What is the Computer Fraud and Abuse Act?

This page has been peer-reviewed, fact-checked, and edited by qualified attorneys to ensure substantive accuracy and coverage.

The Computer Fraud and Abuse Act (CFAA) was enacted by Congress in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. It was written to limit federal jurisdiction to cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature.

The CFAA criminalized additional computer-related acts. Congress included in the CFAA a provision criminalizing trafficking in passwords and similar items. The Act has been amended a number of times, including in 2001 by the USA Patriot Act, and in 2008 by the Identity Theft Enforcement and Restitution Act.

An Overview of the CFAA

There are seven types of criminal activity enumerated in the CFAA: obtaining national security information, compromising confidentiality, trespassing in a government computer, accessing to defraud and obtain value, damaging a computer or information, trafficking in passwords, and threatening to damage a computer. Attempts to commit these crimes are criminally punishable.

The only computers covered by the CFAA are those defined as protected computers. The term is defined under the Act to mean a computer:

  • Exclusively for the use of a financial institution or the United States Government, or any computer, when the conduct constituting the offense affects the computer’s use by or for the financial institution or the Government; or
  • Used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.

In practice, however, any ordinary computer, including cell phones, has come under the jurisdiction of the law due to the interstate nature of most internet communication.

Court Decisions that Determine How the CFAA is Interpreted

In MBTA v. Anderson, the district court found that a violation of the CFAA only occurs if the person knowingly causes the transmission of programmed information to a protected computer. The defendants were not found in violation in this case because they were only seeking to transmit information to a non-computer audience. The court found that the MBTA was not likely to succeed on a claim under the CFAA.

In United States v. Neil Scott Kramer (2011), the 8th Circuit court held that a cell phone fell under the jurisdiction of the Act. Kramer was a case in which a cell phone was used to coerce a minor into engaging in sex with an adult. Central to the case was whether a cell phone constituted a computer device. Ultimately, the court held that a cell phone could be considered a computer if the phone performs arithmetic, logical, and storage functions, paving the way for harsher consequences for criminals engaging with minors over cell phones.

What are the Criminal Consequences for Violating the Act?

The Act makes it a felony to access classified information in a computer without authorization, and a misdemeanor to access financial records or credit histories stored in a financial institution or to trespass into a government computer. Convictions under some provisions of the Act are felonies punishable by a fine, imprisonment for not more than ten years, or both. A violation that occurs after another conviction under Section 1030 is punishable by a fine, imprisonment for not more than twenty years, or both.

What are the Damages for a Violation of the CFAA?

The CFAA is primarily a criminal statute. However, in 1994 a civil suit provision was added that provides a private cause of action if a violation causes loss or damage, as those terms are defined in the statute. To state a civil claim for violation of the CFAA, a plaintiff must allege:

  • damage or loss
  • caused by
  • a violation of one of the substantive provisions set forth in § 1030(a); and
  • conduct involving one of the factors in § 1030(c)(4)(A)(i)(I)-(V).

Persons found to be civilly liable for a CFAA violation can be responsible for compensatory damages and injunctive or other equitable relief. Furthermore, an action brought under this section must be brought within two years of the date of the act complained of or the date of the discovery of the damage.

What are Defenses for a Violation of the CFAA?

Typical defenses to an alleged violation of the CFAA, several of which are shared with defenses to a charge of defamation, include consent by the third party, that the action was done negligently and not knowingly, and that there was no proximate cause between the act allegedly committed and the damage to the plaintiff.

The law concerning the CFAA is complex. If you believe you are a victim of a violation of the CFAA then contact the experienced internet defamation attorneys at Minc Law to evaluate your case. The laws regarding the CFAA vary depending on the state. Call today to find out more information at (216) 373-7706, or fill out our online contact form to set up a meeting.


