Two Recent Changes to the CFAA

The National Information Infrastructure Protection Act of 1996 (S. 982, 104th Cong.)
This amendment to the CFAA was prompted by the continued increase of computer-based crime. Thus, in 1986, the CFAA was significantly amended to take on an early form of the modern CFAA. The 1986 amendment recognized that legislation of computer crime could take two paths: “comb[ing] through the entire United States Code, identifying and amending every statute potentially affected by the implementation of new computer and telecommunications technologies” or “focus[ing] substantive amendments on the Computer Fraud and Abuse Act to specifically address new abuses that spring from the misuse of new technologies.” [1] By choosing the latter, Congress hoped to provide one “go to” statute that prosecutors and legislators could use for computer crime, one that would simplify prosecution and gather computer crime convictions in one place so that more data can be collected about the extent of such crime. (id.)

On this premise, the CFAA was expanded. Section 1030(a)(1) was changed so that the maximum penalty was increased from 10 years to life. Subsection (a)(3) was expanded to cover government insiders as well as outsiders. Subsection (a)(5) was significantly changed to establish three offenses: (1) intentional damage to a computer by knowingly transmitting a harmful program; (2) intentional access to a computer without authorization, recklessly causing damage; and (3) intentional access to a computer without authorization, negligently causing damage. (id.) Offenses (1) and (2) are classified as felonies and (3) as a misdemeanor. Significantly, this allowed even authorized users to be criminalized if they intend to cause damage. The definition of “damage” was also expanded to include any impairment to the availability or integrity of data and systems. (id.) While this made the meaning of damage vague, the amendment compromised by raising the threshold of “significant financial losses” from $1000 to $5000.

U.S.A. PATRIOT Act [2]
The PATRIOT Act further expanded the reach of the CFAA in response to government fears of “cyber terrorism.” Caveats were provided for the $5000 threshold set by the 1996 amendments. The damage threshold was waived in Subsection (c)(2)(C) if a hacker damages a computer “used by or for a government entity in furtherance of the administration of justice, national defense, or national security.” [3] The Act also allowed attacks on multiple computers to be aggregated under subsection (c) and counted together in reaching the $5000 threshold. This meant that a relatively harmless virus, if sent to enough computers, could possibly reach the $5000 threshold even if the actual effect on any one computer is minimal. Along with broadening the reach of the CFAA, this amendment also raised the maximum penalties for first-time and repeat offenders from 5 and 10 years to 10 and 20 years, respectively. (id.)


~ by alyssaufl on January 11, 2010.

2 Responses to “Two Recent Changes to the CFAA”

  1. […] intentions over time. Originally intended to combat hackers, the CFAA has now expanded, with each amendment, to reach employees accessing files on company computers and accessing of open wireless […]

  2. […] CFAA Overbreadth: Employee-Employer Issues The CFAA was created with hackers in mind, yet it has been increasingly used by companies to file civil actions against ex-employees. Subsection (g) provides civil remedies for “any person who suffers damage or loss by reason of a violation of this section.” Since the 1996 amendments, the CFAA now reaches virtually any computer and also applies to “insiders” working within a company or organization. […]
