The Computer Fraud And Abuse Act Subject To Different Interpretations


Among its various provisions, the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030, subjects a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer” to criminal penalties (§ 1030(a)(2)(C), (c)). Section 1030(a)(4) also prohibits “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value….” A “protected computer” is one used in or affecting interstate commerce (§ 1030(e)(2)(B)). The phrase “without authorization” is not defined in the statute, but “exceeds authorized access” is defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter” (§ 1030(e (6)). While a criminal statute, civil suits may be brought under the CFAA in certain circumstances.

One open question is whether the CFAA imposes liability on employees who have permission to access computerized information but use the permitted access for an improper purpose? The federal courts are currently split on the issue.

LOADING PDF: If there are any problems, click here to download the file.