Computer Fraud and Abuse ActBreaking Down the CFAA: How Does the Law Impact eCommerce?

October 19, 2023 | 13 min read

This image was created by artificial intelligence using the following prompts:

A special agent looking to arrest hackers, prison cells with bars in the background, in the style of red and teal

Computer Fraud and Abuse Act

In a Nutshell

The Computer Fraud and Abuse Act, or the CFAA, is the federal anti-hacking statute prohibiting unauthorized access to computers and networks. This article will explain everything you need to know about the CFAA, including what it is, why it was adopted, how the law is enforced, and how businesses can thrive under the law.

10 Must-Know Facts & Pointers for eCommerce Merchants to Thrive Under the CFAA

The Computer Fraud and Abuse Act, commonly referred to as the CFAA, is the US’s primary legislation against unauthorized computer and network access.

Established in 1984, the CFAA has led to the conviction of numerous individuals. However, the law has seen its fair share of controversy. Some argue that prosecutors have overextended it by targeting cases beyond its original hacking intent. There's growing sentiment that the law needs revisiting to prevent potential misuse. 

What does the CFAA actually cover? And, how does it affect your business? Let’s find out. 

What is the Computer Fraud and Abuse Act?

Computer Fraud and Abuse Act

[noun]/kəm • pyo͞o • dər • frôd • ənd • ab • yo͞os • akt/

The Computer Fraud and Abuse Act (CFAA) of 1984 is a United States federal law that primarily addresses the unauthorized access and use of computers and related systems. The law aimed at protecting sensitive information, and setting penalties for unauthorized access.

The law is pretty broad ranging in scope. In very general terms, though, the CFAA:

  • Prohibits Unauthorized Access: It makes it illegal to access a computer or network without authorization, or in a manner that exceeds authorized access.
  • Protects Information: The act criminalizes the distribution, theft, or damage of data and information from a computer or network.
  • Addresses Various Offenses: This includes offenses related to computer espionage, trafficking in passwords, and transmitting malicious code.
  • Enhances Penalties: The CFAA provides for both criminal penalties (such as imprisonment) and civil remedies (like lawsuits) for violations.

Today, the CFAA is the primary federal legislation safeguarding digital data against unauthorized breaches in the United States. This law applies to all computers with internet connections and standalone computers utilized by federal entities and financial institutions.

Why was the CFAA Adopted?

The 1980s saw rapid technological advancement, which in turn, prompted anxieties about how this technology could be used (or abused). The Computer Fraud and Abuse Act was enacted against this backdrop of these growing concerns about computer security and the potential vulnerabilities. 

As computers became more prevalent in the business world and in government infrastructure, there was a corresponding rise in computer-related crimes. This included data theft, unauthorized access, and other malicious activities.

Prior to the CFAA, there wasn't a comprehensive federal law addressing computer crimes. There was a clear need for legislation that would provide a legal framework to prosecute those engaging in malicious computer-related activities.

Fun Fact

The 1983 movie WarGames depicted a scenario in which a teenager unwittingly hacks into a U.S. military supercomputer and almost starts World War III. While fictional, it raised public awareness about the potential dangers of unauthorized computer access. This movie is often cited as an influence in the CFAA's creation.

What Devices are Covered Under the CFAA?

When the Computer Fraud and Abuse Act was first introduced by the federal government, its primary aim was to criminalize intentional unauthorized access and use of a protected computer. However, the terms “protected computer” and “authorized access” were not explicitly defined. This led to ambiguity and room for diverse interpretations (more on this below).

Let’s clarify this terminology. The CFAA's coverage is limited to devices which are used by financial institutions or the US Government, involved in voting systems or federal election administration, or which are engaged in, or influencing, interstate or foreign commerce (including those outside the US). Furthermore, the device in question must one of the following:

  • Personal computers (laptops and desktops)
  • Mobile devices like cell phones and smartphones
  • Infrastructure hardware (i.e. cell towers and radio stations)
  • Online platforms and websites
  • Restricted databases
  • Digital devices including tablets, iPads, and video game devices

Devices that are explicitly exempt from the  CFAA include automated typewriters and handheld calculators.

Did You Know?

Some significant court cases that led to amendments to the CFAA include United States v. Nosal, United States v. Drew, and United States v. Valle.

What Acts are Governed Under the CFAA?

Over time, with amendments and decisions from numerous Supreme Court cases, the scope of the Computer Fraud and Abuse Act has broadened substantially. Now, it criminalizes actions including:

  • Unauthorized access to a protected computer
  • Exceeding authorized access to gather confidential data
  • Deliberately transmitting harmful digital codes or programs to computer systems
  • Intentionally damaging a protected computer
  • Illegally using someone else’s password or access key
  • Extortion involving a computer
  • Trafficking passwords of a protected computer

In a significant 2008 move, Congress widened the “protected computer” definition to encompass any computer involved in or influencing interstate or foreign trade. This inclusion, especially the use of the term “influencing,” has granted the CFAA regulatory oversight over a vast range of computer-related activities. These rules were further broadened in 2021 (see further down). 

Common Examples of Computer Crime Covered Under the CFAA

The Computer Fraud and Abuse Act has evolved over time. It’s undergone several amendments to address an expanding array of computer-related offenses. Some of the primary offenses recognized under the CFAA are:

Computer Fraud

Engaging in fraudulent activities using a protected computer to obtain goods or benefits valued at over $5,000 within a year is a CFAA offense. Notably, the computer's value itself isn't typically factored into this amount.


The CFAA prohibits individuals from deliberately accessing government computers to gather classified data available on or through such systems. This action may also subject the accused to additional counter-espionage penalties.


Coercing or threatening someone to obtain money or any valuable item through a computer device is illegal under the CFAA.

Malicious Software

Deliberately introducing malicious software or codes. For the CFAA to apply, this software must cause damages exceeding $5,000.

Password Sharing

Sharing or distributing passwords that facilitate unauthorized computer access is prohibited. This includes selling account information on the dark web.

Compromising Personal Data

Accessing financial records and credit files on computers, especially those tied to financial institutions or voting records, is criminalized under the CFAA.

Unauthorized Government Database Access

Any unauthorized access or overstepping of given access rights on government computers is deemed illegal.

Computer crime is constantly changing and evolving. Is your business protected against new and developing threats?REQUEST A DEMO

Recent Provisions of the CFAA

So, what happens to people caught breaking Computer Fraud and Abuse Act statutes? Well, nothing good, frankly. 

Violations of the CFAA come with significant consequences. Those found guilty can expect criminal fines and potential jail time. First-time offenders might face fines of up to $5,000 per offense, as well as incarceration ranging from one to ten years in prison, or both.

Here's a streamlined list of offenses and their corresponding sentence guidelines for first-time offenders:

  • Accessing a computer to defraud and obtain value: 5 years
  • Accessing a protected computer and obtaining information: 1 to 5 years
  • Acquiring national security information: 10 years
  • Computer-related extortion: 5 years
  • Deliberate computer damage via data transfer: 1 to 10 years
  • Intentional access causing negligent damage or loss: 1 year
  • Reckless damage from unauthorized computer access: 1 to 5 years
  • Trafficking computer passwords: 1 year
  • Unauthorized entry into a government computer: 1 year

Repeat offenders can expect harsher consequences under the CFAA. For subsequent violations, offenders may incur fines of up to $5,000 per offense, face imprisonment of up to 20 years, or both.

Common QuestionDoes the CFAA have a statute of limitations?Yes. Plaintiffs seeking to pursue CFAA-related claims in court must do so within two years. This timeframe begins either from the date the defendant carried out the act or from when the plaintiff became aware of the unauthorized access or resulting damages.

Organizations should note that this two-year window commences once they recognize the unauthorized activity, irrespective of whether the identity of the perpetrator is known.

Concerns About the CFAA

Over the past four decades, the Computer Fraud and Abuse Act has been at the center of significant debate and contention. Specifically, controversy surrounded the murky definition of “unauthorized access,” and the stringency of its penalties.

Detractors believe the act's scope is overly expansive, risking the penalization of minor infractions. On the other hand, supporters underscore the necessity of a robust legal mechanism to curb and penalize malicious online actions.

A central concern is the CFAA’s potential misuse in prosecuting employees who breach a company's acceptable use policy (AUP). Or, of individuals who contravene terms of use for websites, online platforms, or ISPs.

Given these apprehensions, there have been multiple revisions to the CFAA since its inception. However, the efficacy of these amendments remains debated. They've been spotlighted in numerous high-profile lawsuits and even a tragic suicide, casting a lasting shadow of controversy over the CFAA.

Computer Fraud and Abuse Act

Recent Changes & Updates to the CFAA

In 2021, the Supreme Court's decision in the Van Buren v. United States case finally clarified what “unauthorized access” means. This resolution addressed this persistent disparity in federal court interpretations and how the law can be applied in certain circumstances. 

Under the CFAA, exceeding authorized access refers to instances in which someone, although having permission to access a computer, retrieves or changes information they aren't allowed to access.

Even this particular phrasing led to divided opinions among federal circuit courts, though. The debate centered on whether the definition covered individuals who misused information from systems they had rightful access to.

The Supreme Court's ruling in the Van Buren case was pivotal. By overturning his conviction, the court determined that the CFAA doesn't penalize employees for misusing data they have legitimate access to. This decision not only settled the interpretive dispute but also limited the extent to which employers can invoke the CFAA for disciplinary actions.

Further Proposed Changes to the CFAA

The Van Buren Supreme Court decision in 2021, which clarified a significant ambiguity in the Computer Fraud and Abuse Act. However, many believe there are still areas of the act that require further reform. Here are some of the proposed changes and ways they might be implemented:

Computer Fraud and Abuse Act

Distinguishing Malicious & Non-Malicious Actors

One criticism of the CFAA is that it doesn't sufficiently differentiate between individuals with malicious intent and those who act without malice. For instance, ethical hackers or researchers. Organizations must create clear provisions that differentiate penalties based on intent. Encourage ethical hacking by providing safe harbor provisions for researchers who disclose vulnerabilities responsibly.
Computer Fraud and Abuse Act

Rationalizing Penalties

Some believe the CFAA's penalties can be overly harsh, particularly for minor violations. Adjust penalties based on the severity of the offense, ensuring they're proportional to the harm caused.
Computer Fraud and Abuse Act

Clarification on “Damage” & “Loss”

The terms “damage” and “loss” in the CFAA are broad and can encompass various scenarios, from actual harm to mere inconvenience. Organizations must clearly define what constitutes “damage” and “loss” to prevent overreach.
Computer Fraud and Abuse Act

Protection for Terms-of-Service Violations

There are concerns that the CFAA can be weaponized against individuals who violate website terms of service or end-user license agreements, which can often be extensive and unclear. Organizations should explicitly exclude standard terms of service violations from the CFAA's purview unless they result in tangible harm.
Computer Fraud and Abuse Act

Enhance Whistleblower Protections

Given the digital nature of many modern whistleblowing activities, there's a need to ensure that individuals who expose wrongdoing aren't prosecuted under the CFAA. Organizations need to incorporate provisions that protect whistleblowers, ensuring that they're not penalized for accessing or disclosing information in the public interest.
Computer Fraud and Abuse Act

Update to Reflect Technological Advances

The digital landscape continues to evolve, and the CFAA should be adaptable to accommodate new technologies and threats. This requires periodic reviews and updates of the CFAA involving stakeholders from the tech industry, legal experts, and civil rights advocates.

A comprehensive approach is essential to implement these reforms effectively across the digital domain. This involves consulting with cybersecurity professionals, legal experts, business stakeholders, and civil rights advocates.

Public awareness campaigns can help inform individuals and organizations about their rights and responsibilities under the revised law. Legislative action, followed by appropriate regulatory guidance, will be crucial in updating and clarifying the CFAA's scope and application.

How Can eCommerce Thrive Under the CFAA?

The CFAA’s regulations touch on various aspects of digital operations and conduct. As businesses increasingly rely on technology, it's crucial to understand the nuances of the CFAA to maintain compliance and protect both the organization and its employees.

We recommend that businesses:

#1 Grasp the Essentials

The CFAA primarily targets unauthorized access to digital systems. Businesses should familiarize themselves with the specifics to avoid accidental violations.

#2 Define Access Boundaries

Create explicit guidelines detailing which employees can access specific company resources and to what degree. This will minimize risks of inadvertent overreach.

#3 Educate Employees

Regularly train employees on digital use policies, emphasizing the legal ramifications — both personal for the company — of non-compliance.

#4 Protect Whistleblowers

Ensure a safe environment for employees to report security vulnerabilities or wrongdoing without facing legal repercussions under the CFAA.

#5 Refine Use Policies

Keep Acceptable Use Policies (AUPs) clear, up-to-date, and in line with CFAA regulations. Remove any ambiguities that might arise.

Engage with legal professionals specializing in cyber law to align company policies with the CFAA and address potential concerns proactively.

#7 Facilitate Reporting Mechanisms

Establish straightforward channels for employees to voice concerns about potential unauthorized access. This will help ensure timely interventions.

#8 Prioritize Cybersecurity

Beyond safeguarding business assets, robust security protocols can showcase a commitment to preventing unauthorized access. This is a vital aspect of CFAA compliance.

#9 Audit Regularly

Conduct IT assessments periodically to verify system security and access controls and identify potential areas of risk.

#10 Stay Informed

With the digital space and its regulations continuously evolving, ensure that company practices adapt to any changes in the CFAA or related laws.

Ultimately, the CFAA demands attention and understanding from every modern business. By proactively embracing its guidelines and instilling a culture of compliance, businesses can navigate the digital world confidently, safeguarding their operations and fostering a responsible and protected workspace for all employees.


What is a Computer Fraud & Abuse Act violation?

A CFAA violation occurs when someone intentionally accesses a computer without authorization or exceeds granted access to obtain or alter information. This includes hacking, unauthorized data retrieval, or causing damage to digital systems. Penalties for violations range from fines to imprisonment.

What is the maximum sentence for CFAA?

CFAA penalties can range from short-term imprisonment to up to 20 years for repeat offenders or grave infractions.

Is computer fraud a federal crime?

Yes, computer fraud is a crime. It involves unauthorized access, data theft, or manipulation of digital systems with deceitful intent.

What happens if you break CFAA?

CFAA penalties can range from short-term imprisonment to up to 20 years for repeat offenders or grave infractions.

What are the criminal elements of CFAA?

CFAA violations are characterized by knowingly accessing a computer without authorization or exceeding permitted access to obtain, alter, or damage information. This encompasses hacking, unauthorized data retrieval, and intentional digital system damage. The act delineates specific offenses, each carrying its respective penalties.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
Please share a few details and we'll connect with you!
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form