminal fines and potential jail time. First-time offenders might face fines of up to $5,000 per offense, and might also face up to ten years in prison.
Here's a streamlined list of offenses and their corresponding sentence guidelines for first-time offenders:
- Accessing a computer to defraud and obtain value: 5 years
- Accessing a protected computer and obtaining information: 1 to 5 years
- Acquiring national security information: 10 years
- Computer-related extortion: 5 years
- Deliberate computer damage via data transfer: 1 to 10 years
- Intentional access causing negligent damage or loss: 1 year
- Reckless damage from unauthorized computer access: 1 to 5 years
- Trafficking computer passwords: 1 year
- Unauthorized entry into a government computer: 1 year
Repeat offenders can expect harsher consequences under the CFAA. For subsequent violations, offenders may incur fines of up to $5,000 per offense, face imprisonment of up to 20 years, or both.
The US Department of Justice (DOJ) has stated that violating “contracts, terms of service agreements, or employee policies” alone is not enough to warrant charges under the CFAA. To have gained “unauthorized access,” defendants must breach divisions that are “established in a computational sense, that is, through computer code or configuration.”
In May 2022, the DOJ further clarified that individuals conducting “good-faith security research” involving “testing, investigation, and/or correction of a security flaw or vulnerability” would not be charged under the CFAA.
Organizations should note that this two-year window commences once they recognize the unauthorized activity, irrespective of whether the identity of the perpetrator is known.
Concerns About the Scope of the CFAA
Critics have argued that vagueness risks unfairly criminalizing accidental employee overreach. In 2021, the Supreme Court narrowed the CFAA’s scope in response.
Over the past four decades, the Computer Fraud and Abuse Act has been at the center of significant debate. Specifically, the problem is focused on the murky definition of “unauthorized access,” and how strict the penalties for that access can be.
Detractors say the scope of the CFAA is too expansive. We could risk penalizing people for minor infractions. On the other hand, supporters drive home the necessity of a robust legal mechanism to curb malicious online activity.
A central concern is the chance that workers might be prosecuted for accidentally violating a company's acceptable use policy. Another example of potential misuse would be if individuals are prosecuted for minor violations of the terms of use for websites, online platforms, or ISPs.

There have been multiple revisions to the CFAA. But, given the numerous high-profile lawsuits tied to the act, and even a tragic suicide, there’s still a shadow of controversy over the CFAA.
Van Buren v. United States: A Pivotal Case in CFAA Enforcement
In 2021, the Supreme Court's decision in the Van Buren v. United States case finally clarified what “unauthorized access” means.
Specifically, with the Van Buren ruling, the court determined that authorization stems from a “gates-up-or-down” approach. As the ruling explains, “one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.”
In other words, when the gate is down and an individual is accessing a computer without permission, they are doing so “without authorization.” Similarly, an individual “exceeds authorized access” when they have permission to access certain areas of a computer system, but instead accesses other areas (e.g. files, folders, or databases) for which they lack permission.
The Supreme Court also ruled that an individual doesn’t “exceed authorized access” if they use information they’re permitted to see for an unauthorized purpose. This was pivotal, as it determined that the CFAA doesn't penalize employees for misusing data they have legitimate access to.
While a person can be convicted of violating other laws for misusing data (laws punishing HIPAA violations, for example), the ruling limited the scope of the CFAA significantly. This decision not only settled the interpretive dispute but also limited the extent to which employers can invoke the CFAA for disciplinary actions.
Further Proposed Changes to the CFAA
Advocates are pushing for reforms to protect ethical hackers and whistleblowers, clarify vague terms like “damage,” and formally exclude standard terms-of-service violations.
Many believe there are still areas of the act that require further reform. Here are some of the proposed changes and ways they might be implemented:
Distinguishing Malicious & Non-Malicious Actors
One criticism of the CFAA is that it doesn't sufficiently differentiate between individuals with malicious intent and those who act without malice, for instance ethical hackers or researchers. Critics say we should encourage ethical hacking by providing safe harbor provisions for those who disclose vulnerabilities responsibly.
Rationalizing Penalties
Some believe the CFAA's penalties can be overly harsh, particularly for minor violations. Penalties should be adjusted based on the severity of the offense, ensuring they're proportional to the harm caused.
Clarification on “Damage” & “Loss”
The terms “damage” and “loss” in the CFAA are broad. They could cover anything from actual harm to mere inconvenience. Lawmakers need to define what constitutes “damage” and “loss” to prevent overreach.
Protection for Terms-of-Service Violations
There are concerns that the CFAA can be weaponized against individuals who violate website terms of service or end-user license agreements. We should exclude standard terms of service violations from the CFAA’s purview unless they result in tangible harm.
Enhance Whistleblower Protections
There’s a need to ensure that whistleblowers who expose wrongdoing aren't prosecuted under the CFAA. We need provisions that protect whistleblowers, ensuring they’re not penalized for accessing or disclosing information in the public interest.
Update to Reflect Technological Advances
The CFAA should be adaptable to accommodate new technologies and threats. This requires periodic reviews and updates of the CFAA involving stakeholders from the tech industry, legal experts, and civil rights advocates.
A comprehensive approach is essential to implement these reforms. This should involve consulting with cybersecurity professionals, legal experts, business stakeholders, and civil rights advocates.
Public awareness campaigns can help inform individuals and organizations about their rights and responsibilities under the revised law. Legislative action, followed by appropriate regulatory guidance, will be crucial in updating and clarifying the CFAA's scope and application.
How Can eCommerce Thrive Under the CFAA?
To maintain compliance with the CFAA, businesses should establish strict access boundaries, keep acceptable use policies updated, and provide thorough employee training.
It’s crucial to understand the nuances of the CFAA to maintain compliance and protect both the organization and its employees. We recommend that businesses:
#1 | Grasp the Essentials
The CFAA primarily targets unauthorized access to digital systems. Businesses should familiarize themselves with the specifics to avoid accidental violations.
#2 | Define Access Boundaries
Create explicit guidelines detailing which employees can access specific company resources and to what degree. This will minimize risks of inadvertent overreach.
#3 | Educate Employees
Regularly train employees on digital use policies, emphasizing the legal ramifications of non-compliance, both for the individual and for the company.
#4 | Protect Whistleblowers
Ensure a safe environment for employees to report security vulnerabilities or wrongdoing without facing legal repercussions under the CFAA.
#5 | Refine Use Policies
Keep Acceptable Use Policies (AUPs) clear, up-to-date, and in line with CFAA regulations. Remove any ambiguities that might arise.
#6 | Seek Legal Expertise
Engage with legal professionals specializing in cyber law to align company policies with the CFAA and address potential concerns proactively.
#7 | Facilitate Reporting Mechanisms
Establish straightforward channels for employees to voice concerns about potential unauthorized access. This will help ensure timely interventions.
#8 | Prioritize Cybersecurity
Beyond safeguarding business assets, robust security protocols can showcase a commitment to preventing unauthorized access. This is a vital aspect of CFAA compliance.
#9 | Audit Regularly
Conduct IT assessments periodically to verify system security and access controls and identify potential areas of risk.
#10 | Stay Informed
With the digital space and its regulations continuously evolving, ensure that company practices adapt to any changes in the CFAA or related laws.
Ultimately, the CFAA demands attention and understanding from every modern business. By proactively embracing its guidelines and instilling a culture of compliance, businesses can navigate the digital world confidently, safeguarding their operations and fostering a responsible and protected workspace for all employees.
FAQs
What is a Computer Fraud & Abuse Act violation?
A CFAA violation occurs when someone intentionally accesses a computer without authorization or exceeds granted access to obtain or alter information. This includes hacking, unauthorized data retrieval, or causing damage to digital systems. Penalties for violations range from fines to imprisonment.
What is the maximum sentence for CFAA?
CFAA penalties can range from short-term imprisonment to up to 20 years for repeat offenders or grave infractions.
Is computer fraud a federal crime?
Yes, computer fraud is a federal crime under the CFAA. It involves unauthorized access, data theft, or manipulation of digital systems with deceitful intent.
What happens if you break CFAA?
CFAA penalties can range from short-term imprisonment to up to 20 years for repeat offenders or grave infractions.
What are the criminal elements of CFAA?
CFAA violations are characterized by knowingly accessing a computer without authorization or exceeding permitted access to obtain, alter, or damage information. This encompasses hacking, unauthorized data retrieval, and intentional digital system damage. The act delineates specific offenses, each carrying its respective penalties.
What are the elements of a Computer Fraud and Abuse Act claim?
A Computer Fraud and Abuse Act (CFAA) claim requires the plaintiff to prove that the defendant intentionally accessed a “protected computer” without or in excess of authorization and, as a result, caused damages or losses of at least $5,000.
What is considered “computer fraud”?
Computer fraud involves the use of computers, networks, or digital devices to conduct phishing attacks, commit identity theft, transfer funds without authorization, or carry out other forms of fraud. Computer fraud is largely governed by the Computer Fraud and Abuse Act (CFAA) of 1986.