In Forcecross-sector18 U.S.C. § 1030
Computer Fraud and Abuse Act
Also known as: CFAA
The CFAA is the primary US federal law criminalizing unauthorized computer access and computer-related fraud. It applies to any "protected computer" — essentially any computer connected to the internet. Organizations use it to pursue civil remedies against hackers and insiders who exceed authorized access. The law has been controversial for its broad scope and has been used in cases ranging from nation-state hacking to employee misuse of employer systems.
Jurisdiction
United States (Federal)
Regulator
—
Effective
10/16/1986
Sector
cross-sector
Full Text / Summary
The CFAA was enacted in 1986 and has been amended multiple times. It creates criminal liability for: (1) unauthorized access to obtain national security information; (2) unauthorized access to financial records or government computers; (3) unauthorized access to any protected computer to obtain information; (4) computer fraud; (5) knowingly causing damage to protected computers; (6) trafficking in passwords; and (7) threatening to damage computers for extortion. The "exceeds authorized access" provision has been interpreted broadly and narrowly by different courts, creating uncertainty for organizations. The Supreme Court's 2021 Van Buren decision narrowed the scope, holding that the provision applies only to those who obtain information they are not entitled to access, not those who misuse legitimately accessed information.