22 March 2012
Among its various provisions, the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, subjects a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer” to criminal penalties (§ 1030(a)(2)(C), (c)). Section 1030(a)(4) also prohibits “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value….” A “protected computer” is one used in or affecting interstate commerce (§ 1030(e)(2)(B)). The phrase “without authorization” is not defined in the statute, but “exceeds authorized access” is defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter” (§ 1030(e)(6)). While a criminal statute, civil suits may be brought under the CFAA in certain circumstances.