OVERVIEW OF CRIMINAL PROSECUTIONS FOR UNAUTHORIZED ACCESS TO A COMPUTER AND EXCEEDING AUTHORIZATION TO ACCESS A COMPUTER IN VIOLATION OF FEDERAL LAW
By John Teakell
What is Computer Fraud and Abuse?
The Computer Fraud and Abuse Act (CFAA) is codified at Title 18 U.S.C. Section 1030(a), and it lists offenses for federally prosecuted computer crimes, the common charges being Unauthorized Access to a Computer and Exceeding Authorization to a Computer. An allegation of accessing a computer without authorization can take different variations within the charges. These include: (1) with the intent to harm the United States or for the benefit of a foreign country; (2) to obtain protected financial or credit information; (3) with intent to defraud; (4) to intentionally damage a computer; and (5) accessing a computer that is exclusively for government use.
An Indictment (formal charge) can also be brought against someone for exceeding the authorization the person has been given for the subject computer or computer network. That is, even though the person being investigated or prosecuted may have been given general authorization and a log-in and password to access the computer or computer system, they may be restricted from accessing sensitive information or certain financial data, and thus were not given authorization to access that information or those files.
An Indictment with the allegation of exceeding one’s authorization can be a specific allegation based upon the facts of the particular case, and it can contain the variations of alleged intentions of the defendant as listed in the first paragraph above, from 18 U.S. Code §1030.
Computer Fraud Charges
An offense of Unauthorized Access to a Computer, or Exceeding Access to a Computer, would naturally be charged as such pursuant to 18 U.S. Code, Section 1030, although in theory it could also be prosecuted as a Conspiracy to Commit Fraud or as Wire Fraud.
Practical Aspects of Prosecution
People are prosecuted in federal court by the U.S. Attorney’s Office for Unauthorized Access to a Computer, and for Exceeding Authorized Access to a Computer, when they access sensitive information, financial data, confidential company information, etc., that they have not been given the authority to obtain or use. Hackers who get into a computer network and obtain these types of information are also prosecuted under this federal statute.
Statutes for Computer Fraud Violations
Parts of the statute used to prosecute computer-access violations in federal court, 18 U.S. Code §1030, are listed here:
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
Similar State Statute
A similar Texas state charge for unauthorized access to a computer, or exceeding one’s authorized access to a computer, is found in Title 7, Chapter 33 of the Texas Penal Code, titled “Computer Crimes.” Specifically, the charge comparable to the federal statute is Breach of Computer Security, §33.02 of Title 7, Texas Penal Code. This statute reads:
(a) A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.
(b) An offense under Subsection (a) is a Class B misdemeanor, except that the offense is a state jail felony if:
(1) the defendant has been previously convicted two or more times of an offense under this chapter; or
(2) the computer, computer network, or computer system is owned by the government or a critical infrastructure facility.
(b-1) A person commits an offense if with the intent to defraud or harm another or alter, damage, or delete property, the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.
(b-2) An offense under Subsection (b-1) is:
(1) a state jail felony if the aggregate amount involved is less than $20,000;
(2) a felony of the third degree if the aggregate amount involved is $20,000 or more but less than $100,000;
(3) a felony of the second degree if:
(A) the aggregate amount involved is $100,000 or more but less than $200,000;
(B) the aggregate amount involved is any amount less than $200,000 and the computer, computer network, or computer system is owned by the government or a critical infrastructure facility; or
(C) the actor obtains the identifying information of another by accessing only one computer, computer network, or computer system; or
(4) a felony of the first degree if:
(A) the aggregate amount involved is $200,000 or more; or
(B) the actor obtains the identifying information of another by accessing more than one computer, computer network, or computer system.
(c) When benefits are obtained, a victim is defrauded or harmed, or property is altered, damaged, or deleted in violation of this section, whether or not in a single incident, the conduct may be considered as one offense and the value of the benefits obtained and of the losses incurred because of the fraud, harm, or alteration, damage, or deletion of property may be aggregated in determining the grade of the offense.
(d) A person who is subject to prosecution under this section and any other section of this code may be prosecuted under either or both sections.
(e) It is a defense to prosecution under this section that the person acted with the intent to facilitate a lawful seizure or search of, or lawful access to, a computer, computer network, or computer system for a legitimate law enforcement purpose.