Computer Fraud and Abuse Act
The
Computer Fraud and Abuse Act is a law passed by the
United States Congress in 1986 intended to reduce "hacking" of commercial computer systems. It was amended in
1994,
1996 and in
2001 by the
USA PATRIOT Act.
The USA PATRIOT Act increased the scope and penalties of this act by:
- raising the maximum penalty for violations to 10 years (from 5) for a first offense and 20 years (from 10) for a second offense
- ensuring that violators only need to intend to cause damage generally, not intend to cause damage or other specified harm over the $5,000 statutory damage threshold
- allowing aggregation of damages to different computers over a year to reach the $5,000 threshold
- enhancing punishment for violations involving any (not just $5,000) damage to a government computer involved in criminal justice or the military
- including damage to foreign computers involved in US interstate commerce
- including state law offenses as priors for sentencing
- expanding the definition of loss to expressly include time spent investigating and responding for damage assessment and for restoration.
Decisions referring to this act
- [1] Theofel v. Farey Jones, 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit). Using a civil subpoena which is “patently unlawful”, “bad faith” and “at least gross negligence” to gain access to stored email is a breach of this act and the Stored Communications Act.