Cybercrime has been on the rise in recent years. In response, the federal government has shown an increased interest in prosecuting cybercrime offenses. The Computer Fraud and Abuse Act, codified at 18 U.S.C. Section 1030, is the leading cybercrime statute in the United States. The CFAA provides for varying penalties, ranging from fines to lifetime terms of federal imprisonment, depending on the severity of the claims. Regardless, any allegation of cybercrime carries the potential for a harsh sentence and must be taken seriously.
The States with the Most Cybercrimes
By their very nature, cybercrimes ignore state and national borders. In part, this is what brings federal prosecutors into the fray, as cases involving crimes committed across state lines trigger the federal court’s diversity jurisdiction. However, the vast majority of cybercrimes are committed in ten states:
- California – More than 60,000 cybercrimes involving approximately $621 million in losses
- Florida – More than 53,000 cybercrimes involving approximately $415 million in losses
- Texas – More than 38,000 cybercrimes involving approximately $313 million in losses
- New York– More than 34,000 cybercrimes involving approximately $295 million in losses
- Illinois– More than 20,000 cybercrimes involving approximately $170 million in losses
- Pennsylvania – More than 18,000 cybercrimes involving approximately $150 million in losses
- Washington – More than 17,000 cybercrimes involving approximately $115 million in losses
- Nevada – More than 16,000 cybercrimes involving approximately $108 million in losses
- New Jersey – More than 14,000 cybercrimes involving approximately $101 million in losses
- Maryland – More than 14,000 cybercrimes involving approximately $100 million in losses
While it isn’t a surprise that many of these states are on the list, due to their large population, population alone doesn’t explain the high rate of cybercrimes in these states. Whether the rate of cybercrimes in these states is significantly higher than in other states or federal prosecutors in these states are more prone to investigate cybercrimes remains unknown. However, the reality of the situation is that federal investigators across the country are starting to come down hard on those suspected of any type of cybercrime.
The Computer Fraud and Abuse Act
As noted above, most cybercrime prosecutions fall under the Computer Fraud and Abuse Act (CFAA). The CFAA covers an incredibly broad range of crimes related to unauthorized access to electronic devices. It also considers an unsuccessful attempt to commit a violation as serious as though the crime was carried out. The CFAA also allows for the prosecution of those who played a minor role in a cybercrime through conspiratorial liability.
The CFAA outlines seven categories of offenses:
- Accessing a computer containing protected national defense or foreign relations information without authorization;
- Obtaining financial records, government records or other data from a protected computer through unauthorized access;
- Accessing a computer belonging to the federal government without authorization;
- Breaching another’s computer with the intent to defraud;
- Causing damage to a computer through unauthorized access;
- Sale or trafficking of passwords or other protected data; and
- Using a computer to make threats of demands with the intent to extort
Thus, under the CFAA, the federal government is not only concerned about unauthorized access to government-owned technology but also business and personal computers.
A Recent Example of a Cybercrime Prosecution
Cybercrimes are sometimes brought as freestanding allegations; however, more often, charges under the CFAA are brought in conjunction with other crimes. For example, if someone uses a computer to commit extortion, they could be charged with CFAA violations in addition to the underlying extortion offenses. In this way, the fact that a computer was used to commit a crime enhances the seriousness of the offense.
One recent example of a cybercrime offense that made national headlines was the federal prosecution of an employee of a major home-security company. The case involved a man who worked for ADT. According to the government, the man added his own email address to customers’ accounts, giving him real-time access to the video surveillance cameras in their homes.
To gain access, the man would tell some customers that he needed to add his email to their account to perform necessary maintenance. However, the U.S. Attorney also alleged that he would surreptitiously add his email address to some customers’ accounts without the customers’ knowledge.
Adding to the seriousness of the case is the fact that the man selectively chose women he found to be attractive. The evidence suggested that he accessed more than 200 customers’ accounts, viewing the videos more than 9,500 times. In a subsequent plea agreement, the man admitted he watched videos of naked women and couples having sex for his own sexual gratification.
Ultimately, the man was charged with several counts of computer fraud and, as a result, he faced up to five years in prison. Rather than take the case to trial, the security technician entered a guilty plea, after which he received a slightly mitigated sentence of 52 months incarceration.
Defending Against Cybersecurity Crimes Brought Under the Computer Fraud and Abuse Act
Given the all-encompassing nature of the CFAA, there are many defenses to these crimes. However, on the other hand, no single defense applies to each case. Some of the most common defense strategies to allegations of cybercrime include the following:
Challenging the Government’s Claim Access Was Unauthorized
To be convicted of a CFAA offense, federal prosecutors must establish beyond a reasonable doubt that access to the computer at issue was unauthorized. However, even those who are granted some access to a computer can exceed their permitted authorization, bringing their conduct within the scope of the CFAA. That said, in some cybercrime prosecutions, the government’s evidence of unauthorized use may be circumstantial, allowing a defendant to challenge this necessary element.
Offering an Innocent Explanation for Seemingly Unauthorized Access
Every subsection of the CFAA requires a person to act with some form of knowledge or intent. Of course, the knowledge and intent requirements vary somewhat between subsections. However, providing an innocent explanation for what initially may seem to be unauthorized access can be a defense to charges under the CFAA. Depending on the situation, even successfully proving a lack of criminal intent to one aspect of an offense may not wholly absolve a defendant of liability. However, such a defense may result in less serious charges or convince federal prosecutors to offer a more favorable plea agreement.
Challenging the “Protected” Nature of a Computer
The CFAA outlines what constitutes a “protected computer.” More specifically, a protected computer is one that meets one of the following criteria:
- Exclusively for the use of the federal government;
- Exclusively for the use of financial institutions;
- Used in or affecting interstate or foreign commerce or communication; and
- Used as part of a voting system.
While some offenses will be difficult to challenge based on the protected nature of a computer, there can be some gray areas in many cases.
Challenging the “Access” Element
Several of the subsections of the CFAA require the government to prove the defendant accessed a protected computer. However, proving that a defendant obtained information through unauthorized access of a protected computer can be challenging for federal prosecutors. For example, if the information was available through other sources, prosecutors may not be able to prove beyond a reasonable doubt that the defendant obtained the information from a protected source.
Dr. Nick Oberheiden, a cybercrime defense attorney, explains,
Few federal statutes are as broadly phrased as the CFAA. Federal prosecutors know this and use the CFAA as a way to prosecute all types of crimes that may otherwise remain in state court. When a case is brought in federal court, defendants face enhanced punishments. Additionally, federal prosecutors are typically highly experienced attorneys who possess advanced knowledge of the crimes they prosecute, making it harder to defend against the allegations. The result is that many defendants facing allegations under the CFAA find themselves overwhelmed by the resources and skills of federal prosecutors.
Cybercrimes affect hundreds of thousands of Americans each year, making this an issue of national importance for federal prosecutors. And given the harsh penalties that come along with a conviction under the CFAA, as well as the complexity of these cases, anyone facing a cybercrime investigation should reach out to an experienced cybercrime defense lawyer for immediate assistance.