Computer and Cyber Crime
Given how ubiquitous technology has become in our daily lives, it is no wonder computers are often both the objects and instrumentalities of crimes.
Computer fraud and other cybercrimes are serious offenses that can carry heavy penalties, including lengthy prison sentences and large fines. If you are being investigated for or are facing charges of computer fraud, computer hacking, or other cybercrimes, engaging experienced defense counsel early in the process is critical. We understand this complex area of the law and have significant experience successfully defending clients in these types of investigations and proceedings. If you are or think you could be the target of a computer fraud or cybercrime investigation, call us at (404) 658-9070.
There are many types of computer crimes, and while most states have their own computer crime laws, the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, is the federal statute that forms the basis for most federal prosecutions of computer-related crimes.
What Does the CFAA Prohibit?
The CFAA is an anti-hacking statute that applies to “protected computers” and prohibits damaging a protected computer or accessing a protected computer “without authorization.”
The CFAA criminalizes seven kinds of computer-related activities:
- Hacking into a protected computer
- Hacking that results in exposure to certain governmental, credit, financial, or computer-housed information
- Damaging a protected computer
- Using a protected computer to commit fraud
- Threatening to damage a protected computer
- Trafficking in passwords
- Electronic espionage
The statute also criminalizes attempts or conspiracies to commit any of these offenses.
What is a “Protected Computer”?
A “computer” includes not only laptops and desktop computers, but also cell phones; iPads and other tablets; Kindles and other e-readers; and gaming systems such as Xbox.
A “protected” computer is defined under the statute as a United States government computer, a bank or other financial institution computer, or any computer used in or affecting interstate or foreign commerce. Any computer that is connected to the Internet is deemed to be used in or affecting interstate or foreign commerce. Under this definition, almost any computer will come within the statute’s broad sweep.
What Does “Without Authorization” Mean?
Courts have held that accessing a protected computer “without authorization” simply means “accessing a protected computer without permission.”
What Does it Mean to “Exceed Authorized Access”?
Under the statute, one exceeds authorized access if he accesses a computer with authorization but “use[s] such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.” 18 U.S.C. § 1030(e)(6).
Some courts interpret this provision narrowly, while other courts interpret it more broadly. Courts applying a narrow interpretation generally look at whether controls were in place to prevent the accesser from accessing the information, and not at how the accesser ultimately used the information. In other words, if an individual’s access to a certain computer or server was authorized and the individual accesses that computer or server, he has not violated the law, regardless of how he uses the information obtained. For example, under this narrow interpretation of the statute, an employee who, using valid log-in credentials, accesses her employer’s confidential information and uses it for personal gain has not “exceeded authorized access” under the statute because she was permitted to access the information. This is true even if her personal use of confidential company information was strictly prohibited.
Courts applying a broader interpretation of the CFAA’s “exceeds authorized access” provision generally look at how the accesser uses (or misuses) the information he or she lawfully obtains. Our circuit – the Eleventh Circuit – takes this approach. For example, the Eleventh Circuit has held that a defendant exceeds his authorized access under the CFAA when he accesses personal records for nonbusiness reasons, in violation of his employer’s policy that the use of databases to obtain personal information is permitted only if done for business reasons.
It is important to remember that any unauthorized invasion of privacy via computer constitutes hacking and can be criminally prosecuted under 18 U.S.C. § 1030.
What are the penalties for violating the CFAA?
Depending on the violation, penalties can range from one year to 20 years in prison.
Merely obtaining information that is worth less than $5,000 under 18 U.S.C. § 1030(a)(2) is a misdemeanor, punishable by a fine or one year in prison. However, obtaining information under Section 1030(a)(2) carries up to five years’ imprisonment if (i) the offense was committed for purposes of commercial advantage or private financial gain; (ii) the offense was committed in furtherance of any criminal or tortious act; or (iii) the value of the information obtained is greater than $5,000.
Penalties for other violations include:
- Up to 10 years for hacking that results in obtaining national security information
- Up to 5 years for accessing a computer to defraud
- 1 to 10 years for intentionally damaging a computer
- Up to 5 years for using a computer to commit extortion
- 1 year for trafficking in passwords
The Stored Communications Act, 18 U.S.C. § 2701, et seq., is a criminal statute that prohibits the intentional access, without authorization, of a “facility through which an electronic communication service is provided” and to “thereby obtain access to an … electronic communication while it is in electronic storage.” The SCA thus protects against unauthorized access to emails, text messages, instant messages, and social media accounts. The SCA also provides for a civil right of action to recover both actual and punitive damages as well as attorneys’ fees and costs. Given the similarities between the SCA and the CFAA, it is not uncommon for hackers to violate both statutes.
The Federal Wiretap Act makes it a crime to intentionally intercept, use, or disclose any wire, oral, or electronic communication through the use of any electronic, mechanical or other device. The Wiretap Act thus protects communications in transit, while the SCA protects communications at rest.
Violations of the SCA and the Wiretap Act are generally punishable by up to five years’ imprisonment and/or a fine of up to $250,000 for individuals and $500,000 for organizations.
Contact an Experienced Criminal Defense Attorney Today
Computer fraud laws are incredibly complex. In any case involving computer fraud, it may be necessary to obtain the services of a forensic expert with significant computer expertise. This should be done through defense counsel in order to ensure that the expert’s findings remain protected by the attorney-client privilege. Our firm has been involved in reconstructing digital data, reviewing hard drives, and otherwise accessing deleted materials to determine whether federal crimes have occurred and, if so, who participated in their commission. Because this is a sophisticated area of the law that involves sophisticated computer technology, such forensic expertise is oftentimes indispensable in defending against alleged violations of 18 U.S.C. § 1030 and other laws.
If you have a cybercrime matter you would like to discuss with experienced federal criminal defense lawyers, please contact us at (404) 658-9070.