Everything You Need to Know about CFAA

The business world can be a very cut-throat arena when the competition gets stiff. Often, people may turn to not-so-legal dealings in a bid to get even a slight advantage over their competitors. And in this modern era, the bid will more than likely involve the use of a computer. Hence, the Computer Fraud and Abuse Act (CFAA) is meant to be a deterrent against using technology for nefarious purposes. Yes, the CFAA seeks to protect enterprises as well as individuals.

Introduction to CFAA

The Computer Fraud and Abuse Act was originally enacted by Congress in 1986 as an amendment to an existing computer fraud law. It has been amended several times since. In this respect, it is a broad law that seeks to prohibit a plethora of activities related to computers and their networks that are deemed illegal. The CFAA criminalizes, among other things, accessing a computer without authorization, trafficking in passwords and access information, and extortion involving computers.

Overview of the law

As mentioned, the CFAA is a broad law. It lists the following activities as illegal:

  • accessing national security information,
  • compromising confidentiality,
  • accessing a government computer without authorization,
  • getting access to defraud and obtain value,
  • causing damage to a computer or information,
  • trafficking in passwords and access information,
  • and threatening to damage a computer.

Strictly speaking, the original intent of the CFAA was to cover protected computers only, such as those in the federal system. But, owing to the nature of modern-day communication and technological advancements, it now extends to ordinary computers and mobile phones as well.

Consequences of violating the act

The penalties for committing any of the above mentioned activities will vary according to the crime.  For example, illegally accessing classified information will get you charged with a felony, while accessing financial records or government computers is considered a misdemeanor offense. Felony convictions are punishable with either a fine or a sentence of up to 10 years, or both. A second conviction is punishable with either a fine or a sentence of not more than 20 years, or both.


One of the biggest arguments against the CFAA has been that it is not clear and that, as such, it is wide-open to interpretation. Cases such as United States v. Drew and United States v. Nosal have left people arguing that some legal actions were less about illegal accessing of computers and more about prosecutors twisting the Act to suit their own agendas. Often, for example, prosecutors suggest that violation of private agreements is tantamount to violating the CFAA. Critics of this Act also argue against what they see as its excessive penalties, with first-time offenders facing up to five years behind bars for accessing computers without adequate authorization.

A clearer, less punitive definition of unauthorized access has emerged from a recent appellate court decision in HiQ Labs vs. LinkedIn (September 2019). For details of the issues and outcome in that case, see our article Web Scraping and CFAA – A Big Step Toward Clarity.

Staying on the right side

Every law written by human beings will inevitably face opposition, no matter how much legal weight it may appear to hold. The Computer Fraud and Abuse Act was brought into existence by the need to protect enterprises, governments, and individuals from criminal use of technology. It has its merits, but it also has several ambiguous provisions that have aroused controversy over the years. However, regardless of what one may think of this Act, the knowledge of it is imperative for everyone who uses a computer and accesses the Internet, which is just about everyone.


This post may contain affiliate links.