Computer Fraud and Abuse Act of 1986

Citation: Computer Fraud and Abuse Act, codified at 18 U.S.C. §1030.

Introduction
In the early 1980s law enforcement agencies lacked criminal laws designed to fight the emerging computer crimes. Although the wire and mail fraud provisions of the federal criminal code were capable of addressing some types of computer-related criminal activity, neither of those statutes provided the full range of tools needed to combat these new crimes.

In response, Congress included in the Comprehensive Crime Control Act of 1984 provisions to address the unauthorized access and use of computers and computer networks. The legislative history indicates that Congress intended these provisions to provide "a clearer statement of proscribed activity" to "the law enforcement community, those who own and operate computers, as well as those who may be tempted to commit crimes by unauthorized access."

Congress did this by making it a felony to access classified information in a computer without authorization, and a misdemeanor to access financial records or credit histories stored in a financial institution or to trespass into a government computer. In so doing, Congress opted not to add new provisions regarding computers to existing criminal laws, but rather to address federal computer-related offenses in a single, new statute.

Even after enacting Section 1030, Congress continued to investigate problems associated with computer crime to determine whether federal criminal laws required further revision. Throughout 1985, both the House and the Senate held hearings on potential computer crime bills, continuing the efforts begun in the year before. These hearings culminated in the Computer Fraud and Abuse Act (CFAA), enacted by Congress in 1986, which amended 18 U.S.C. §1030.

In the CFAA, Congress attempted to strike an "appropriate balance between the Federal Government's interest in computer crime and the interests and abilities of the States to proscribe and punish such offenses." Congress addressed federalism concerns in the CFAA by limiting federal jurisdiction to cases with a compelling federal interest &mdash; i.e., where computers of the federal government or certain financial institutions are involved, or where the crime itself is interstate in nature.

In addition to clarifying a number of the provisions in the original Section 1030, the CFAA also criminalized additional computer-related acts. For example, Congress added a provision to penalize the theft of property via computer that occurs as a part of a scheme to defraud. Congress also added a provision to penalize those who intentionally alter, damage, or destroy data belonging to others. This latter provision was designed to cover such activities as the distribution of malicious code and denial of service attacks. Finally, Congress also included in the CFAA a provision criminalizing trafficking in passwords and similar items.

As computer crimes continued to grow in sophistication, the CFAA required further amendment, which Congress did in 1988, 1989, 1990, 1994, 1996, 2001, and 2002. The current version of the CFAA includes seven types of criminal activity. Attempts to commit these crimes are also crimes. Lawfully authorized activities of law enforcement or intelligence agencies are explicitly excluded from coverage of Section 1030.

Obtaining National Security Information: 18 U.S.C. §1030(a)(1)
The infrequently-used Section 1030(a)(1) punishes the act of obtaining national security information without or in excess of authorization and then willfully providing or attempting to provide the information to an unauthorized recipient, or willfully retaining the information.

18 U.S.C. §1030(a)(1):

"Whoever &mdash;
 * (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it. . .."

Knowingly Access a Computer Without Authorization or In Excess of Authorization
Prosecutors must prove that the defendant knowingly accessed a computer without authorization or in excess of authorization. This covers both completely unauthorized individuals who intrude into a computer containing national security information as well as insiders with limited privileges who manage to access portions of a computer or computer network to which they have not been granted access. The scope of authorization will depend upon the facts of each case. However, it is worth noting that computers and computer networks containing national security information will normally be classified and incorporate security safeguards and access controls of their own, which should facilitate proving this element.

Obtain National Security Information
The information obtained must be national security information, meaning information "that has been determined by the United States Government pursuant to an Executive Order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954." An example of national security information used in Section 1030(a)(1) would be classified information obtained from a Department of Defense computer or restricted data obtained from a Department of Energy computer.

Information Could Injure the United States or Benefit a Foreign Nation
Prosecutors must prove that the defendant had reason to believe that the national security information so obtained could be used to the injury of the United States or to the advantage of any foreign nation. The fact that the national security information is classified or restricted, along with proof of the defendant's knowledge of that fact, should be sufficient to establish this element of the offense.

Willful Communication, Delivery, Transmission, or Retention
Prosecutors must prove that the defendant willfully communicated, delivered, or transmitted the national security information, attempted to do so, or willfully retained the information instead of delivering it to the intended recipient. This element could be proven through evidence showing that the defendant did any of the following: (a) communicated, delivered, or transmitted national security information, or caused it to be communicated, delivered, or transmitted, to any person not entitled to receive it; (b) attempted to communicate, deliver, or transmit national security information, or attempted to cause it to be communicated, delivered, or transmitted to any person not entitled to receive it; or (c) willfully retained national security information and failed to deliver it to an officer or employee of the United States who is entitled to receive it in the course of their official duties.

Penalties
Convictions under this section are felonies punishable by a fine, imprisonment for not more than ten years, or both. A violation that occurs after another conviction under Section 1030 is punishable by a fine, imprisonment for not more than twenty years, or both.

Historical Background
Section 1030(a)(1) was originally enacted in 1984 and was substantially amended in 1996. As originally enacted, Section 1030(a)(1) provided that anyone who knowingly accessed a computer without authorization or in excess of authorization and obtained classified information "with the intent or reason to believe that such information so obtained is to be used to the injury of the United States, or to the advantage of any foreign nation" was subject to a fine or imprisonment for not more than ten years for a first offense. This scienter element mirrored that of 18 U.S.C. §794(a), the statute that prohibits gathering or delivering defense information to aid a foreign government.

Section 794(a), however, provides for life imprisonment, whereas Section 1030(a)(1) is only a ten-year felony. Based on that distinction, Congress amended Section 1030(a)(1) in 1996 to track more closely the language of 18 U.S.C. §793(e), which also provides a maximum penalty of ten years' imprisonment, for obtaining from any source certain information connected with the national defense and thereafter communicating or attempting to communicate it in an unauthorized manner.

This section is used quite rarely. However, a four-count information was filed in the U.S. District Court for the District of New Jersey on May 4, 2006, which charged Leandro Aragoncillo, an FBI intelligence analyst assigned to the Ft. Monmouth Information Technology Center, with, among other things, a Section 1030(a)(1) violation. Aragoncillo pleaded guilty to the information, and admitted that he used his FBI computer to access classified documents through the FBI's Automated Case System and transmit the information contained in the documents to former and current officials of the Philippine government.

Although Sections 793(e) and 1030(a)(1) overlap, the two statutes do not reach exactly the same conduct. Section 1030(a)(1) requires proof that the individual knowingly accessed a computer without or in excess of authority and thereby obtained national security information, and subsequently performed some unauthorized communication or other improper act with that data.

In this way, it focuses not only on the possession of, control over, or subsequent transmission of the information (as Section 793(e) does), but also focuses on the improper use of a computer to obtain the information itself. Existing espionage laws such as Section 793(e) provide solid grounds for the prosecution of individuals who attempt to peddle governmental secrets to foreign governments. However, when a person, without authorization or in excess of authorized access, deliberately accesses a computer, obtains national security information, and seeks to transmit or communicate that information to any prohibited person, prosecutors should consider charging a violation Section 1030(a)(1) in addition to considering charging a violation of Section 793(e).

Section 808 of the USA PATRIOT Act added Section 1030(a)(1) to the list of crimes in that are considered to be "Federal Crime[s] of Terrorism" under 18 U.S.C. §2332b(g)(5)(B). This addition affects prosecutions under Section 1030(a)(1) in three ways. First, because offenses listed under Section 2332b(g)(5)(B) are now incorporated into 18 U.S.C. §3286, the statute of limitation for subsection (a)(1) is extended to eight years, and is eliminated for offenses that resulted in, or created a foreseeable risk of, death or serious bodily injury to another person. Second, the term of supervised release after imprisonment for any offense listed under Section 2332b(g)(5)(B) that resulted in, or created a foreseeable risk of, death or serious bodily injury to another person, can be any term of years or life. 18 U.S.C. §3583. Formerly, the maximum term of supervised release for any violation of Section 1030 was five years.

Third, the USA PATRIOT Act] added the offenses listed in Section 2332b(g)(5)(B) to 18 U.S.C. §1961(1), making them predicate offenses for prosecution under the Racketeer Influenced and Corrupt Organizations Act (RICO). As a result, any "RICO enterprise" (which may include terrorist groups) that carries out acts of cyberterrorism in violation of Section 1030(a)(1) (or Section 1030(a)(5)(A)(i)) can now be prosecuted under the RICO statute.

Compromising Confidentiality: 18 U.S.C. §1030(a)(2)
The distinct but overlapping crimes established by the three subsections of Section 1030(a)(2) punish the unauthorized access of different types of information and computers. Violations of this section are misdemeanors unless aggravating factors exist. Also, some intrusions may violate more than one subsection. For example, a computer intrusion into a federal agency's computer might be covered under the latter two subsections.

Section 1030(a)(2) does not impose a monetary threshold for a violation, in recognition of the fact that some invasions of privacy do not lend themselves to monetary valuation but still warrant federal protection. If not authorized, downloading sensitive personnel information from a company's computer (via an interstate communication) or gathering personal data from the National Crime Information Center would both be serious violations of privacy which do not easily lend themselves to a dollar valuation of the damage. Although there is no monetary threshold for establishing an offense under Section 1030(a)(2), the value of the information obtained during an intrusion is important when determining whether a violation constitutes a misdemeanor or a felony.

Title 18, United States Code, Section 1030(a)(2) provides:

"Whoever &mdash;
 * (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains &mdash;
 * (A) information contained in a financial record of a financial institution, or of a card issuer as defined in Section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. §1681 et seq.);
 * (B) information from any department or agency of the United States; or
 * (C) information from any protected computer if the conduct involved an interstate or foreign communication . . . shall be punished as provided in subsection (c) of this section."

Intentionally Access a Computer
A violation of this section requires that the defendant actually be the one to access a computer without authorization rather than merely receive information that was accessed without authorization by another. For example, if A obtains information in violation of Section 1030(a)(2) and forwards it to B, B has not violated this section, even if B knew the source of the information. Of course, B might be subject to prosecution for participating in a criminal conspiracy to violate this section.

Without or In Excess of Authorization
A violation of this section requires that the access by without authorization or in excess of authorization.

Obtained Information
The term "obtaining information" is an expansive one, which includes merely viewing information online without downloading or copying it. information stored electronically can be obtained not only by actual physical theft, but by "mere observation of the data." The "crux of the offense under SubSection 1030(a)(2)(C) . . . is the abuse of a computer to obtain the information."

"Information" includes intangible goods, settling an issue raised by the Tenth Circuit's decision in United States v. Brown. In Brown, the appellate court held that purely intangible intellectual property, such as a computer program, did not constitute goods or services that can be stolen or converted. In the 1996 amendments to Section 1030, Congress clarified this issue, stating that Section 1030(a)(2) would "ensure that the theft of intangible information by the unauthorized use of a computer is prohibited in the same way theft of physical items are protected."

Financial Institution or Consumer Reporting Agency
To prove a violation of Section 1030(a)(2)(A), obtaining information related to the Fair Credit Reporting Act (FCRA), the violation must be willful. To prove willfulness under the FCRA, the government must show that the defendant knowingly and intentionally committed an act in conscious disregard for the rights of a consumer.

Department or Agency of the United States
Whether a company working as a private contractor for the government constitutes a "department or agency of the United States" for purposes of prosecution under Subsection (a)(2)(B) has not been addressed by any court. However, the argument that private contractors are intended to be covered by this section may be undercut by Section 1030(a)(3), which includes language permitting prosecution of trespass into government systems and non-government systems, if "such conduct affects that use by or for the Government of the United States." The existence of this language suggests that if Congress had intended to extend the reach of Section 1030(a)(2) beyond computers owned by the federal government, it would have done so using language it used elsewhere in Section 1030.

Protected Computer
The term "protected computer" is defined in Section 1030(e)(2).

Interstate or Foreign Communication
Note that a violation of this subsection must involve an actual interstate or foreign communication and not merely the use of an interstate communication mechanism, as other parts of the CFAA allow. The intent of this subsection is to protect against the interstate or foreign theft of information by computer, not to give federal jurisdiction over all circumstances in which someone unlawfully obtains information via a computer. Therefore, using the Internet or connecting by telephone to a network may not be sufficient to charge a violation of this subsection where there is no evidence that the victim computer was accessed using some type of interstate or foreign communication.

Penalties
Violations of Section 1030(a)(2) are misdemeanors punishable by a fine or a one-year prison term, unless aggravating factors apply. Merely obtaining information worth less than $5,000 is a misdemeanor, unless committed after a conviction of another offense under Section 1030. A violation or attempted violation of Section 1030(a)(2) is a felony if:


 * committed for commercial advantage or private financial gain,
 * committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State, or
 * the value of the information obtained exceeds $5,000.

If the aggravating factors apply, a violation is punishable by a fine, up to five years' imprisonment, or both.

Any reasonable method can be used to establish the value of the information obtained. For example, the research, development, and manufacturing costs or the value of the property "in the thieves' market" can be used to meet the $5,000 valuation. The terms "for purposes of commercial advantage or private financial gain" and "for the purpose of committing any criminal or tortious act" are taken from copyright law and the wiretap statute, respectively.

Historical Background
Originally, Section 1030(a)(2) protected individual privacy by criminalizing unauthorized access to computerized information and credit records relating to customers' relationships with financial institutions. In 1996, Congress expanded the scope of the section by adding two subsections that also protected information on government computers (§1030(a)(2)(B)) and computers used in interstate or foreign communication (§1030(a)(2)(C)).

In 1986, Congress changed the scienter requirement from "knowingly" to "intentionally." The first reason for the change was to ensure that only intentional acts of unauthorized access were prohibited, rather than "mistaken, inadvertent, or careless" acts of unauthorized access. The second reason for the change was a concern that the "knowingly" standard "might be inappropriate for cases involving computer technology." The specific concern was that a scienter requirement of "knowingly" might include an individual "who inadvertently 'stumble[d] into' someone else's computer file or computer data," especially where such individual was authorized to use a particular computer. The Senate Report offered that "[t]he substitution of an 'intentional' standard is designed to focus Federal criminal prosecutions on those whose conduct evinces a clear intent to enter, without proper authorization, computer files or data belonging to another."

Section 1030(a)(2) applies to computer access "without authorization" and access that "exceeds authorized access." The intent of this distinction is to differentiate between the conduct of insiders (i.e., individuals who have been granted some authority to access a computer) and outsiders (i.e., individuals who have no authority to access a computer).

Trespassing in a Government Computer: 18 U.S.C. §1030(a)(3)
Section 1030(a)(3) condemns unauthorized intrusion (“hacking”) into federal government computers whether they are used exclusively by the government or the government shares access with others. Congress limited this section's application to outsiders out of concern that federal employees could become unwittingly subject to prosecution or punished criminally when administrative sanctions were more appropriate. However, Congress intended interdepartmental trespasses (rather than intradepartmental trespasses) to be punishable under Section 1030(a)(3).

With the help of subsection 1030(b), Section 1030(a)(3) also outlaws attempted intrusions. In the case of shared computers, a crime only occurs if the unauthorized access “affects. . . use by or for” the government or would affect such use if an attempted effort had succeeded.

Note that Section 1030(a)(2) applies to many of the same cases in which Section 1030(a)(3) could be used. In such cases, Section 1030(a)(2) may be preferred because a first offense of Section 1030(a)(2) may be charged as a felony if certain aggravating factors are present, while a first offence of Section 1030(a)(3) is only a misdemeanor.

Title 18, United State Code, Section 1030(a)(3) provides:

"Whoever &mdash;
 * (3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States . . . shall be punished as provided in subsection (c) of this section."

Intent
The section only bans “intentional” trespassing. The congressional reports are instructive, for they make it apparent that the element cannot be satisfied by a mere inadvertent trespass and nothing more. It contemplates those who purposefully accomplish the proscribed unauthorized entry into a government computer, and, at least in the view of the House report, those “whose initial access was inadvertent but who then deliberatively maintains access after a non-intentional initial contact."

Without Authorization
By requiring that the defendant act without authorization to the computer and not criminalizing merely exceeding authorized access to a computer, Section 1030(a)(3) does not apply to situations in which employees merely "exceed authorized access" to computers in their own department. However, Congress also offered that Section 1030(a)(3) applies "where the offender's act of trespass is interdepartmental in nature." Thus, while federal employees may not be subject to prosecution under Section 1030(a)(3) as insiders as to their own agency's computers, they may be eligible for prosecution as outsiders in regard to intrusions into other agencies' computers. It is clear that Congress was willing to accept a certain degree of trespassing by government employees in order to protect whistleblowers:

"The Committee wishes to be very precise about who may be prosecuted under the new subsection (a)(3). The Committee was concerned that a Federal computer crime statute not be so broad as to create a risk that government employees and others who are authorized to use a Federal Government computer would not face prosecution for acts of computer access and use that, while technically wrong, should not rise to the level of criminal conduct. At the same time, the Committee was required to balance its concern for Federal employees and other authorized users against the legitimate need to protect Government computers against abuse by “outsiders.” The Committee struck that balance in the following manner.

In the first place, the Committee has declined to criminalize acts in which the offending employee merely ‘exceeds authorized access’ to computers in his own department (“department”’ is defined in section 2(g) of S.2281 [now 18 U.S.C. 1030(e)(7)]). It is not difficult to envision an employee or other individual who, while authorized to use a particular computer in one department, briefly exceeds his authorized access and peruses data belonging to the department that he is not supposed to look at. This is especially true where the department in question lacks a clear method of delineating which individuals are authorized to access certain of its data. The Committee believes that administrative sanctions are more appropriate than criminal punishment in such a case. The Committee wishes to avoid the danger that every time an employee exceeds his authorized access to his department's computers &mdash; no matter how slightly &mdash; he could be prosecuted under this subsection. That danger will be prevented by not including “exceeds authorized access” as part of this subsection's offense.

In the second place, the Committee has distinguished between acts of unauthorized access that occur within a department and those that involve trespasses into computers belonging to another department. The former are not covered by subsection (a)(3); the latter are. Again, it is not difficult to envision an individual who, while authorized to use certain computers in one department, is not authorized to use them all. The danger existed that S.2281, as originally introduced, might cover every employee who happens to sit down, within his department, at a computer terminal which he is not officially authorized to use. These acts can also be best handled by administrative sanctions, rather than by criminal punishment. To that end, the Committee has constructed its amended version of (a)(3) to prevent prosecution of those who, while authorized to use some computers in their department, use others for which they lack the proper authorization. By precluding liability in purely ‘insider’ cases such as these, the Committee also seeks to alleviate concerns by Senators Mathias and Leahy that the existing statute cases a wide net over “whistleblowers”. . ..

The Committee has thus limited 18 U.S.C. 1030(a)(3) to cases where the offender is completely outside the Government, and has no authority to access a computer of any agency or department of the United States, or where the offender's act of trespass is interdepartmental in nature. The Committee does not intend to preclude prosecution under this subsection if, for example, a Labor Department employee authorized to use Labor’s computers accesses without authorization an FBI computer. An employee who uses his department's computer and, without authorization, forages into data belonging to another department is engaged in conduct directly analogous to an ‘outsider’ tampering with Government computers. . ..

The Committee acknowledges that in rare circumstances this may leave serious cases of intradepartmental trespass free from criminal prosecution under (a)(3). However, the Committee notes that such serious acts may be subject to other criminal penalties if, for example, they violate trade secrets laws or 18 U.S.C. 1030(a)(1), (a)(4), (a)(5), or (a)(6), as proposed in this legislation."

S. Rep. No. 99-432 at 7-8 (1986); see also H.R. Rep. No. 99-612 at 11 (1986).

Nonpublic Computer of the United States
"Nonpublic" includes most government computers, but not Internet servers that, by design, offer services to members of the general public. For example, a government agency's database server is probably nonpublic, while the same agency's web servers and domain name servers are "public."

The computer must be "of" &mdash; meaning owned or controlled by &mdash; a department or agency of the United States.

The computer must also be either exclusively for the use of the United States, or at least used "by or for" the Government of the United States in some capacity. For example, if the United States has obtained an account on a private company's server, that server is used "by" the United States even though it is not owned by the United States.

Affected United States' Use of Computer
Demonstrating that the attacked computer is affected by an intrusion should be simple. Almost any network intrusion will affect the government's use of its computers because any intrusion potentially affects the confidentiality and integrity of the government's network and often requires substantial measures to reconstitute the network.

Section 1030(a)(3) "defines as a criminal violation the knowing unauthorized access or use of the system for any unauthorized purpose." Notably, it is not necessary to demonstrate that the intruder obtained any information from the computer, or that the intruder's trespass damaged the computer. It is not even necessary to show that the intruder's conduct "adversely" affected the government's operation of a computer. Under §1030(a)(3), there are no benign intrusions into government computers.

Statutory Penalties
Violations of this subsection are punishable by a fine of not more than $100,000 ($200,000 for organizations) and/or up to one year in prison, unless the individual has previously been convicted of a Section 1030 offense, in which case the punishment increases to a maximum of ten years in prison and/or a fine of not more than $250,000 ($500,000 for organizations).

Other Liability
Any property derived from a violation of Section 1030 is subject to confiscation by federal authorities who may proceed under either civil or criminal forfeiture procedures. Offenders are also subject to civil liability for any “person” who suffers “damage or loss” may sue for compensatory damages and/or injunctive relief, 18 U.S.C. §1030(g). Offenders may also be subject to a restitution order.

Relation to Other Statutes
Section 1030(a)(3) is not charged often, and few cases interpret it. This lack is probably because Section 1030(a)(2) applies in many of the same cases in which Section 1030(a)(3) could be charged. In such cases, Section 1030(a)(2) may be the preferred charge because statutory sentencing enhancements sometimes allow Section 1030(a)(2) to be charged as a felony on the first offense. A violation of Section 1030(a)(3), on the other hand, is only a misdemeanor for a first offense.

Historical Background
Congress added the term "nonpublic" in 1996, in recognition of the occasions when a department or agency authorizes access to some portions of its systems by the public, such as websites and interactive services. This addition eliminated the potential defense that intruders were not "without authorization to access any computer," if they had been given authority to access websites and other public networked services offered by the government. By adding the word "nonpublic," Congress clarified that persons who have no authority to access nonpublic computers of a department or agency may be convicted under Section 1030(a)(3), even if they are allowed to access publicly available computers.

During enactment of Section 1030(a)(3), the Department of Justice expressed concern that the section could be interpreted to require that the offender's conduct harm the overall operation of the Government, which would be an exceedingly difficult showing for federal prosecutors. Congress responded in 1996 by drafting Section 1030(a)(3) so that an offender's conduct need only affect the use of the Government's operation of the attacked computer rather than affect the Government as a whole.

Section 1030(a)(3) has remained essentially unchanged since 1986, and there appear to have been relatively few prosecutions under its provisions.

Accessing to Defraud and Obtain Value: 18 U.S.C. §1030(a)(4)
Title 18, United State Code, Section 1030(a)(4) provides:

"Whoever &mdash;
 * (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period shall be punished as provided in subsection (c) of this section."

Knowingly Access Without or In Excess of Authorization
One of the required elements of this section is access without authorization or access in excess of authorization.

With Intent to Defraud
The phrase "knowingly and with intent to defraud" is not defined by Section 1030. Very little case law under Section 1030 exists as to its meaning, leaving open the question of how broadly a court will interpret the phrase. On one hand, courts might interpret "intent to defraud" as requiring proof of the elements of common law fraud. On the other hand, courts might give more liberal meaning to the phrase "intent to defraud" and allow proof of mere wrongdoing or dishonesty to suffice.

In examining the phrase "to defraud" in the mail and wire fraud statutes, the Supreme Court rejected the notion that every "scheme or artifice that in its necessary consequence is one which is calculated to injure another [or] to deprive him of his property wrongfully" constitutes fraud under the mail fraud provision. In Fasulo, the court stated that "broad as are the words 'to defraud,' they do not include threat and coercion through fear or force." Instead, the Supreme Court placed emphasis on the central role of deception to the concept of fraud &mdash;"the words 'to defraud' . . . primarily mean to cheat, . . . usually signify the deprivation of something of value by trick, deceit, chicane, or overreaching, and . . . do not extend to theft by violence, or to robbery or burglary."

A broader alternative definition can be found in Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., a civil case involving Section 1030(a)(4). In that case, the court favored an expansive interpretation of "intent to defraud." In denying the defendant's motion to dismiss, the court held that the word "fraud" as used in Section 1030(a)(4) simply means "wrongdoing" and does not require proof of the common law elements of fraud. Thus, the plaintiff stated a sufficient cause of action under Section 1030(a)(4) by alleging that the defendant participated in "dishonest methods to obtain the plaintiff's secret information."

Shurgard does not directly address the U.S. Supreme Court decision in Fasulo, but nevertheless provides some basis for interpreting "fraud" in its broadest sense (i.e., finding "fraud" when there is evidence of "wrongdoing," as opposed to requiring proof of "trick, deceit, chicane, or overreaching").

In discussing the creation of Section 1030(a)(4), Congress specifically noted that "[t]he scienter requirement for this subsection, 'knowingly and with intent to defraud,' is the same as the standard used for 18 U.S.C. §1029 relating to credit card fraud." Interestingly, despite having specifically discussed the mail and wire fraud statutes in the context of Section 1030(a)(4), the Committee did not relate the scienter requirement of the term "to defraud" to the use of the term in the mail and wire fraud statutes, leaving open the question of whether the meaning and proof of "to defraud" is the same for Sections 1030(a)(4) and 1029, as it is for the mail and wire fraud statutes. As it is, there are no reported cases discussing the meaning of "to defraud" under section 1029.

Access Furthered the Intended Fraud
The defendant's illegal access of the protected computer must "further" a fraud. accessing a computer without authorization &mdash; or, more often, exceeding authorized access &mdash; can further a fraud in several ways. For example:

The term "by means of such conduct" explicitly links the unauthorized accessing of a protected computer to the furthering of the intended fraud. In creating this link, Congress wished to distinguish those cases of computer trespass where the trespass is used to further the fraud (covered by §1030(a)(4)) from those cases of fraud that involve a computer but the computer is only tangential to the crime (not covered by §1030(a)(4)). In order to fall within Section 1030(a)(4), "the use of the computer must be more directly linked to the intended fraud." The section does not apply simply because "the offender signed onto a computer at some point near to the commission or execution of the fraud." More explicitly, a fraudulent scheme does not constitute computer fraud just because a computer was used "to keep records or to add up [the] potential 'take' from the crime."
 * This element is met if a defendant alters or deletes records on a computer, and then receives something of value from an individual who relied on the accuracy of those altered or deleted records. In United States v. Butler, the defendant altered a credit reporting agency's records to improve the credit ratings of his coconspirators, who then used their improved credit rating to make purchases. In United States v. Sadolsky, the defendant used his employer's computer to credit amounts for returned merchandise to his personal credit card.
 * This element is met if a defendant obtains information from a computer, and then later uses that information to commit fraud. For example, in United States v. Lindsley, the defendant accessed a telephone company's computer without authorization, obtained calling card numbers, and then used those calling card numbers to make free long-distance telephone calls.
 * This element is met if a defendant uses a computer to produce falsified documents which are later used to defraud. For example, in United States v. Bae, the defendant used a lottery terminal to produce back-dated tickets with winning numbers, and then turned those tickets in to collect lottery prizes.

Obtains Anything of Value
This element is easily met if the defendant obtained money, cash, or a good or service with measurable value. Two more difficult cases arise when the defendant obtains only the use of a computer and when the defendant obtains only information.

Use of the Computer as a Thing of Value
The statute recognizes that the use of a computer can constitute a thing of value, but this element is satisfied only if the value of such use is greater than $5,000 in any one-year period.

This condition will be met only in rare cases. At the time the statute was written, it was common for owners of top-of-the-line supercomputers to rent the right to run programs on their computer by the hour. In 1986, for example, an hour of time on a Cray X-MP/48 supercomputer reportedly cost $1,000. Conceivably, repeated and sustained use of a very expensive modern computer could reach the statutory threshold within one year.

Data or Information as a Thing of Value
Aside from the "computer use" exception, subsection (a)(4) has no minimum dollar amount, unlike subsection (a)(5). Still, the legislative history suggests that some computer data or information, alone, is not valuable enough to qualify. In other words, if all that is obtained are the results of port scans, or the names and IP addresses of other servers, it may not count as something of value.

One case of particular note in this area is United States v. Czubinski. While the Czubinski case turned on the specific facts, the court's discussion can be instructive in assessing the parameters of the term "something of value." Specifically, Czubinski was employed as a Contact Representative in the Boston office of the Taxpayer Services Division of the Internal Revenue Service (IRS). As part of his official duties, Czubinski routinely accessed taxpayer-related information from an IRS computer system using a valid password provided to Contact Representatives. Despite IRS rules plainly forbidding employees from accessing taxpayer files outside the course of their official duties, Czubinski carried out numerous unauthorized searches of taxpayer records on a number of occasions. Based upon these actions, he was indicted and convicted for wire fraud and computer fraud.

On appeal, Czubinski argued that his conviction for violating Section 1030(a)(4) should be overturned because he did not obtain "anything of value." In reviewing the facts surrounding Czubinski's actions, the First Circuit agreed with Czubinski, stating that "[t]he value of information is relative to one's needs and objectives; here, the government had to show that the information was valuable to Czubinski in light of a fraudulent scheme. The government failed, however, to prove that Czubinski intended anything more than to satisfy idle curiosity."

Further elaborating on its holding, the court went on to explain that:

"[t]he plain language of Section 1030(a)(4) emphasizes that more than mere unauthorized use is required: the 'thing obtained' may not merely be the unauthorized use. It is the showing of some additional end &mdash; to which the unauthorized access is a means &mdash; that is lacking here. The evidence did not show that Czubinski's end was anything more than to satisfy his curiosity by viewing information about friends, acquaintances, and political rivals. No evidence suggests that he printed out, recorded, or used the information he browsed. No rational jury could conclude beyond a reasonable doubt that Czubinski intended to use or disclose that information, and merely viewing information cannot be deemed the same as obtaining something of value for the purposes of this statute."

The parameters of what constitutes a "thing of value" were further explored in In re America Online, Inc.. Specifically, America Online (AOL) was sued by computer users and competitor Internet service providers, alleging that AOL's software had caused damage to users' computers and had blocked utilization of competitors' software by potential users. In moving to dismiss the Section 1030(a)(4) allegation, AOL argued that the plaintiffs could not make out an actionable claim because they had failed to plead that AOL had deprived them of "anything of value." In response, the plaintiffs asserted that AOL's actions had deprived them of their subscribers "custom and trade" and that this interest constituted a "thing of value."

In distinguishing the case from Czubinski, the America Online court noted that "AOL allegedly has been motivated by more than the mere satisfaction of its curiosity [as was allegedly the sole motivation of the defendant in Czubinski]. AOL's alleged end is to obtain a monopoly, or at least secure its stronghold, as an ISP." Noting that the "typical item of value" in cases brought under the CFAA is usually data, the court observed that "in other areas of the law, customers have been found to be a thing of value." The court therefore found that "damage to an ISP's goodwill and reputation is actionable under the CFAA" and that "[b]ecause [the plaintiff] has alleged that AOL's actions have interfered with its relationships with its existing customers and potential subscribers, it has alleged that AOL has obtained something of value within the meaning of 18 U.S.C. §1030(a)(4)."

Statutory Penalties
A violation of Section 1030(a)(4) is punishable by a fine and up to five years in prison, unless the individual has been previously convicted of a Section 1030 offense, in which case the punishment increases to a maximum of ten years in prison.

Relation to Other Statutes
In appropriate cases, prosecutors may also want to consider charges under the wire fraud statute (18 U.S.C. §1343), which requires proof of many elements similar to those needed for Section 1030(a)(4). Unlike Section 1030(a)(4), however, which is punishable by a maximum of 5 years in prison (assuming the defendant does not have other prior §1030 convictions), wire fraud carries stiffer penalties and is punishable by a maximum of 20 years in prison, or 30 years if the violation affected a financial institution.

Historical Background
Although Section 1030(a)(4) bears similarities to the federal mail fraud statute and wire fraud statute. Section 1030(a)(4) does not have the same broad jurisdictional sweep as the mail and wire fraud statutes.

Damaging a Computer or Information: 18 U.S.C. §103(a)(5)
Criminals can cause harm to computers in a wide variety of ways. For example, an intruder who gains unauthorized access to a computer can send commands that delete files or shut the computer down. Alternatively, intruders can initiate a "denial of service attack" that floods the victim computer with useless information and prevents legitimate users from accessing it. In a similar way, a virus or worm can use up all of the available communications bandwidth on a corporate network, making it unavailable to employees. In addition, when a virus or worm penetrates a computer's security, it can delete files, crash the computer, install malicious software, or do other things that impair the computer's integrity. Section 1030(a)(5) can be used for all of these different kinds of acts.

Section 1030(a)(5) criminalizes a variety of actions that cause computer systems to fail to operate as their owners would like them to operate. Damaging a computer can have far-reaching effects. For example, a business may not be able to operate if its computer system stops functioning or it may lose sales if it cannot retrieve the data in a database containing customer information. Similarly, if a computer that operates the phone system used by police and fire fighters stops functioning, people could be injured or die as a result of not receiving emergency services. Such damage to a computer can occur following a successful intrusion, but it may also occur in ways that do not involve the unauthorized access of a computer system.

Title 18, United State Code, Section 1030(a)(5) provides:

"Whoever &mdash;


 * (5)(A)(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
 * (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
 * (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
 * (B) by conduct described in clause (i), (ii), or (iii) of subsection (A), caused (or, in the case of an attempted offense, would, if completed, have caused) (i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
 * (ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
 * (iii) physical injury to any person;
 * (iv) a threat to public health or safety; or
 * (v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security

shall be punished as provided in subsection (c) of this section."

The differences between the conduct criminalized by the three subsections of Section 1030(a)(5)(A) are important to note. That section criminalizes three different types of conduct, based on mental state and authority to access. In basic terms, subsection (5)(A)(i) prohibits anyone from knowingly damaging a computer (without authorization) while subsection (5)(A)(ii) prohibits unauthorized users from causing damage recklessly and subsection (5)(A)(iii) from causing damage negligently.

The latter two subsections require that the defendant "access" the computer without authorization. These criminal prohibitions hold intruders accountable for any damage they cause while intentionally trespassing on a computer, even if they did not intend to cause that damage.

By contrast, Section 1030(a)(5)(A)(i) requires proof only of the knowing transmission of something to damage a computer without authorization. The government does not need to prove "access." Because it is possible to damage a computer without "accessing" it, this element is easier to prove (except for the mental state requirement). For example, most worms and trojans spread though self-replication, without personally accessing the affected systems.

Subsection (a)(5)(A)(i): Knowingly causing the transmission of a program, information, code, or command to a protected computer
Section 1030(a)(5)(A)(i) prohibits knowingly causing the transmission of a "program, information, code, or command" and as a result of such conduct, intentionally causing damage to a protected computer. This subsection applies regardless of whether the offenders were authorized to use the victim computer system (an "insider"), not authorized to use it (an "outsider"), or even those who have never accessed the system at all.

The term "program, information, code, or command" broadly covers all transmissions that are capable of having any effect on a computer's operation. This includes software code, software commands, and network packets designed to exploit system vulnerabilities.

Courts have considered the question of what constitutes knowingly causing the "transmission" of a program, information, code, or command. In the ordinary case where the attacker releases a worm or initiates a denial of service attack, the government should easily meet this element of the crime. On the other hand, this subsection does not apply to "physical" acts that shut down a computer, such as flipping a switch to cut of the electrical supply, as they do not involve transmission of a program or command. Other criminal statutes may cover such conduct, however.

An attacker need not directly send the required transmission in order to violate this statute. In one case, a defendant inserted malicious code into a program he wrote to run on his employer's computer network. After lying dormant for four months, the malicious code activated and downloaded certain other malicious code to several hundred employee handheld computers, making them unusable. The court held that the defendant knowingly caused transmission of code in violation of the statute.

In the civil context, courts have taken the idea of transmission of code even further. In International Airport Centers, L.L.C. v. Citrin, the Seventh Circuit held that a civil complaint stated a claim when it alleged that the defendant copied a secure-erasure program to his (company-issued) laptop, and even said in dicta that it made no difference if the defendant copied the program over an Internet connection, from an external disk drive, or an internal disk drive. Similarly, in Shaw v. Toshiba America Information Systems, Toshiba manufactured computers with faulty software that improperly deleted data on diskettes used in their floppy drives, and Toshiba shipped the computers in interstate commerce. In that case, the court found that the shipment of the software by itself constituted its transmission for purposes of the statute.

Subsections (a)(5)(A)(ii) or (iii): Intentionally accessed a protected computer without authorization
Subsections 1030(a)(5)(A)(ii) and (iii) require proof that the defendant intentionally accessed a protected computer without authorization. These subsections do not include the phrase "exceeds authorized access." Thus, these subsections do not apply to authorized users of a computer who exceed their authorization ("insiders").

Courts have examined the question of what constitutes unauthorized access for purposes of subsections (a)(5)(A)(ii) and (iii). In many situations the unauthorized access is obvious, such as where an intruder exploits a vulnerability in the security of another person's computer and directly sends commands that cause damage. The courts have also held, however, that an actor may gain "unauthorized access" to a computer by indirect means, such as by releasing an automated, self-replicating program that penetrates the defenses of others' computers.<refSee United States v. Morris, 928 F.2d 504, 509-10 (2d Cir. 1991) (defendant obtained "unauthorized access" to computers by releasing a "worm" that copied itself onto many thousands of computers by exploiting security vulnerabilities and guessing passwords).

In ruling on civil suits under Section 1030(a)(5), some courts have expanded the idea of "unauthorized access" even further. For example, in one case, a company created an automated program to access its competitor's web server &mdash; a publicly available computer &mdash; in violation of the competitor's terms of use. Surprisingly, even though the company that created the automated program did not circumvent any security feature and could lawfully have accessed the site if it did so without using automated programs, the court held that this activity constituted "unauthorized access" for purposes of Section 1030(a)(5).

Cause Damage to the Protected Computer
Section 1030(a)(5) prohibits damaging a computer system. The statute requires only that the defendant's conduct "cause" damage in a computer. It is not necessary to prove that the damaged protected computer was the same computer that the defendant accessed. "Damage" is defined as "any impairment to the integrity or availability of data, a program, a system, or information." Although this definition is broad and inclusive, as the use of the word "any" suggests, the definition differs in some ways from the idea of damage to physical property. This definition contains several concepts that allow Section 1030(a)(5) to apply to a wide variety of situations.

First, "damage" occurs when an act impairs the "integrity" of data, a program, a system, or information. This part of the definition would apply, for example, where an act causes data or information to be deleted or changed, such as where an intruder accesses a computer system and deletes log files or changes entries in a bank database.

Similarly, "damage" occurs when an intruder changes the way a computer is instructed to operate. For example, installing keylogger software on a home computer can constitute damage. Damage also occurs if an intruder alters the security software of a victim computer so that it fails to detect computer trespassers. For example, in United States v. Middleton, part of the damage consisted of a user increasing his permissions on a computer system without authorization.

In addition to the impairment of the integrity of information or computer systems, the definition of damage also includes acts that simply make information or computers "unavailable." Intruders have devised ways to consume all of a computer's computational resources, effectively making it impossible for authorized users to make use of the computer even though none of the data or software has been modified. Similarly, a "denial-of-service attack" floods a computer's Internet connection with junk data, preventing legitimate users from sending or receiving any communications with that computer.


 * Example 1: Prior to the annual football game between rival schools, an intruder from one high school gains access to the computer system of a rival school and defaces the football team's website with graffiti announcing that the intruder's school was going to win the game.

In this example, the intruder has caused damage &mdash; the integrity of the information on the website has been impaired because viewers of the site will not see the information that the site's designers put there.


 * Example 2: An attacker configures several thousand computers to access the washingtonpost.com website at the same time in a coordinated denial of service attack. As a consequence, the site is jammed, and for approximately 45 minutes, ordinary web surfers find that the site will not load when they type its URL in their browsers.

This example also shows damage as defined by the CFAA. The attacker has, via a code or command, impaired the availability of the data on the website to its normal users.

In the computer network world, an intrusion &mdash; even a fairly noticeable one &mdash; can amount to a kind of trespass that causes no readily discoverable impairment to the computers intruded upon or the data accessed. Even so, such "trespass intrusions" often require that substantial time and attention be devoted to responding to them. In the wake of seemingly minor intrusions, the entire computer system is often audited, for instance, to ensure that viruses, back-doors, or other harmful codes have not been left behind or that data has not been altered or copied. Even adding false information to a computer can impair its integrity. In addition, holes exploited by the intruder are sometimes patched, and the network generally is resecured through a rigorous and time-consuming technical effort. This process can be costly and time-consuming.


 * Example 3: The system administrator of a local community college reviews server logs one morning and notes an unauthorized intrusion that occurred through a backdoor at about 3:30 in the morning. It appears to the administrator that the intruder accessed a student database that listed students' home addresses, phone numbers, and social security numbers. After calling the FBI, she and her staff spend several hours reviewing what occurred, devising patches for the vulnerabilities that were exploited, and otherwise trying to prevent similar intrusions from occurring again. Still, the result of the technical review is that no offending code can be found, and the network appears to function as before. In the two months after the intrusion, staff at the community college report no known alterations or errors in the student database. The cost of the employee time devoted to the review totaled approximately $7,500.

Although the intruder apparently did not make any alterations to the database and the system seems to work as it did before, in a few civil cases, courts have held that accessing and copying private data may cause damage to the data under the CFAA. In Shurgard Storage Centers, a self-storage company hired away a key employee of its main competitor. Before the employee left to take his new job, he emailed copies of computer files containing trade secrets to his new employer. In support of a motion for summary judgment as to the Section 1030(a)(5) count, the defendant argued that the plaintiff's computer system had suffered no "damage" as a consequence of a mere copying of files by the disloyal employee. The court, however, found the term "integrity" contextually ambiguous, and held that the employee did in fact impair the integrity of the data on the system &mdash; even though no data was "physically changed or erased" in the process &mdash; when he accessed a computer system without authorization to collect trade secrets.

Courts have made similar rulings in HUB Group, Inc. v. Clancy and I.M.S. Inquiry Management Systems v. Berkshire Information Systems.

Loss or Other Damage Listed in Section 1030(a)(5)(B)
Section 1030(a)(5) differentiates different types of conduct that cause damage. Section 1030(a)(5)(A) prohibits certain acts when accompanied by particular mental states, while Section 1030(a)(5)(B) requires the government to prove that a specific kind of harm resulted from those actions. A violation occurs only where an act meets the elements of both subsections.

Thus, in addition to proving one of the subsections of Section 1030(a)(5)(A), the government must also prove that one of the harms enumerated in Section 1030(a)(5)(B) resulted from the damage. These harms are: (1) at least $5,000 economic loss during a one-year period; (2) an actual or potential effect on medical care; (3) physical injury to a person; (4) a threat to public health or safety; or (5) damage to a computer used in the administration of justice, national defense, or national security. Importantly, the statute does not create a mental state with respect to these resulting harms. The government need not prove that the actor intended to cause any particular one of these harms, but merely that his conduct in fact caused the harm.

Economic Loss
Loss includes:


 * Response costs
 * Damage assessments
 * Restoration of data or programs
 * Wages of employees for these tasks
 * Lost sales from website
 * Lost advertising revenue from website

Loss might also include:


 * Harm to reputation or goodwill
 * Other costs if reasonable

Loss does not include:


 * Assistance to law enforcement

Of these enumerated harms, the most commonly charged is economic loss. The statute defines "loss" quite broadly: "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." This definition includes, for example, the prorated salary of a system administrator who restores a backup of deleted data, the prorated hourly wage of an employee who checks a database to make sure that no information in it has been modified, the expense of re-creating lost work, the cost of reinstalling system software, and the cost of installing security measures to resecure the computer to avoid further damage from the offender.

The definition of loss in Section 1030(e)(11) is not exclusive and does not preclude other types of financial setbacks that are not specifically listed from being counted toward the $5,000 threshold. Costs that are necessary to restore a system to its previous condition are included in any calculation of loss because they are specifically mentioned in Section 1030(e)(11). Although money that a victim spends to make a system better or more secure than it was prior to the intrusion may not qualify as "reasonable" in many cases, if the facts of your case suggest otherwise, you should argue to include them.

In meeting the $5,000 loss requirement, the government may aggregate all of the losses to all of the victims of a particular intruder that occur within a one-year period, so long as the losses result from a "related course of conduct." Thus, evidence showing that a particular intruder broke into a computer network five times and caused $1,000 loss each time would meet the statutory requirement, as would $1 loss to 5,000 computers caused by the release of a single virus or worm. In addition, Section 1030(e)(12) makes clear that for purposes of establishing loss, the victim can be any natural or legal "person," including corporations, government agencies, or other legal entities.

The statute does not impose a proximate causation requirement on loss or any other of the special harms listed in Section 1030(a)(5). Nonetheless, in the Middleton opinion the Ninth Circuit noted approvingly that the jury in that case was instructed that the losses claimed had to be a "natural and foreseeable result" of the damage. This opinion predates the inclusion of a definition of the term "loss" in Section 1030. However, given that the statutory definition was modeled on the one used in Middleton, prosecutors may be well-advised, if possible, to demonstrate that the losses used to reach the $5,000 threshold were proximately caused by their defendants' actions.

Because the costs associated with restoring a system to its prior condition are by virtue of the statute reasonable costs, victims should be encouraged to document them carefully. In the event that the intrusion was facilitated by the existence of some known vulnerability &mdash; e.g., the operating system had not been patched with the latest security updates &mdash; the victim may, understandably, be unwilling to expend funds to restore the system to a state where it is again vulnerable to intrusion. As noted above, however, the fact that a particular cost was incurred in an effort to improve the security of a system is not determinative of whether or not it is properly considered as loss. Rather, the statute defines loss to include "any reasonable cost to the victim."

Accordingly, the types of losses considered by courts "have generally been limited to those costs necessary to assess the damage caused to the plaintiff's computer system or to resecure the system."

"Loss" also includes such harms as lost advertising revenue or lost sales due to a website outage and the salaries of company employees who are unable to work due to a computer shutdown. In general, the cost of installing completely new security measures "unrelated to preventing further damage resulting from [the offender's] conduct," however, should not be included in the loss total.

At least one court has held that harm to a company's reputation and goodwill as a consequence of an intrusion might properly be considered loss for purposes of alleging a violation of Section 1030.

"Loss" calculations may not include costs incurred by victims primarily to aid the government in prosecuting or investigating an offense.

Medical Care
The second harm in Section 1030(a)(5)(B) relates to the "modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment or care of 1 or more individuals." This subsection provides strong protection to the computer networks of hospitals, clinics, and other medical facilities because of the importance of those systems and the sensitive data that they contain. This type of special harm does not require any showing of financial loss. Indeed, the impairment to computer data caused by an intruder could be minor and easily fixable while still giving rise to justified criminal liability. The evidence only has to show that at least one patient's medical care was at least potentially affected as a consequence of the intrusion.


 * Example: A system administrator of a hospital resigns her employment. Before she leaves, she inserts a malicious program into the operating system's code that, when activated one morning, deletes the passwords of all doctors and nurses in the labor and delivery unit. This damage prevents medical personnel from logging on to the computer system, making it impossible to access patients' medical records, charts, and other data. Another system administrator corrects the problem very quickly, restoring the passwords in ten minutes. No patients were in the labor and delivery unit during the incident.

The conduct in this example should satisfy the "medical" special harm provision. Even though nothing harmful actually occurred as a consequence of the impairment to the system in this case, it requires little imagination to conjure a different outcome where the inability to access the computer system would affect a doctor or nurse's ability to treat a patient. Provided that a medical professional can testify that a patient's treatment or care could potentially have been modified or impaired, the government can prove this harm.

Physical Injury
The third special harm occurs when the damage to a computer causes "physical injury to any person." Computer networks control many other vital systems in our society, such as air traffic control and 911 emergency telephone service. Disruption of these computers could directly result in physical injury.

One issue to consider is whether the chain of causation between the damaged computer and the injury is too attenuated for the court to hold the intruder criminally responsible. Although the statute does not explicitly require that the injury be proximately caused, courts have much experience in applying this sort of test in other areas of the law and might import the doctrine here. So long as there is a reasonable connection between the damaged computer and the injury, however, charging Section 1030(a)(5)(B)(iii) is appropriate. For example, suppose that an intruder succeeds in accessing an electric utility's computer system and shuts down power to a three-square-block area, causing the traffic lights to shut down, and a car accident results. If one of the drivers suffers back and neck injuries, the intruder could properly be convicted under this subsection.

Threats to Public Health or Safety
The fourth special harm is closely related to physical harm, but only requires a "threat" to public health or safety. Indeed, because the government need not prove actual physical harm to a person, this subsection applies to a wider range of circumstances. Today, computer networks control many of the nation's critical infrastructures, such as electricity and gas distribution, water purification, nuclear power, and transportation. Damage to the computers that operate these systems or their control and safety mechanisms can create a threat to the safety of many people at once.

Justice, National Defense, or National Security
Finally, the "special harm" requirement can be satisfied if the damage affects "a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security." In 2001, Congress added this subsection because this sort of damage can affect critically important functions &mdash; such as one intruder's attempt to access a court computer without authority and change his sentence &mdash; but may not be easily quantified in terms of economic loss under §1030(a)(5)(B)(i).

Here, "the administration of justice" includes court system computers, but would also appropriately extend to computers owned by state or federal law enforcement agencies, prosecutors, and probation offices. Similarly, computers used "in furtherance of . . . national defense, or national security" would include most computer networks owned by the Department of Defense. The statutory language does not require that the computer be owned or operated by the government &mdash; computers owned by a defense contractor, for example, could be "used . . . for" the military in furtherance of national security. At the same time, not every Defense Department computer is used "in furtherance" of the national defense. A computer at the cafeteria in the Pentagon might not qualify, for example.

Penalties
Section 1030(a)(5)(A) sets forth three mental states for the causing of damage, with varying penalty levels for each. Where the individual acts intentionally, the maximum sentence is ten years' imprisonment. If the individual accesses a protected computer without authorization and recklessly causes damage under subsection (5)(A)(ii), the maximum sentence is five years in prison. In either case, if the offense follows a conviction for any crime under Section 1030, the maximum sentence rises to 20 years' imprisonment. If the attacker accesses a computer without authorization and causes damage with no culpable mental state (i.e., accidentally or negligently), the crime is a misdemeanor with a maximum penalty of one year imprisonment. But, violations of Section 1030(a)(5)(A)(iii) that follow a previous conviction under Section 1030 result in a ten year maximum penalty.

In 2002, Congress added an additional sentencing provision that raised the maximum penalties for certain of these crimes that result in serious bodily injury or death. If the offender intentionally damages a protected computer under §1030(a)(5)(A)(i) and "knowingly or recklessly causes or attempts to cause serious bodily injury," the maximum penalty rises to 20 years' imprisonment, and where the offender knowingly or recklessly causes or attempts to cause death, the court may impose life in prison.

Relation to Other Statutes
In many cases, intruders cause damage to systems even though their primary intent is to steal information or commit a fraud in violation of Sections 1030(a)(2) or (a)(4). For example, intruders commonly try to make it difficult for system administrators to detect them by erasing log files that show that they accessed the computer network. Deleting these files constitutes intentional "damage" for purposes of Section 1030(a)(5). Similarly, intruders commonly modify system programs or install new programs to circumvent the computer's security so that they can access the computer again later. This activity impairs the integrity of the computer and its programs and therefore meets the damage requirement. As long as the government can meet one of the other requirements under §1030(a)(5)(B) &mdash; such as $5,000 in loss, or damage that affects a computer used in furtherance of the national defense &mdash; a charge under §1030(a)(5) is appropriate in addition to any other charges under §1030.

Prosecutors should also consider Section 1030(a)(5) in cases where an individual breaks into a federal government computer in violation of §1030(a)(3), a misdemeanor. If the act causes damage, as well as causes one of the enumerated harms, prosecutors may be able to charge one of the felony offenses in §1030(a)(5).

When faced with conduct that damages a protected computer, prosecutors should also consider several other statutes that punish the same conduct when particular circumstances are present. For example, where the criminal act causes damage to a computer for communications that is "operated or controlled by the United States," or "used or intended to be used for military or civil defense functions," prosecutors should consider charging 18 U.S.C. §1362 &mdash; a ten-year felony.

Historical Background
Prior to the USA PATRIOT Act, the CFAA contained no definition of loss. The definition was left to the purview of the courts.

In United States v. Middleton, the Ninth Circuit was asked to rule upon the question of how to define the term "loss" in establishing a violation of Section 1030(a)(5). In that case, the defendant was accused of gaining unlawful access to an ISP's computer network, changing administrative passwords, altering the computer's registry, and deleting several databases. Two employees of the ISP spent an entire weekend repairing the damage and restoring data, and spent many additional hours investigating the source and extent of the damage that was caused. In addition, the ISP hired an outside consultant for technical support, and purchased some new software to replace some that the defendant had deleted. The government contended that all of these expenses together constituted a total loss of $10,092 to the victim ISP &mdash; though employee time computed at an hourly rate based on their respective annual salaries made up the bulk of that amount.

The jury rendered a guilty verdict and the defendant challenged the sufficiency of the evidence because the trial court had permitted employee time to be included in the "loss" calculation, without which the $5,000 threshold would not have been reached. The appellate court upheld the conviction, finding no abuse of discretion in the district court's broad definition of "loss." In particular, the appellate court upheld the district court's jury instructions, which stated that the jury "may consider what measures were reasonably necessary to restore the data, program, system, or information that was damaged or what measures were reasonably necessary to resecure the data, program, system, or information from further damage." The jury instructions also stated that the jury "may consider any loss that was a natural and foreseeable result of any damage that occurred."

The USA PATRIOT Act essentially adopted the Middleton court's definition of loss in 18 U.S.C. §1030(e)(11). The term "loss" is now defined by statute to include "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." The government must still prove that the costs incurred are reasonable ones.

Trafficking in Passwords: 18 U.S.C. §1030(a)(6)
Section 1030(a)(6) prohibits a person from knowingly and with intent to defraud trafficking in computer passwords and similar information when the trafficking affects interstate or foreign commerce, or when the password may be used to access without authorization a computer used by or for the federal government. First offenses of this section are misdemeanors.

Title 18, United States Code, Section 1030(a)(6) provides:

"Whoever &mdash;
 * (6) Knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if
 * (A) such trafficking affects interstate or foreign commerce; or
 * (B) such computer is used by or for the Government of the United States.

shall be punished as provided in subsection (c) of this section."

Trafficking
The term "traffic" in Section 1030(a)(6) is defined by reference to the definition of the same term in 18 U.S.C. §1029, which means "transfer, or otherwise dISPose of, to another, or obtain control of with intent to transfer or dISPose of." A profit motive is not required. However, the definition excludes mere possession of passwords if the defendant has no intent to transfer or dISPose of them. Similarly, personal use of an unauthorized password is not a violation of Section 1030(a)(6), although it may be a violation of other provisions under Section 1030 that apply to unauthorized access to computers or of section 1029.

Password or Similar Information
The term "password" does not mean just a single word or phrase that enables one to access a computer. The statute prohibits trafficking in passwords or similar information:

"The Committee recognizes that a "password" may actually be comprised of a set of instructions or directions for gaining access to a computer and intends that the word "password" be construed broadly enough to encompass both single words and longer more detailed explanations on how to access others' computers."

Therefore, prosecutors should apply the term "password" using a broad meaning to include any instructions that safeguard a computer. Pass phrases, codes, user names, or any other method or combination of methods by which a user is authenticated to a computer system may qualify as a password under Section 1030(a)(6).

Knowingly and With Intent to Defraud
This phrase is the same as in Section 1030(a)(4) above.

Trafficking Affects Interstate or Foreign Commerce
For a violation of subsection (A), the trafficking must affect interstate or foreign commerce. The phrase "affects interstate or foreign commerce" is not statutorily defined or interpreted in case law. However, courts have typically construed this requirement expansively when interpreting other statutes that require a certain conduct to affect interstate or foreign commerce. For example, the United States Court of Appeals for the Ninth Circuit held that a defendant's illicit possession of out-of-state credit card account numbers is an offense "affecting interstate or foreign commerce" within the meaning of Section 1029. In a similar vein, the United States Court of Appeals for the Sixth Circuit held that a fraudulent credit card transaction affects interstate commerce for purposes of section 1029, inasmuch as banking channels were used for gaining authorization for the charges.

Computer Used By or For the U.S. Government
To prove a violation of subsection (B), the password or similar information must be for accessing without authorization a computer used by or for the federal government. Reference to a computer "used by or for the Government of the United States" (also found in Section 1030(a)(3)) is not defined by statute or case law, but by its plain meaning should encompass any computer used for official business by a federal government employee or on behalf of the federal government.

Penalties
Violations of Section 1030(a)(6) are misdemeanors punishable by a fine or a one-year prison term for the first offense. If the defendant has a previous conviction under Section 1030, the maximum sentence increases to ten years' imprisonment.

Relation to Other Statutes
Given the shared statutory definition, Section 1030(a)(6) cases often overlap with access device cases under section 1029. passwords are also access devices under Section 1029.

Historical Background
Congress enacted Section 1030(a)(6) in 1986 as a "misdemeanor offense aimed at penalizing conduct associated with 'pirate bulletin boards,' where passwords are displayed that permit unauthorized access to others' computers."

Threatening to Damage a Computer: 18 U.S.C. §1030(a)(7)
Section 1030(a)(7), which prohibits extortion threats to damage a computer, is the high-tech variation of old-fashioned extortion. This section applies, for example, to situations in which intruders threaten to penetrate a system and encrypt or delete a database. Other scenarios might involve the threat of distributed denial of service attacks that would shut down the victim's computers. Section 1030(a)(7) enables the prosecution of modern-day extortionists who threaten to harm or damage computer networks &mdash; without causing physical damage &mdash; unless their demands are met.

Title 18, United States Code, Section 1030(a)(7) provides:

"Whoever &mdash;
 * (7) With intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer . . . shall be punished as provided in subsection (c) of this section."

Intent to Extort Money or Other Thing of Value
In order to prove the "intent to extort" element, it is not necessary to prove that the defendant actually succeeded in obtaining the money or thing of value, or that the defendant actually intended to carry out the threat made. Extortion generally refers to the intent to obtain money or other thing of value with a person's consent induced by the wrongful use of actual or threatened fear, violence, or force.

Transmit Communication In Interstate or Foreign Commerce
The extortion threat must be transmitted in interstate or foreign commerce. However, the threat need not be sent electronically. Rather, the statute covers "any interstate or international transmission of threats against computers, computer networks, and their data and programs where the threat is received by mail, a telephone call, electronic mail, or through a computerized messaging service."

Threat to Cause Damage to a Protected Computer
The term "damage" is defined in Section 1030(e)(8) and is discussed in the context of Section 1030(a)(5) above. Unlawful threats to cause damage include interference in any way with the normal operation of the computer or system in question, including denying access to authorized users, erasing or corrupting data or programs, slowing down the operation of the computer or system, or encrypting data and demanding money for the decryption key. In contrast, unlawful threats to the business that owns the computer system, such as threats to reveal flaws in the network, or reveal that the network has been hacked, are not threats to a protected computer under Section 1030(a)(7). However, a threat to a business, rather than to a protected computer, is a classic example of a violation of the Hobbs Act.

Penalties
A violation of Section 1030(a)(7) is punishable by a fine and up to five years in prison. 18 U.S.C. §1030(c)(3)(A). If the defendant has a previous conviction under Section 1030, the maximum sentence increases to 10 years' imprisonment. .

Relation to Other Statutes
The elements of Section 1030(a)(7) generally parallel the elements of a Hobbs Act, interference with commerce by extortion) violation with some important differences. First, the intent to extort from any person money or other thing of value is the same under Section 1030(a)(7) and under section 1951. However, in contrast to section 1951, Section 1030(a)(7) does not require proof that the defendant delayed or obstructed commerce. Proving that the threat was transmitted in interstate or foreign commerce is sufficient.

At least one case has recognized the similarities between the two statutes. In United States v. Ivanov, the defendant hacked into the victim's network and obtained root access to the victim's servers. He then proposed that the victim hire him as a "security expert" to prevent further security breaches, including the deletion of all of the files on the server. Without much discussion, the court determined that the analysis under Section 1030(a)(7) was the same as that for the Hobbs Act.

Historical Background
Congress added Section 1030(a)(7) to the CFAA in 1996 to fill perceived gaps in the application of existing anti-extortion statutes:

"These cases, although similar in some ways to other cases involving extortionate threats directed against persons or property, can be different from traditional extortion cases in certain respects. It is not entirely clear that existing extortion statutes, which protect against physical injury to persons or property, will cover intangible computerized information."

For example, the "property" protected under existing laws, such as the Hobbs Act, 18 U.S.C. §1951 (interference with commerce by extortion) or 18 U.S.C. §875(d) (interstate communication of a threat to injure the property of another), does not clearly include the operation of a computer, the data or programs stored in a computer or its peripheral equipment, or the decoding keys to encrypted data. }}

Legislative History
From 1996 until the passage of the USA PATRIOT Act in 2001, Section 1030(e)(8) had defined "damage" to mean:

"any impairment to the integrity or availability of data, a program, a system, or information, that (A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals; (B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals; (C) causes physical injury to any person; or (D) threatens public health or safety. . .."

Under that version of the statute &mdash; the version that was in effect at the time of the Shurgard decision &mdash; a violation of Section 1030(a)(5) required that damage be proved in one of four ways; proving loss in excess of $5,000 was one of the ways of proving damage.

An earlier version of the statute that was in effect between 1994 and 1996, required proof of both "damage" and "loss" to show a violation of Section 1030. }}

Congress amended the statute in 1996 to the version that was in effect at the time of the Shurgard decision. The 1996 amendments changed the definition of "damage" as set forth above to mean impairment that causes loss or other harms. As the Shurgard opinion noted, in the 1996 amendments Congress equated damage and loss to address situations wherein monetary loss might be demonstrated but other forms of damage might be difficult to demonstrate. In the Senate Report accompanying the 1996 amendments to the statute, Congress gave the following example as justification for the change:

"The 1994 amendment required both "damage" and "loss," but it is not always clear what constitutes "damage." For example, intruders often alter existing log-on programs so that user passwords are copied to a file which the intruders can retrieve later. After retrieving the newly created password file, the intruder restores the altered log-on file to its original condition. Arguably, in such a situation, neither the computer nor its information is damaged. Nonetheless, this conduct allows the intruder to accumulate valid user passwords to the system, requires all system users to change their passwords, and requires the system administrator to devote resources to securing the system. Thus, although there is arguably no "damage," the victim does suffer "loss." If the loss to the victim meets the required monetary threshold, the conduct should be criminal, and the victim should be entitled to relief. The bill therefore defines "damage" in new subsection 1030(e)(8), with a focus on the harm that the law seeks to prevent."

According to this view, Congress wanted to recognize a criminal or civil cause of action when a victim incurred significant response costs as a result of an intrusion, even where no data was changed and the computer functioned as before. Accordingly, Congress defined "damage" to include the causation of loss in excess of a certain threshold amount ($5,000) or other special harms, such as physical injury to any person. With this understanding, the password sniffer example in the Senate Report, as well as the community college intrusion example discussed on page 36, were each likely subject to prosecution from 1996 through 2001 provided the $5,000 monetary threshold of "loss" was met.

Attempt (18 U.S.C. §1030(b))
Subsection 1030(b) makes it a federal crime to attempt to violate any of the paragraphs of subsection 1030(a). Subsection 1030(b) states in its entirety:

"Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section."

The subsection dates from the original enactment and evokes no comment in the legislation history other than the notation of its existence. This is not particularly unusual. There is no general federal attempt statute, but Congress has elected to penalize attempts to commit many individual federal crimes. A body of case law has grown around them that provides a common understanding of their general dimensions. Thus, as a general rule, in order to convict a defendant of attempt, the government must prove beyond a reasonable doubt that, acting with the intent required to commit the underlying offense, the defendant took some substantial step towards the commission of the underlying offense that strongly corroborates his criminal intent. Mere preparation does not constitute a substantial step. The line between preparation and a substantial step towards final commission depends largely upon the facts of a particular case, and the courts have offered varying descriptions of its location.