What is the Computer Fraud and Abuse Act?

The Computer Fraud and Abuse Act is a United States federal law prohibiting the unauthorized access or use of protected computers. Created by Congress in 1986 in response to the growing popularity of computers, the law has been subject to numerous modifications since its inception. Penalties for violating it are quite strict, with up to 20 years in jail possible for some violations.

The scope of the Computer Fraud and Abuse Act is limited to certain types of computers that the government deems worthy of protection. In the initial act, protection was limited mainly to computers intended for government use. Later provisions expanded this definition to include computers used by financial institutions and computer systems both inside the US and abroad that are used in interstate commerce and communication.

Courts have long wrangled over the vagueness the law displays in defining “unauthorized” or “authorized” use of a computer. Several important legal questions have been raised by this controversy, including at what point a former employee's authorization to use a computer system expires. Though case law has varied, it is generally held that authorization expires when the employee begins working for a rival company, and thus could use information garnered through a former employer's computer system to help one of its competitors. In one significant case, LVRC Holdings LLC v. Brekka, the 9th Circuit Court of Appeals threw out some earlier rulings to insist that authorization cannot be revoked while an employee remains working for the company, even if he or she uses obtained data to assist a competitive business.

In addition to protecting information, such as national security data or trade secrets, the Computer Fraud and Abuse Act also protects against using a protected computer to commit fraud or unlawfully obtain items of value. This may include altering or deleting records or using information gained to commit fraud. Punishments for this type of violation may include up to five years in prison, fines, and seizure of any goods or items obtained through fraudulent activities.

The provisions of the Computer Fraud and Abuse Act remain in constant flux, thanks to the ever-changing atmosphere of the computer world. When conceived in the 1980s, governments were only just beginning to use computers in daily activities, and the private sector had barely begun to glimpse the capacity of computer innovation. As rules and boundaries about privacy and protected information continue to shift, it is likely that the law will continue to see regular additions and alterations in the future.