Computer Fraud and Abuse Act: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
(New page: ==Computer Fraud and Abuse Act== ==Cumulative Supplement== '''Cases:''' Hotel licensee's spoofing of licensor's computers, in and of itself, constituted the unlawful, intentional trans...)
 
No edit summary
Line 1: Line 1:
==Computer Fraud and Abuse Act==
==Computer Fraud and Abuse Act==
The '''Computer Fraud and Abuse Act''' is a law passed by the United States Congress in 1984 intended to reduce [[Security cracking|cracking]] of computer systems and to address federal computer-related offenses. The Computer Fraud and Abuse Act (codified as [[USC 18 1030]] governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature,  or computers used in interstate and foreign commerce.  It was amended in 1986, 1994, 1996, in 2001 by the [[USA PATRIOT Act]], and in 2008 by the [[Identity Theft Enforcement and Restitution Act]]. Subsection (b) of the act punishes anyone who not just commits or attempts to commit an offense under the Computer Fraud and Abuse Act but also those who conspire to do so.<br>
<br>
The CFAA has specifically defined “protected computers” under [[USC 18 1030(e)(2)]] to mean a computer:
* exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
* which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;


==Cumulative Supplement==  
==Evolution of the act==
===PATRIOT Act===
The USA PATRIOT Act increased the scope and penalties of this act by:
* Raising the maximum penalty for violations to 10 years (from 5) for a first offense and 20 years (from 10) for a second offense;
* Ensuring that violators only need to intend to cause damage generally, not intend to cause damage or other specified harm over the $5,000 statutory damage threshold;
* Allowing aggregation of damages to different computers over a year to reach the $5,000 threshold;
* Enhancing punishment for violations involving any (not just $5,000) damage to a government computer involved in criminal justice or the military;
* Including damage to foreign computers involved in US interstate commerce;
* Including state law offenses as priors for sentencing; and
* Expanding the definition of loss to expressly include time spent investigating and responding (this is why it is important for damage assessment and for restoration)
* Selling a computer that has had a virus or currently has a virus is committing a federal offense that will be carried out with a sentence of up to 5 years in a federal state penitentiary, and,or a fine of up to $7,000


'''Cases:'''
===Identity Theft Enforcement and Restitution Act===
The Identity Theft Enforcement and Restitution Act enhanced the jurisdiction of the Computer Fraud and Abuse Act by:
* Eliminating the requirement in [[USC 18 1030(a)(5)]] that the defendant’s action must result in a loss exceeding $5,000;
* Adding a provision to [[USC 18 1030(c)(4)]] that makes it a felony to cause damage to ten or more computers;
* Expanding jurisdiction for cases involving theft of information from computers by eliminating the requirement  that information must have been stolen through an interstate or foreign communication;
* Enhancing prosecution for extortion related to computers by expanding [[USC 18 1030(a)(7)]] to criminalize not only explicit threats to cause damage to a computer, but also threats (1) to steal data on a victim’s computer, (2) to publicly disclose stolen data, or (3) to not repair damage the offender already caused to the computer;
* Amending [[USC 18 3663(b)]] to make clear that restitution orders for identity theft cases may include an amount equal to the value of the victim’s time spent in remediation of the actual or intended harm of the identity theft or aggravated identity theft offense;
* Creating a criminal offense for conspiring to commit a computer hacking offense under [[USC 18 1030]];
* Broadening the definition of "protected computer" in [[USC 18 1030(e)(2)(b)]] to the full extent of Congress' commerce power by including those computers used in or affecting interstate or foreign commerce or communication;
* Providing a mechanism for forfeiture of property used in or derived from violations of [[USC 18 1030]].


Hotel licensee's spoofing of licensor's computers, in and of itself, constituted the unlawful, intentional transmission of a program, code or command that caused damage within meaning of Computer Fraud and Abuse Act (CFAA). 18 U.S.C.A. § 1030(a)(5)(B)(i). Four Seasons Hotels and Resorts B.V. v. Consorcio Barr, S.A., 267 F. Supp. 2d 1268 (S.D. Fla. 2003); West's Key Number Digest, Telecommunications 461.15.
==Criminal Offenses Under The Computer Fraud and Abuse Act==
#Knowingly accessing a computer without authorization in order to obtain national security data
#Intentionally accessing a computer without authorization to obtain:
#*Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer.
#*Information from any department or agency of the United States
#*Information from any protected computer if the conduct involves an interstate or foreign communication
#Intentionally accessing without authorization a government computer and affecting the use of the government's operation of the computer.
#Knowingly accessing a protected computer with the intent to defraud and there by obtaining anything of value.
#Knowingly causing the transmission of a program, information, code, or command that causes damage or intentionally accessing a computer without authorization, and as a result of such conduct, causes damage that results in:
#*Loss to one or more persons during any one-year period aggregating at least $5,000 in value.
#*The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
#*Physical injury to any person.
#*A threat to public health or safety.
#*Damage affecting a government computer system
#Knowingly and with the intent to defraud, trafficking in a password or similar information through which a computer may be accessed without authorization.


'''Computer Fraud and Abuse Act:''' Any "loss" actionable under Computer Fraud and Abuse Act (CFAA) is subject to Act's damages minimum, even though "loss" is mentioned separately from "damages" in CFAA provision creating right of action on part of anyone "who suffers damage or loss by reason of" violation; separate use of "loss" was intended to target remedial expenses as opposed to direct damage caused by computer "hacker." 18 U.S.C.A. § 1030(e)(8)(A), (g). In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D. N.Y. 2001); West's Key Number Digest, Telecommunications 461.15.
==Decisions referring to this act==
* Hotel licensee's spoofing of licensor's computers, in and of itself, constituted the unlawful, intentional transmission of a program, code or command that caused damage within meaning of Computer Fraud and Abuse Act (CFAA). 18 U.S.C.A. § 1030(a)(5)(B)(i). Four Seasons Hotels and Resorts B.V. v. Consorcio Barr, S.A., 267 F. Supp. 2d 1268 (S.D. Fla. 2003); West's Key Number Digest, Telecommunications 461.15.<br>
<br>
* ''Theofel v. Farey Jones'', 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit). Using a civil subpoena which is “patently unlawful”, “bad faith” and “at least gross negligence” to gain access to stored email is a breach of this act and the [[Stored Communications Act]].<br>
<br>
* '''Computer Fraud and Abuse Act:''' Any "loss" actionable under Computer Fraud and Abuse Act (CFAA) is subject to Act's damages minimum, even though "loss" is mentioned separately from "damages" in CFAA provision creating right of action on part of anyone "who suffers damage or loss by reason of" violation; separate use of "loss" was intended to target remedial expenses as opposed to direct damage caused by computer "hacker." 18 U.S.C.A. § 1030(e)(8)(A), (g). In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D. N.Y. 2001); West's Key Number Digest, Telecommunications 461.15.
 
==See also==
*[[Information technology audit]]
*[[Computer security audit]]
*[[Computer fraud case studies]]
*[[Electronic Communications Privacy Act]]
*[[The Hacker Crackdown]] (discussing the application of this law in the infamous hacker crackdown of the late 1980s and early 1990s)
*[[MBTA v. Anderson]]
*[[Protected Computer]]
*[[In re DoubleClick]]
 
==External links==
 
[[Category:Computer law]]
[[Category:Information technology audit]]

Revision as of 10:53, 1 May 2010

Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1984 intended to reduce cracking of computer systems and to address federal computer-related offenses. The Computer Fraud and Abuse Act (codified as USC 18 1030 governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or computers used in interstate and foreign commerce. It was amended in 1986, 1994, 1996, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft Enforcement and Restitution Act. Subsection (b) of the act punishes anyone who not just commits or attempts to commit an offense under the Computer Fraud and Abuse Act but also those who conspire to do so.

The CFAA has specifically defined “protected computers” under USC 18 1030(e)(2) to mean a computer:

  • exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
  • which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

Evolution of the act

PATRIOT Act

The USA PATRIOT Act increased the scope and penalties of this act by:

  • Raising the maximum penalty for violations to 10 years (from 5) for a first offense and 20 years (from 10) for a second offense;
  • Ensuring that violators only need to intend to cause damage generally, not intend to cause damage or other specified harm over the $5,000 statutory damage threshold;
  • Allowing aggregation of damages to different computers over a year to reach the $5,000 threshold;
  • Enhancing punishment for violations involving any (not just $5,000) damage to a government computer involved in criminal justice or the military;
  • Including damage to foreign computers involved in US interstate commerce;
  • Including state law offenses as priors for sentencing; and
  • Expanding the definition of loss to expressly include time spent investigating and responding (this is why it is important for damage assessment and for restoration)
  • Selling a computer that has had a virus or currently has a virus is committing a federal offense that will be carried out with a sentence of up to 5 years in a federal state penitentiary, and,or a fine of up to $7,000

Identity Theft Enforcement and Restitution Act

The Identity Theft Enforcement and Restitution Act enhanced the jurisdiction of the Computer Fraud and Abuse Act by:

  • Eliminating the requirement in USC 18 1030(a)(5) that the defendant’s action must result in a loss exceeding $5,000;
  • Adding a provision to USC 18 1030(c)(4) that makes it a felony to cause damage to ten or more computers;
  • Expanding jurisdiction for cases involving theft of information from computers by eliminating the requirement that information must have been stolen through an interstate or foreign communication;
  • Enhancing prosecution for extortion related to computers by expanding USC 18 1030(a)(7) to criminalize not only explicit threats to cause damage to a computer, but also threats (1) to steal data on a victim’s computer, (2) to publicly disclose stolen data, or (3) to not repair damage the offender already caused to the computer;
  • Amending USC 18 3663(b) to make clear that restitution orders for identity theft cases may include an amount equal to the value of the victim’s time spent in remediation of the actual or intended harm of the identity theft or aggravated identity theft offense;
  • Creating a criminal offense for conspiring to commit a computer hacking offense under USC 18 1030;
  • Broadening the definition of "protected computer" in USC 18 1030(e)(2)(b) to the full extent of Congress' commerce power by including those computers used in or affecting interstate or foreign commerce or communication;
  • Providing a mechanism for forfeiture of property used in or derived from violations of USC 18 1030.

Criminal Offenses Under The Computer Fraud and Abuse Act

  1. Knowingly accessing a computer without authorization in order to obtain national security data
  2. Intentionally accessing a computer without authorization to obtain:
    • Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer.
    • Information from any department or agency of the United States
    • Information from any protected computer if the conduct involves an interstate or foreign communication
  3. Intentionally accessing without authorization a government computer and affecting the use of the government's operation of the computer.
  4. Knowingly accessing a protected computer with the intent to defraud and there by obtaining anything of value.
  5. Knowingly causing the transmission of a program, information, code, or command that causes damage or intentionally accessing a computer without authorization, and as a result of such conduct, causes damage that results in:
    • Loss to one or more persons during any one-year period aggregating at least $5,000 in value.
    • The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
    • Physical injury to any person.
    • A threat to public health or safety.
    • Damage affecting a government computer system
  6. Knowingly and with the intent to defraud, trafficking in a password or similar information through which a computer may be accessed without authorization.

Decisions referring to this act

  • Hotel licensee's spoofing of licensor's computers, in and of itself, constituted the unlawful, intentional transmission of a program, code or command that caused damage within meaning of Computer Fraud and Abuse Act (CFAA). 18 U.S.C.A. § 1030(a)(5)(B)(i). Four Seasons Hotels and Resorts B.V. v. Consorcio Barr, S.A., 267 F. Supp. 2d 1268 (S.D. Fla. 2003); West's Key Number Digest, Telecommunications 461.15.


  • Theofel v. Farey Jones, 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit). Using a civil subpoena which is “patently unlawful”, “bad faith” and “at least gross negligence” to gain access to stored email is a breach of this act and the Stored Communications Act.


  • Computer Fraud and Abuse Act: Any "loss" actionable under Computer Fraud and Abuse Act (CFAA) is subject to Act's damages minimum, even though "loss" is mentioned separately from "damages" in CFAA provision creating right of action on part of anyone "who suffers damage or loss by reason of" violation; separate use of "loss" was intended to target remedial expenses as opposed to direct damage caused by computer "hacker." 18 U.S.C.A. § 1030(e)(8)(A), (g). In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D. N.Y. 2001); West's Key Number Digest, Telecommunications 461.15.

See also

External links