
Computer Fraud & Abuse Act (CFAA)

Updated May 12, 2026

The Computer Fraud and Abuse Act is the primary federal law criminalizing hacking and unauthorized computer access. Enacted in 1986 and amended multiple times since, 18 U.S.C. § 1030 makes it a crime to access a "protected computer" without authorization or to exceed your authorized access — covering everything from breaking into government systems and stealing trade secrets to launching ransomware attacks and trafficking in passwords — intersecting with broader data privacy law. The CFAA also provides a civil cause of action, allowing victims of computer fraud to sue for damages. With virtually every internet-connected device qualifying as a "protected computer," the CFAA touches nearly every area of modern digital life.

Current Law (2026)

Governing statute: 18 U.S.C. § 1030
Protected computers: Any computer used in or affecting interstate or foreign commerce (effectively all internet-connected devices)
Key prohibitions: Unauthorized access to government/financial computers, obtaining information, damaging computers, trafficking in passwords, extortion via computer
Civil action: Victims may sue for compensatory damages and injunctive relief
Felony thresholds: Prior CFAA conviction, intent to defraud, damage over $5,000, government/financial computers
Maximum sentences: 5-20 years depending on offense and prior conviction (1 year for misdemeanors)
Damage threshold for prosecution: $5,000 aggregate in any 1-year period (for many subsections)
"Exceeds authorized access": After Van Buren (2021), accessing information for unauthorized purposes using authorized credentials is NOT a violation
  • 18 U.S.C. § 1030(a)(1) — Classified information (accessing classified government information through unauthorized computer access)
  • 18 U.S.C. § 1030(a)(2) — Obtaining information (accessing a protected computer and obtaining information without authorization or exceeding authorization — the most commonly charged provision)
  • 18 U.S.C. § 1030(a)(4) — Fraud and value (accessing a protected computer with intent to defraud and obtaining anything of value)
  • 18 U.S.C. § 1030(a)(5) — Damage to computers (knowingly causing damage through unauthorized transmission of programs, information, code, or commands — covers malware, ransomware, DDoS attacks)
  • 18 U.S.C. § 1030(a)(6) — Password trafficking (knowingly trafficking in passwords or similar access credentials with intent to defraud)
  • 18 U.S.C. § 1030(a)(7) — Extortion (threatening to damage a computer or obtain/release information to extort money or value — covers ransomware demands)
  • 18 U.S.C. § 1030(g) — Civil action (any person who suffers damage or loss by reason of a CFAA violation may bring a civil action for compensatory damages and injunctive relief)

How It Works

The CFAA's reach depends on two threshold concepts: "protected computer" and "without authorization or exceeding authorized access."

A protected computer is defined so broadly that it covers virtually any device connected to the internet. The definition includes any computer "used in or affecting interstate or foreign commerce or communication" — which, in the internet age, means your laptop, your phone, a corporate server, a government database, a hospital network, or an IoT thermostat. This expansive definition ensures the CFAA can reach any computer-based crime.

"Without authorization" is straightforward: you had no right to access the computer at all. "Exceeds authorized access" was historically more controversial — prosecutors argued it covered employees who had legitimate access to a computer system but used it for unauthorized purposes (accessing files outside their job duties, using employer databases for personal benefit). The Supreme Court narrowed this in Van Buren v. United States (2021), holding that "exceeds authorized access" covers only those who access information located in areas of the computer they are not entitled to access — not those who access information for an improper purpose. This decision significantly limited the CFAA's reach in the employment context.

The criminal provisions range from misdemeanors (first-offense unauthorized access obtaining information, carrying up to 1 year) to serious felonies (causing damage to critical infrastructure computers, carrying up to 20 years with a prior CFAA conviction). Damage must typically exceed $5,000 in aggregate over any 1-year period for most prosecution categories — a threshold easily met by incident response costs, system downtime, and remediation expenses.

The civil cause of action (§ 1030(g)) lets victims sue in federal court for compensatory damages and injunctive relief. This has been used by companies against former employees who take data, competitors who scrape websites, and victims of hacking. After Van Buren, the scope of civil CFAA claims has narrowed — data scraping cases and employee-misuse cases are now harder to bring under the CFAA.

How It Affects You

If you use the internet, the CFAA draws the line between ordinary digital activity and federal computer crime. The most important boundary for everyday users: accessing an account that isn't yours — even with shared credentials — can constitute unauthorized access under § 1030(a)(2). Sharing passwords to streaming services may technically implicate the CFAA (Netflix, for example, explicitly prohibits account sharing), though DOJ does not prosecute routine password sharing. What clearly qualifies as a crime: logging into someone else's email or social media account without permission (even a former partner's), accessing a workplace system after being fired (your access was terminated with your employment), or guessing/cracking passwords to access any protected account. The Van Buren v. United States (2021) Supreme Court ruling significantly narrowed the "exceeds authorized access" prong: if you have legitimate access to a computer system, using that access for an unauthorized purpose (say, looking up personal information in a work database for personal reasons) is generally not a CFAA violation — but accessing files or areas you're not entitled to access at all still is. For victims of account compromise: report to the FBI's Internet Crime Complaint Center (ic3.gov) and your local FBI field office; CFAA crimes are a federal priority, particularly for ransomware and identity theft.

If you work in IT, security, or hold elevated access privileges at your employer, the post-Van Buren CFAA landscape clarified your risk profile. Under Van Buren, a database administrator who queries employee records outside their job function for personal reasons doesn't automatically commit a CFAA offense if they were authorized to access those records — but if they access a system partition they were never authorized to enter, that's still unauthorized access. The practical implication: role-based access controls matter both for compliance and for limiting CFAA exposure (your employees can't be found liable for accessing what they're not allowed to access if you've configured the system to block it). The CFAA's $5,000 aggregate damage threshold — the minimum required for most criminal prosecutions — is easily met by any meaningful security incident (incident response alone typically costs far more). For terminating employees with IT access: revoke credentials immediately upon separation; continued access after termination is classic CFAA territory regardless of Van Buren.
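The two controls the paragraph above recommends, role-based gates on data partitions and immediate revocation at separation, can be made concrete in code. The following is an added example, not code from the page or from any particular product; the role names, partitions, and user accounts are constructed for illustration, and the gate also writes an audit record for every decision so that denied attempts (including post-termination ones) are visible to the security team.

```python
"""Added example: a minimal access gate with role-based partition checks,
audit logging, and account revocation at separation.

The policy below is constructed for the example. The point it shows is
the one the text makes: the system decides which partitions a role may
reach, and an account that has been disabled is denied regardless of
the roles it used to hold, with the attempt recorded for review.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy: which roles may read which data partitions.
PARTITION_ROLES: Dict[str, Set[str]] = {
    "hr_records": {"hr_admin", "dba"},
    "payroll": {"payroll_admin", "dba"},
    "engineering_wiki": {"engineer", "dba"},
}


@dataclass
class Account:
    username: str
    roles: Set[str]
    disabled_at: Optional[datetime] = None  # set when the person separates


@dataclass
class AccessGate:
    accounts: Dict[str, Account]
    audit_log: List[dict] = field(default_factory=list)

    def decide(self, username: str, partition: str,
               now: Optional[datetime] = None) -> Tuple[str, str]:
        """Return ("allow"|"deny", reason) and record the decision."""
        now = now or datetime.now(timezone.utc)
        acct = self.accounts.get(username)
        if acct is None:
            decision = ("deny", "unknown account")
        elif acct.disabled_at is not None and now >= acct.disabled_at:
            decision = ("deny", "account disabled")
        elif partition not in PARTITION_ROLES:
            decision = ("deny", "unknown partition")
        elif acct.roles & PARTITION_ROLES[partition]:
            decision = ("allow", "role permits partition")
        else:
            decision = ("deny", "role does not permit partition")
        # Every decision is logged: denials are the events worth alerting on.
        self.audit_log.append({
            "time": now.isoformat(), "user": username,
            "partition": partition, "decision": decision[0],
            "reason": decision[1],
        })
        return decision

    def check(self, username: str, partition: str,
              now: Optional[datetime] = None) -> bool:
        return self.decide(username, partition, now)[0] == "allow"

    def offboard(self, username: str, when: Optional[datetime] = None) -> None:
        """Revoke access at separation: disable the account and drop roles."""
        acct = self.accounts[username]
        acct.disabled_at = when or datetime.now(timezone.utc)
        acct.roles = set()
        self.audit_log.append({
            "time": acct.disabled_at.isoformat(), "user": username,
            "partition": None, "decision": "revoke", "reason": "separation",
        })

    def post_termination_attempts(self) -> List[dict]:
        """Audit entries for access tried after an account was disabled."""
        return [e for e in self.audit_log
                if e["decision"] == "deny" and e["reason"] == "account disabled"]


def build_example_gate() -> AccessGate:
    """Constructed accounts for the example."""
    return AccessGate(accounts={
        "alice": Account("alice", {"hr_admin"}),
        "bob": Account("bob", {"engineer"}),
    })


if __name__ == "__main__":
    gate = build_example_gate()
    print(gate.decide("alice", "hr_records"))   # allowed by role
    print(gate.decide("alice", "payroll"))      # denied: outside her role
    gate.offboard("alice")
    print(gate.decide("alice", "hr_records"))   # denied: account disabled
    print(gate.post_termination_attempts())
```

The gate deliberately makes no judgement about why a user is reading a partition; that is the purpose question Van Buren took out of the statute. What it does enforce, and log, is which partitions a role can reach and whether the account still exists, which is where the remaining exposure lies.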

If you do security research, penetration testing, or bug bounty work, the CFAA's lack of a statutory safe harbor has historically created real legal risk — even for researchers acting in good faith to improve security. The DOJ's revised charging policy (May 2022) instructs prosecutors not to pursue "good-faith security research" — defined as research conducted to improve security, with findings reported to vendors or the public rather than exploited. But DOJ policy can change with administrations and isn't a substitute for statutory protection. The safest approach: always have written authorization from the system owner before testing (bug bounty programs like those on HackerOne and Bugcrowd provide this formally); document your methodology; stay within the authorized scope; don't access data beyond what's needed to demonstrate the vulnerability; report findings promptly. The EFF's Coders' Rights Project (eff.org/issues/coders-rights) provides legal resources for researchers facing CFAA threats.
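The "stay within the authorized scope" advice above is easier to follow when the written authorization is encoded and checked before any testing touches a target. The following is an added example, not code from the page, EFF, or any bug bounty platform; the authorization record (owner, reference number, validity window, in-scope networks and domains, exclusions) is constructed, and a real engagement would load it from the signed rules-of-engagement document.

```python
"""Added example: check a candidate target against a written authorization
record (scope, exclusions, validity window) before testing it.

The AUTHORIZATION record is constructed for the example; the addresses
are documentation ranges (RFC 5737 / RFC 3849) and the reference number
is a placeholder, not a real engagement identifier.
"""
import ipaddress
from datetime import datetime, timezone
from typing import Tuple

AUTHORIZATION = {
    "owner": "Example Corp (constructed)",
    "reference": "ROE-PLACEHOLDER-0001",
    "valid_from": datetime(2026, 5, 1, tzinfo=timezone.utc),
    "valid_until": datetime(2026, 5, 31, 23, 59, tzinfo=timezone.utc),
    "networks": ["192.0.2.0/24", "2001:db8:1::/48"],
    "domains": ["app.example.com", "*.staging.example.com"],
    "excluded": ["192.0.2.250/32"],   # e.g. a production database host
}


def _host_in_domain_scope(host: str, patterns) -> bool:
    """Exact match, or wildcard match on subdomains only (not the apex)."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False


def in_scope(target: str, auth: dict = AUTHORIZATION,
             now: datetime = None) -> Tuple[bool, str]:
    """Return (authorized, reason) for an IP literal or hostname."""
    now = now or datetime.now(timezone.utc)
    if not (auth["valid_from"] <= now <= auth["valid_until"]):
        return False, "outside authorization window"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # not an IP literal; treat as a hostname
    if ip is not None:
        # Exclusions win over inclusions, so check them first.
        if any(ip in ipaddress.ip_network(n) for n in auth["excluded"]):
            return False, "explicitly excluded"
        if any(ip in ipaddress.ip_network(n) for n in auth["networks"]):
            return True, "in authorized network range"
        return False, "IP not in authorized ranges"
    if _host_in_domain_scope(target, auth["domains"]):
        return True, "in authorized domain scope"
    return False, "host not in authorized domain scope"


if __name__ == "__main__":
    for t in ["192.0.2.10", "192.0.2.250", "198.51.100.5",
              "api.staging.example.com", "staging.example.com",
              "app.example.com", "other.example.com"]:
        print(t, in_scope(t))
```

One caveat the check cannot cover on its own: a hostname that is in scope can resolve to an address that is not. Resolve the name and run the resulting address through the same function before proceeding, and keep the decision output alongside the methodology notes the paragraph recommends documenting.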

If your business was hacked, had data stolen, or is experiencing scraping of your systems, the CFAA's civil cause of action (§ 1030(g)) is one of several tools available. To bring a CFAA civil claim, you must show damage or loss of $5,000 or more in any 1-year period — met by any meaningful incident (incident response costs, system downtime, remediation). After Van Buren, the most CFAA-vulnerable corporate scenarios are: external hackers who broke in without any authorization (clearly covered), web scrapers circumventing technical access controls (courts split; hiQ v. LinkedIn in the Ninth Circuit found scraping publicly accessible data may not violate CFAA, but other circuits may disagree), and former employees who retained access after separation and used it to take data (still covered). For the employee-data-theft scenario specifically, the Defend Trade Secrets Act (DTSA) (18 U.S.C. § 1836) is often more useful than CFAA — the DTSA doesn't require the Van Buren authorization analysis and provides federal trade secret misappropriation claims with up to $5M in exemplary damages for willful misappropriation. Combining CFAA with DTSA, breach of contract, and state trade secret claims is standard practice in employee data theft litigation.

State Variations

The CFAA is federal law, but all 50 states have their own computer crime statutes:

  • State computer crime laws vary in scope, definitions, and penalties
  • Some state laws are broader than the CFAA (covering intrastate computer crimes that the CFAA might not reach)
  • State laws may define "unauthorized access" differently than the federal standard post-Van Buren
  • Data breach notification laws (all 50 states have them) create state-level obligations that complement the CFAA's criminal framework
  • State consumer protection statutes may also address computer fraud

Implementing Regulations

The CFAA (18 U.S.C. § 1030) is a criminal and civil statute enforced through federal prosecution and private litigation. No CFR implementing regulations exist — DOJ prosecution policy is set through internal guidelines, most recently updated after Van Buren v. United States (2021).

Pending Legislation

No standalone CFAA reform bills have been introduced in the 119th Congress. Cybercrime-related provisions appear in broader cybersecurity legislation — see Cybersecurity and Data Breach Notification and Cybersecurity Workforce and Education.

Recent Developments

  • AI web scraping cases are testing CFAA's reach (2024–2025): The rise of AI training data collection — where companies scrape vast amounts of web content to train large language models — has generated a new wave of civil CFAA litigation. Platform operators (LinkedIn, X/Twitter, Reddit, various news publishers) have sought to block AI scrapers using CFAA claims alongside copyright and contract arguments. Courts are split on whether scraping publicly accessible data violates the CFAA after Van Buren (2021) narrowed the "exceeds authorized access" prong. The Ninth Circuit's evolving hiQ v. LinkedIn decisions remain the closest thing to a governing precedent but are contested in other circuits. Congress has not yet addressed AI training data scraping specifically in any statute.
  • Van Buren (2021) narrowed criminal exposure but clarified little about civil liability: The Supreme Court's ruling that employees don't "exceed authorized access" simply by using systems for unauthorized purposes (a narrow reading favorable to defendants) closed many employment-context criminal cases. DOJ's 2022 revised charging policy also directed prosecutors to avoid pursuing good-faith security researchers. But the civil CFAA — used by companies to sue competitors, former employees, and scrapers — operates under different precedents and continues expanding. A company that receives an "unauthorized access" cease-and-desist from a platform operator faces CFAA civil liability risk even when no criminal prosecution would occur.
  • Ransomware enforcement drove CFAA prosecution surge (2023–2025): DOJ's ransomware enforcement has generated some of the largest CFAA cases in history — including prosecutions of individuals affiliated with LockBit, Hive, and ALPHV/BlackCat ransomware groups. Charges typically include CFAA § 1030(a)(5) (intentional damage to protected computers) and § 1030(a)(7) (threats to damage), with maximum sentences of 10 years per count. The FBI, working with international partners through Operation Cronos and similar joint operations, has disrupted major ransomware infrastructure. Victims of ransomware attacks may have CFAA civil claims against attackers — though collecting on a judgment against a foreign ransomware group is practically impossible.
  • CFAA reform proposals remain stuck in Congress: A security research exemption — which would explicitly protect good-faith vulnerability researchers from CFAA prosecution — has bipartisan support and has been introduced in multiple Congresses. DOJ's policy guidance partially addressed the concern, but policy guidance can be reversed by a new administration; a statutory safe harbor would provide more durable protection. The broader CFAA modernization debate (adjusting penalties, clarifying the authorization standard, addressing AI and scraping) has not advanced to a floor vote in the 119th Congress.
