Call any time, day or night!
(865) 670-8535

Computer Fraud And Abuse Enforcement

At Breeding Carter, we leverage years of experience and superior technological expertise to prosecute and defend computer crimes around the globe. Our attorneys have developed an extensive network of leading experts in computer forensics to attack computer crime at its core. Using those resources, we have successfully defended some of the most high profile computer cases in history.

We are experienced in aggressively pursuing computer crimes for national and international companies, often working hand in hand with law enforcement to prevent and punish wrongdoing. We have also defended individuals in the criminal context in federal courts around the country for various computer crimes.

The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. 1030, criminalizes an array of computer crimes. It also provides for a private right of action in a civil case for those who have violated company policy or evaded electronic security protocol. Computer crime continues to occupy the front page of the news as hacking, corporate espionage and employee crimes increase in frequency and severity. Computer crimes are some of the most serious offenses that can be committed, and the U.S. Department of Justice has turned its focus to these types of offenses. As companies its and the government become more sophisticated, computer crime will become easier to detect and prosecute. Whether you are a company looking to prevent electronic intrusions, or an individual facing government prosecution, Breeding Carter is equipped to help you immediately.

Seven Categories of CFAA Crimes

18 U.S.C. 1030 defines seven categories of prohibited conduct:

18 U.S.C. § 1030(a)(1): Computer Espionage

Subsection (a)(1) defines the crime of computer espionage and includes significant language from the Espionage Act of 1917, but also covers information related to “Foreign Relations”, not simply “National Defense” like the Espionage Act. The Department of Justice recognizes that this offense subsection is rarely used, and that prosecution under this subsection requires the prior approval of the National Security Division of the Department of Justice, through the Counterespionage Section. A violation of this subsection is punishable by up to 10 years in prison, or 20 years in prison for a second conviction.

In order to convict someone of this subsection, the government must prove the following:

 

  1. Knowingly access computer without or in excess of authorization
  2. obtain national security information
  3. obtain national security information
  4. obtain national security information

National security information is defined as information, “that has been determined by the United States Government pursuant to an Executive Order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as de ned in paragraph y. of section 11 of the Atomic Energy Act of 1954.” Very often the information defined is classified information belonging to the Department of Defense or Department of Energy. But, the government must also prove that the information obtained could injure the United States or benefit a foreign nation.

The government’s ability to show that once the information was obtained it was willfully transmitted can depend on if it can be shown that:

[T]he defendant did any of the following: (a) communicated, delivered, or transmitted national security information, or caused it to be communicated, delivered, or transmitted, to any person not entitled to receive it; (b) attempted to communicate, deliver, or transmit national security information, or attempted to cause it to be communicated, delivered, or transmitted to any person not entitled to receive it; or (c) willfully retained national security information and failed to deliver it to an o cer or employee of the United States who is entitled to receive it in the course of their official duties.

Section 808 of the USA PATRIOT Act added section 1030(a)(1) to the list of crimes in that are considered “Federal Crime[s] of Terrorism” under 18 U.S.C. 2332b(g)(5)(B). Among other issues, this means that a violation of this subsection can be used as a predicate offense under the RICO statute, may have an extended statute of limitations and could result in an additional term of supervised release.

18 U.S.C. § 1030(a)(2): Unauthorized Access and Obtaining Information

Subsection (a)(2) criminalizes the unauthorized access of different kinds of computers and information. This subsection contains both a misdemeanor and felony alternative. As a starting point, violations of this subsection begin as misdemeanors unless aggravating factors exist that increase the crime to a felony. One factor is the value of the information obtained. While the statute has no minimum monetary threshold for a misdemeanor offense, this subsection does require the information obtained to be valued above $5,000 for the offense to become a felony.

To prove a misdemeanor violation of subsection (a)(2) the government must prove that a person did the following:
  1. Intentionally access a computer
  2. Without or in excess of authorization
  3. Obtain information
  4. From financial records of financial institution or consumer reporting agency OR the U.S. government OR a protected computer
To take the offense from a misdemeanor to a felony, the government must prove the elements listed above in addition to showing that a person:
  1. Committed for commercial advantage or private financial gain OR committed in furtherance of any criminal or tortious act OR the value of the information obtained exceeds $5,000

Unlike subsection (a)(1) which requires knowing access to a computer, this subsection requires intentional access. In 1986, Congress changed the intent standard to emphasize that “intentional acts of unauthorized access-rather than mistaken, inadvertent, or careless ones- are precisely what the Committee intends to proscribe.” S. Rep. No. 432, 99th Cong., 2d Sess., reprinted in 1986 U.S.C.C.A.N. 2479, 2483. Thus, a slightly heightened standard for accessing information is required under this subsection.

However, one of the biggest debates surrounding prosecutions under the Computer Fraud and Abuse Act is the meaning and application of “unauthorized access” and “in excess of authorization.” Unauthorized access is not defined by the statute. So, courts around the country have been left to interpret the meaning of what constitutes access and when is that access unauthorized. The statute does define in excess of authorization as, “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” 18 U.S.C. 1030(e)(6).

The legislative history of the CFAA reflects an expectation that persons who “exceed authorized access” will be a person who has some authorization to use the computer or network (i.e. employees, contractors, IT specialists), while persons who access computers “without authorization” will typically be hackers or other outsiders who exploit the system without having been given any authorization at all. See S. Rep. No. 99- 432, at 10 (1986), reprinted in 1986 U.S.C.C.A.N. 2479 (discussing section 1030(a)(5). However difficult questions arise when courts try to determine whether a person with some authorization to access a computer can ever act “without authorization” with respect to that computer. There is no definitive answer to this question currently, but there is growing consensus that such “insiders” cannot act “without authorization” unless and until their authorization to access the computer is rescinded. This will typically happen in the context of employee termination or layoffs.

Where the statute permits prosecution for exceeding authorization, the government should be prepared to present evidence proving (a) how the person’s authority to obtain or alter information on the computer was limited, rather than absolute, and (b) how the person exceeded those limitations in obtaining or altering information. The most significant issue that comes up is whether a particular defendant exceeded authorized access by accessing the computer for an improper purpose where no explicit or implicit restrictions on access existed. The argument typically arises in three ways:

(1) the authorizing party has expressly prohibited the defendant from accessing the computer for the improper purpose; (2) the authorizing party has expressly prohibited the defendant from using the authorizing party’s data for the improper purpose but did not condition the defendant’s computer access on compliance with this prohibition; and (3) the authorizing party did not expressly prohibit the defendant from using its data for the improper purpose, but the defendant was acting against the authorizing party’s interests.

Obviously, the answers to these questions in court opinions become more difficult to distill in questions 2 and 3. As a result, significant litigation occurs surrounding these issues.

In the next prong, the meaning of “obtaining information” is very broad. It includes not only downloading or physically copying information, but also includes mere observation or viewing. Thus, a violation of this subsection can include scenarios where information is accessed and simply looked at, without more. Information in the context of this statute includes computer programs and other intellectual or intangible property.

In terms of heavily litigated areas of the CFAA, “protected computer” is another area that is heavily contested. Basically, a protected computer is any computer used in or affecting interstate or foreign commerce and computers used by the federal government and financial institutions. The computer must only be “used in or affecting” interstate commerce. The government need not prove that the defendant specifically used that computer in affecting interstate commerce. Based on case law, it is typically enough that the computer is connected to the Internet to meet the interstate commerce prong. The statute does not require proof that the defendant also used the Internet to access the computer or used the computer to access the Internet. A protected computer can also include a computer outside the United States as long as it affects interstate commerce.

In terms of one of the aggravating felony factors requiring proof that the information was valued at over $5,000, any reasonable method can be used to establish the value of the information obtained. For example, the research, development, and manufacturing costs or the value of the property “in the thieves’ market” can be used to meet the $5,000 valuation. See, e.g., United States v. Stegora, 849 F.2d 291, 292 (8th Cir. 1988).

18 U.S.C. § 1030(a)(3): Computer trespassing in a government computer

Subsection (a)(3) specifically protects government computers. To violate this subsection the government must prove:
  1. Intentionally access
  2. without authorization
  3. a nonpublic computer of the U.S. that was exclusively for the use of U.S. or was used by or for U.S.
  4. affected U.S. use of computer

There is no requirement that information be obtained. It is the act of trespassing alone that is criminalized. A violation of (a)(3) is a misdemeanor offense. There is no provision that would increase a violation of this section to a felony. However, a second conviction of the CFAA under his subsection results in a felony carrying a maximum of 10 years in prison.

A nonpublic computer includes most government computers, but does not include government servers that, by design, are intended for public use. As an example, a government agency’s database server is probably “nonpublic,” while the same agency’s web servers are “public.”

18 U.S.C. § 1030(a)(4): Committing fraud with computer

Subsection (a)(4) is typically charged in conjunction with or in lieu of subsection (a)(2) violations because this subsection carries felony penalties. The government will also charge (a)(4) violations in addition to wire fraud because this subsection contains an intent to defraud element. A violation of this section requires the government to prove:

  1. Knowingly access a protected computer without or in excess of authorization
  2. with intent to defraud
  3. access furthered the intended fraud
  4. obtained anything of value, including use if value exceeded $5000

While this subsection of the CFAA significantly resembles the mail and wire fraud statutes, it purposefully includes the use of a computer without authorization or in excess of his authorization to obtain property of another, which property furthers the intended fraud. In that way it is more narrowly tailored that mail and wire fraud.

“Knowingly and with intent to defraud is not defined by the CFAA. There is little case law intercepting the meaning, but it seems Congress intended to punish attempts to steal valuable data, not just mere unauthorized access. However, courts may use the definition of the term “defraud” as it relates to mail and wire fraud cases to inform their decisions.

The requirement that the access must further the intended fraud can be met in a number of ways. Some examples are deleting or altering computer files to receive some value, obtaining information from a computer that is later used to complete a fraud (i.e. stealing credit card information), or producing falsified records that are later used to commit a fraud (i.e. creating and printing backdated winning lottery tickets).

The government must also prove that the offender obtained money, cash, or a good or service with measurable value. However, two cases that are more difficult arise (1) when the defendant obtains only the use of a computer, and (2) when the defendant obtains only information. Legislative history suggests that obtaining some computer data or information, alone, is not valuable enough to qualify.

A violation of (a)(4) is punishable by up to five years in prison and a fine. A second conviction, like other subsections, is punishable by up to 10 years in prison.

18 U.S.C. § 1030(a)(5): Damaging a protected computer (including viruses, worms)

Subsection (a)(5) is perhaps the most widely used subsection of the CFAA. It prohibits damage to protected computers, and can be violated in a number of ways. Hackers who access computers and delete or alter files, install malware, initiate denial of service (DDoS) attacks or unleash computer viruses or worms are frequently charged under this subsection.

Subsection (a)(5) has three alternatives. Each of the subsection, if violated as outlined below without any aggravating factors is a misdemeanor. However, there are a number of ways that a violation of subsections (a)(5)(A) and (a)(5)(B) can elevate the crime to a felony.

Subsection (a)(5)(A) prohibits:

  1. Knowingly cause transmission of a program, information, code, or command
  2. intentionally cause damage to protected computer without authorization

Subsection (a)(5)(B) prohibits:

  1. Intentionally access a protected computer without authorization
  2. recklessly cause damage

Subsection (a)(5)(C) prohibits:

  1. Intentionally access a protected computer without authorization
  2. cause damage
  3. cause loss

A violation of subsection (a)(5)(A) and (a)(5)(B) can be a felony if the offense:

  • results in loss of $5,000 during 1 year or
  • modifies medical care of a person or
  • causes physical injury or
  • threatens public health or safety or
  • damages systems used by or for government entity for administration of justice, national defense, or national security or
  • damages affect 10 or more protected computers during 1 year

In basic terms, subsection (a)(5)(A) prohibits anyone from intentionally damaging a computer (without authorization) while subsection (a)(5)(B) prohibits unauthorized users from causing damage recklessly and subsection (a)(5)(C) from causing damage (and loss) negligently.

Damaging a computer can have far-reaching effects. For example, a business may not be able to operate if its computer system stops functioning or it may lose sales if it cannot retrieve the data in a database containing customer information. Similarly, if a computer that operates a hospital or power plant stops functioning, people could be injured or die as a result of not receiving emergency services. Such damage to a computer can occur following a successful intrusion, but it may also occur in ways that do not involve the unauthorized access of a computer system.

Subsections (a)(5)(B) and (a)(5)(C), unlike (a)(5)(A) require that the offender “access” the computer without authorization and hold intruders accountable for any damage they cause while intentionally trespassing on a computer, even if they did not intend to cause that damage. Section 1030(a)(5)(A) requires proof only of the knowing transmission of data, a command, or software to intentionally damage a computer without authorization. The government does not need to prove “access.”

Section (a)(5)(A) prohibits knowingly causing the transmission of a “program, information, code, or command” and intentionally causing damage to a protected computer. “Program, information, code, or command” broadly covers all transmissions that are capable of having any effect on a computer’s operation. This can include keystroke commends to change or delete computer files, software packages that alter the operation of a computer (i.e. worms, malware) and even DDoS attacks that flood the network connection of a computer or server taking its operation offline without actually accessing the computer itself. These acts do not have to be directly sent to the victim computer in order to violate this statute.

Subsections (a)(5)(B) and (a)(5)(C) do not include offenses defined as “exceeds authorized access.” A violation of these subsection is only available in the prosecution of offenders who are unauthorized to access the computer.

Damage under each prong of (a)(5) requires the proof of damage. The computer accessed need not be the same computer that was damaged. “Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. 1030(e)(8). Impairment of integrity can include situations where, for example, where an act causes data or information to be deleted or changed (i.e. deleted log files or changed entries in a bank database). Installing key logger software or altering security software so the intruders changes go undetected can also constitute damage. Additionally, damage includes making information on a computer unavailable through a DDOS attack or other ways of consuming a computers computational power.

In addition to damage, under (a)(5)(C) the government must also prove loss. Loss is defined as, “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

In addition to the statutory penalties prescribed for offenses to the CFAA additional enhancements under the federal sentencing guidelines exist specifically for violation of section (a)(5)(A). Those increases result in an elevated guideline range, which often leads to a more severe sentence.

18 U.S.C. § 1030(a)(6): Trafficking in passwords of a government or commerce computer

Violations of (a)(6) prohibit knowingly and with intent to defraud trafficking in computer passwords and similar information when the trafficking affects interstate or foreign commerce, or when the password may be used to access without authorization a computer used by or for the federal government. Violations of (a)(6) may often be charged with or in addition to violations of 18 U.S.C. 1029, access device fraud.

To convict, the government must prove:

  1. Trafficking
  2. in computer password or similar information 
  3. knowingly and with intent to defraud
  4. trafficking affects interstate or foreign commerce OR computer used by or for U.S.

“Traffic” in section 1030(a)(6) is defined by reference to the definition of the same term in 18 U.S.C. 1029, which means “transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of.” 18 U.S.C. 1029(e)(5). Mere possession of passwords without intent to transfer is not prohibited. Additionally, personal use of any obtained passwords is not a violation of this subsection. Although, in both scenarios prosecution may be brought under another subsection. If transferred, the offender need not have the motive to profit from the transaction.

In the context of this provision of the CFAA, a password is broadly defined:

The Committee recognizes that a “password” may actually be comprised of a set of instructions or directions for gaining access to a computer and intends that the word “password” be construed broadly enough to encompass both single words and longer more detailed explanations on how to access others’ computers. S. Rep. No. 99-432, at 13 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2491.

A violation of (a)(6) is a misdemeanor, while a second or subsequent conviction is a felony punishable by up to 10 years in prison.

18 U.S.C. § 1030(a)(7): Threatening to damage a protected computer

In basic terms, Subsection (a)(7) prohibits extortion threats involving damage to a computer or involving confidential data. Threats to access and delete or alter computer information, along with threats of DDoS attacks are covered by this subsection.

To prove a violation of (a)(7) the government must prove:

  1.  With intent to extort money or any other thing of value
  2. transmits in interstate or foreign commerce a communication
  3. containing a:

    • threat to damage a protected computer

    • threat to obtain or reveal confidential information without or in excess of authorization

    • demand or request for money or value in relation to damage done in connection with the extortion.

Proving intent to extort does not require proof that the money or thing of value for which the threat issued was obtained. In other words, the government does not have to prove that the offense was completed by actually obtaining the thing demanded, just the intent to dos suffices. The threat must be sent in interstate or foreign commerce, but does not have to be sent by computer. The computer portion comes into play if the threats are targeting, “against computers, computer networks, and their data and programs.” The threat can be sent by, “mail, a telephone call, electronic mail, or through a computerized messaging service.”

Unlawful threats to the business that owns a computer system, such as threats to reveal flaws in the network or to reveal that the network has been hacked, are not threats to damage a protected computer under this subsection. However, a threat to a business, rather than to a protected computer, might be chargeable as a violation of the Hobbs Act.

Under this subsection the government may charge an offender for the use of ransomware. In that scenario, an intruder may obtain or encrypt information and refuse to repair or cover the information unless certain demands are met. In this way, information is held for ransom. Prosecutors could charge such conduct under (a)(7)(C).

A violation of (a)(7) is punishable by a fine and up to five years in prison. Any second or subsequent offense is punishable by up to 10 years in prison.

18 U.S.C. § 1030(a)(7): Threatening to damage a protected computer

Attempt and Conspiracy

Attempts to violate 18 U.S.C. 1030 are criminal acts that carry the same statutory penalties as the underlying subsection. However, the sentencing guidelines call for the reduction of three points from the final calculation in the case of attempt. This results in a lower guideline range and a potentially lower sentence. Thus, an argument that a crime was attempted but not completed may provide some relief in sentencing if it becomes necessary to negotiate a favorable outcome.

In 2008, the Identity Theft Enforcement and Restitution Act amended section 1030(b) to create a new conspiracy offense. It says:

Whoever conspires to commit or attempts to commit an o ense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

However, Congress has not included a penalty provisions in subsection (c) to specify what penalties apply to offenders who engage in a conspiracy to violate section 1030. See, e.g., 18 U.S.C. 1030(c)(1)(A) (specifying a penalty of 10 years imprisonment for “an attempt to commit an offense punishable under this subparagraph” but not mentioning the penalty for conspiracy to commit such an offense).

Like in a drug conspiracy, the government need not prove an overt act in order to obtain a conviction for a section 1030 conspiracy. Additionally, impossibility is not a defense. In other words, the object of the conspiracy may be impossible to achieve, but the agreement to hack the objective is sufficient.

How Can We Help

Computer Fraud and Abuse Act violations are serious and wide-ranging. In today’s world where almost everyone has a computer and the government and large companies rely heavily of computer systems to operate, the government is pouring enormous resources and manpower into the detection and prosecution of computer crimes. As a result, the number of prosecutions continues to rise in number and complexity. The computer cime attorneys. atBreeding Carter in Knoxville have represented some of the most high profile hacking cases ever brought by the U.S. government. We have significant experience engaging and arguing against the attorneys in the DOJ cybercrime division. Our attorneys have been cleared in previous cases to deal with classified information. If you have been contacted about or charged with a Computer Fraud and Abuse Act violation, call immediately. Early intervention is extremely important. Let the innovative federal criminal defense attorneys at Breeding Carter provide you with the defense you deserve.

Contact us

Get To Know Us With An Initial Consultation

If you have questions, contact us at 865-670-8535 or fill out our online contact form. We respond promptly to inquiries.