Breaking Down the CFAA: How Does the Law Impact eCommerce?

October 19, 2023 | 13 min read

In a Nutshell

The Computer Fraud and Abuse Act, or the CFAA, is the federal anti-hacking statute prohibiting unauthorized access to computers and networks. This article will explain everything you need to know about the CFAA, including what it is, why it was adopted, how the law is enforced, and how businesses can thrive under the law.

10 Must-Know Facts & Pointers for eCommerce Merchants to Thrive Under the CFAA

The Computer Fraud and Abuse Act, commonly referred to as the CFAA, is the US’s primary legislation against unauthorized computer and network access.

Established in 1984, the CFAA has led to the conviction of numerous individuals. However, the law has seen its fair share of controversy. Some argue that prosecutors have overextended it by targeting cases beyond its original hacking intent. There's growing sentiment that the law needs revisiting to prevent potential misuse. 

What does the CFAA actually cover? And, how does it affect your business? Let’s find out. 

What is the Computer Fraud and Abuse Act?

Computer Fraud and Abuse Act

[noun]/kəm • pyo͞o • dər • frôd • ənd • ab • yo͞os • akt/

The Computer Fraud and Abuse Act (CFAA) of 1984 is a United States federal law that primarily addresses the unauthorized access and use of computers and related systems. The law was aimed at protecting sensitive information and setting penalties for unauthorized access.

The law is broad in scope. In very general terms, though, the CFAA:

  • Prohibits Unauthorized Access: It makes it illegal to access a computer or network without authorization, or in a manner that exceeds authorized access.
  • Protects Information: The act criminalizes the distribution, theft, or damage of data and information from a computer or network.
  • Addresses Various Offenses: This includes offenses related to computer espionage, trafficking in passwords, and transmitting malicious code.
  • Enhances Penalties: The CFAA provides for both criminal penalties (such as imprisonment) and civil remedies (like lawsuits) for violations.

Today, the CFAA is the primary federal legislation safeguarding digital data against unauthorized breaches in the United States. This law applies to all computers with internet connections and standalone computers utilized by federal entities and financial institutions.

Why was the CFAA Adopted?

The 1980s saw rapid technological advancement, which in turn prompted anxieties about how this technology could be used (or abused). The Computer Fraud and Abuse Act was enacted against this backdrop of growing concerns about computer security and potential vulnerabilities.

As computers became more prevalent in the business world and in government infrastructure, there was a corresponding rise in computer-related crimes. This included data theft, unauthorized access, and other malicious activities.

Prior to the CFAA, there wasn't a comprehensive federal law addressing computer crimes. There was a clear need for legislation that would provide a legal framework to prosecute those engaging in malicious computer-related activities.

Fun Fact

The 1983 movie WarGames depicted a scenario in which a teenager unwittingly hacks into a U.S. military supercomputer and almost starts World War III. While fictional, it raised public awareness about the potential dangers of unauthorized computer access. This movie is often cited as an influence in the CFAA's creation.

What Devices are Covered Under the CFAA?

When the Computer Fraud and Abuse Act was first introduced by the federal government, its primary aim was to criminalize intentional unauthorized access and use of a protected computer. However, the terms “protected computer” and “authorized access” were not explicitly defined. This led to ambiguity and room for diverse interpretations (more on this below).

Let’s clarify this terminology. The CFAA's coverage is limited to devices which are used by financial institutions or the US Government, involved in voting systems or federal election administration, or which are engaged in, or influencing, interstate or foreign commerce (including those outside the US). Furthermore, the device in question must be one of the following:

  • Personal computers (laptops and desktops)
  • Mobile devices like cell phones and smartphones
  • Infrastructure hardware (i.e. cell towers and radio stations)
  • Online platforms and websites
  • Restricted databases
  • Digital devices including tablets, iPads, and video game devices

Devices that are explicitly exempt from the CFAA include automated typewriters and handheld calculators.

Did You Know?

Some significant court cases that led to amendments to the CFAA include United States v. Nosal, United States v. Drew, and United States v. Valle.

What Acts are Governed Under the CFAA?

Over time, with amendments and decisions from numerous Supreme Court cases, the scope of the Computer Fraud and Abuse Act has broadened substantially. Now, it criminalizes actions including:

  • Unauthorized access to a protected computer
  • Exceeding authorized access to gather confidential data
  • Deliberately transmitting harmful digital codes or programs to computer systems
  • Intentionally damaging a protected computer
  • Illegally using someone else’s password or access key
  • Extortion involving a computer
  • Trafficking passwords of a protected computer

In a significant 2008 move, Congress widened the “protected computer” definition to encompass any computer involved in or influencing interstate or foreign trade. This inclusion, especially the use of the term “influencing,” has granted the CFAA regulatory oversight over a vast range of computer-related activities. These rules were further broadened in 2021 (see further down). 

Common Examples of Computer Crime Covered Under the CFAA

The Computer Fraud and Abuse Act has evolved over time. It’s undergone several amendments to address an expanding array of computer-related offenses. Some of the primary offenses recognized under the CFAA are:

Computer Fraud

Engaging in fraudulent activities using a protected computer to obtain goods or benefits valued at over $5,000 within a year is a CFAA offense. Notably, the computer's value itself isn't typically factored into this amount.

Espionage

The CFAA prohibits individuals from deliberately accessing government computers to gather classified data available on or through such systems. This action may also subject the accused to additional counter-espionage penalties.

Extortion

Coercing or threatening someone to obtain money or any valuable item through a computer device is illegal under the CFAA.

Malicious Software

Deliberately introducing malicious software or code is also an offense. For the CFAA to apply, this software must cause damages exceeding $5,000.

Password Sharing

Sharing or distributing passwords that facilitate unauthorized computer access is prohibited. This includes selling account information on the dark web.

Compromising Personal Data

Accessing financial records and credit files on computers, especially those tied to financial institutions or voting records, is criminalized under the CFAA.

Unauthorized Government Database Access

Any unauthorized access or overstepping of given access rights on government computers is deemed illegal.

Recent Provisions of the CFAA

So, what happens to people caught breaking Computer Fraud and Abuse Act statutes? Well, nothing good, frankly. 

Violations of the CFAA come with significant consequences. Those found guilty can expect criminal fines and potential jail time. First-time offenders might face fines of up to $5,000 per offense, as well as incarceration ranging from one to ten years in prison, or both.

Here's a streamlined list of offenses and their corresponding sentence guidelines for first-time offenders:

  • Accessing a computer to defraud and obtain value: 5 years
  • Accessing a protected computer and obtaining information: 1 to 5 years
  • Acquiring national security information: 10 years
  • Computer-related extortion: 5 years
  • Deliberate computer damage via data transfer: 1 to 10 years
  • Intentional access causing negligent damage or loss: 1 year
  • Reckless damage from unauthorized computer access: 1 to 5 years
  • Trafficking computer passwords: 1 year
  • Unauthorized entry into a government computer: 1 year

Repeat offenders can expect harsher consequences under the CFAA. For subsequent violations, offenders may incur fines of up to $5,000 per offense, face imprisonment of up to 20 years, or both.

Common Question

Does the CFAA have a statute of limitations?

Yes. Plaintiffs seeking to pursue CFAA-related claims in court must do so within two years. This timeframe begins either from the date the defendant carried out the act or from when the plaintiff became aware of the unauthorized access or resulting damages.

Organizations should note that this two-year window commences once they recognize the unauthorized activity, irrespective of whether the identity of the perpetrator is known.

Concerns About the CFAA

Over the past four decades, the Computer Fraud and Abuse Act has been at the center of significant debate and contention. Specifically, controversy surrounded the murky definition of “unauthorized access,” and the stringency of its penalties.

Detractors believe the act's scope is overly expansive, risking the penalization of minor infractions. On the other hand, supporters underscore the necessity of a robust legal mechanism to curb and penalize malicious online actions.

A central concern is the CFAA’s potential misuse in prosecuting employees who breach a company's acceptable use policy (AUP), or individuals who contravene terms of use for websites, online platforms, or ISPs.

Given these apprehensions, there have been multiple revisions to the CFAA since its inception. However, the efficacy of these amendments remains debated. They've been spotlighted in numerous high-profile lawsuits and even a tragic suicide, casting a lasting shadow of controversy over the CFAA.

Recent Changes & Updates to the CFAA

In 2021, the Supreme Court's decision in the Van Buren v. United States case finally clarified what “unauthorized access” means. This resolution addressed the persistent disparity in federal court interpretations and how the law can be applied in certain circumstances.

Under the CFAA, exceeding authorized access refers to instances in which someone, although having permission to access a computer, retrieves or changes information they aren't allowed to access.

Even this particular phrasing led to divided opinions among federal circuit courts, though. The debate centered on whether the definition covered individuals who misused information from systems they had rightful access to.

The Supreme Court's ruling in the Van Buren case was pivotal. By overturning his conviction, the court determined that the CFAA doesn't penalize employees for misusing data they have legitimate access to. This decision not only settled the interpretive dispute but also limited the extent to which employers can invoke the CFAA for disciplinary actions.

Further Proposed Changes to the CFAA

The Van Buren Supreme Court decision in 2021 clarified a significant ambiguity in the Computer Fraud and Abuse Act. However, many believe there are still areas of the act that require further reform. Here are some of the proposed changes and ways they might be implemented:

Distinguishing Malicious & Non-Malicious Actors

One criticism of the CFAA is that it doesn't sufficiently differentiate between individuals with malicious intent and those who act without malice, such as ethical hackers or researchers. Organizations must create clear provisions that differentiate penalties based on intent. Encourage ethical hacking by providing safe harbor provisions for researchers who disclose vulnerabilities responsibly.

Rationalizing Penalties

Some believe the CFAA's penalties can be overly harsh, particularly for minor violations. Adjust penalties based on the severity of the offense, ensuring they're proportional to the harm caused.

Clarification on “Damage” & “Loss”

The terms “damage” and “loss” in the CFAA are broad and can encompass various scenarios, from actual harm to mere inconvenience. Organizations must clearly define what constitutes “damage” and “loss” to prevent overreach.

Protection for Terms-of-Service Violations

There are concerns that the CFAA can be weaponized against individuals who violate website terms of service or end-user license agreements, which can often be extensive and unclear. Organizations should explicitly exclude standard terms of service violations from the CFAA's purview unless they result in tangible harm.

Enhance Whistleblower Protections

Given the digital nature of many modern whistleblowing activities, there's a need to ensure that individuals who expose wrongdoing aren't prosecuted under the CFAA. Organizations need to incorporate provisions that protect whistleblowers, ensuring that they're not penalized for accessing or disclosing information in the public interest.

Update to Reflect Technological Advances

The digital landscape continues to evolve, and the CFAA should be adaptable to accommodate new technologies and threats. This requires periodic reviews and updates of the CFAA involving stakeholders from the tech industry, legal experts, and civil rights advocates.

A comprehensive approach is essential to implement these reforms effectively across the digital domain. This involves consulting with cybersecurity professionals, legal experts, business stakeholders, and civil rights advocates.

Public awareness campaigns can help inform individuals and organizations about their rights and responsibilities under the revised law. Legislative action, followed by appropriate regulatory guidance, will be crucial in updating and clarifying the CFAA's scope and application.

How Can eCommerce Thrive Under the CFAA?

The CFAA’s regulations touch on various aspects of digital operations and conduct. As businesses increasingly rely on technology, it's crucial to understand the nuances of the CFAA to maintain compliance and protect both the organization and its employees.

We recommend that businesses:

#1 Grasp the Essentials

The CFAA primarily targets unauthorized access to digital systems. Businesses should familiarize themselves with the specifics to avoid accidental violations.

#2 Define Access Boundaries

Create explicit guidelines detailing which employees can access specific company resources and to what degree. This will minimize risks of inadvertent overreach.

#3 Educate Employees

Regularly train employees on digital use policies, emphasizing the legal ramifications of non-compliance, both personal and for the company.

#4 Protect Whistleblowers

Ensure a safe environment for employees to report security vulnerabilities or wrongdoing without facing legal repercussions under the CFAA.

#5 Refine Use Policies

Keep Acceptable Use Policies (AUPs) clear, up-to-date, and in line with CFAA regulations. Remove any ambiguities that might arise.

Engage with legal professionals specializing in cyber law to align company policies with the CFAA and address potential concerns proactively.

#7 Facilitate Reporting Mechanisms

Establish straightforward channels for employees to voice concerns about potential unauthorized access. This will help ensure timely interventions.

#8 Prioritize Cybersecurity

Beyond safeguarding business assets, robust security protocols can showcase a commitment to preventing unauthorized access. This is a vital aspect of CFAA compliance.

#9 Audit Regularly

Conduct IT assessments periodically to verify system security and access controls and identify potential areas of risk.

#10 Stay Informed

With the digital space and its regulations continuously evolving, ensure that company practices adapt to any changes in the CFAA or related laws.

Ultimately, the CFAA demands attention and understanding from every modern business. By proactively embracing its guidelines and instilling a culture of compliance, businesses can navigate the digital world confidently, safeguarding their operations and fostering a responsible and protected workspace for all employees.

FAQs

What is a Computer Fraud & Abuse Act violation?

A CFAA violation occurs when someone intentionally accesses a computer without authorization or exceeds granted access to obtain or alter information. This includes hacking, unauthorized data retrieval, or causing damage to digital systems. Penalties for violations range from fines to imprisonment.

What is the maximum sentence for CFAA?

CFAA penalties can range from short-term imprisonment to up to 20 years for repeat offenders or grave infractions.

Is computer fraud a federal crime?

Yes, computer fraud is a crime. It involves unauthorized access, data theft, or manipulation of digital systems with deceitful intent.

What happens if you break CFAA?

CFAA penalties can range from short-term imprisonment to up to 20 years for repeat offenders or grave infractions.

What are the criminal elements of CFAA?

CFAA violations are characterized by knowingly accessing a computer without authorization or exceeding permitted access to obtain, alter, or damage information. This encompasses hacking, unauthorized data retrieval, and intentional digital system damage. The act delineates specific offenses, each carrying its respective penalties.
