We often see “hacking” portrayed in movies and television as cases where an individual attempts to access a secure database or computer system in order to get information that would not be accessible through legal means. However the media often talks about hacking in generic terms. Many people do not have a true sense of what federal laws are being violated when someone “hacks” a computer, and what makes these acts illegal. The primary statute that deals with federal computer crimes is 18. U.S.C. 1030, known as the Computer Fraud and Abuse Act (CFAA).
The CFAA makes it illegal for an individual or group to distribute computer code or place code into the stream of commerce if it is intended to create an economic loss or damage. The CFAA was originally enacted in 1984 and was intended to apply to government-owned computers and computers belonging to financial institutions. However, as computer technology became more prevalent, cyber crimes occurred more often. Thus, the statue was expanded to give the government broad authority to prosecute anyone who accessed “a protected computer,” which courts have interpreted as being any computer connected to the internet. The CFAA in its present form prohibits the following activities:
- Accessing a computer without authorization and transmitting classified government information. 18 U.S.C. § 1030(a)(1).
- Intentionally accessing a computer without authorization to obtain financial information from a financial institution or card issuer. 18 U.S.C. § 1030(a)(2)(A).
- Intentionally accessing a computer without authorization to obtain information from any department or agency of the United States. 18 U.S.C. § 1030(a)(3).
- Knowingly and with the intent to defraud, access a protected computer without authorization. 18 U.S.C. § 1030(a)(4).
- Knowingly or intentionally cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer. 18 U.S.C. § 1030(a)(5).
- Knowingly and with the intend to defraud, traffic in any password of similar information through which a computer may be accessed without authorization if such trafficking affects interstate or foreign commerce; of such computer is used by or for the Government of the United States. 18 U.S.C. § 1030(a)(6).
Sentencing for Federal Computer Crimes
Under the CFAA, an individual convicted of a computer crime can face a prison sentence of up to 20 years and a fine of up to $250,000. However, the punishment varies under each subsection of the CFAA. For example, the punishment for an offense under subsection (a) or (b) would have a maximum imprisonment period of 10 years. However, if an individual had a previous conviction under the CFAA, a maximum period of 20 years imprisonment would be applicable. The United States Sentencing Guidelines is the main driving force as to what sentence an individual may get under the statute. The guidelines contemplate a range of punishment derived from an individual’s Base Offense Level and criminal history category (which spans from 1-6). The maximum Base Offense Level “BOL” that can be given is 43. The BOL is dictated by loss amount or damage caused to computer systems and various enhancements may be given to increase the BOL and range of punishment.
Sentencing Enhancements for Federal Computer Crimes
There are also other factors under the Sentencing Guidelines which may have an impact. The sophistication of crime, number of victims, and the potential for the information to be used to blackmail victims may also enhance a sentence. Ultimately, these prosecutions and the sentences accompanying them are based upon the scope of the hack, its overall monetary value, and the sophistication of the crime. Under most scenarios, these are serious felonies that carry prison time.
Defending Federal Computer Crimes
The CFAA is a complex federal statute that uses technical language and may be confusing to someone not familiar with legal or computer fields. However, it is clear in its purpose and seeks to deter individuals from accessing protected computers without authorization and to distribute code that causes economic loss or damage to protected computers. It is important to note that a “protected computer’ has been defined by the courts as any computer connected to the internet, so the definition is very broad and almost universally applicable. If charged with a crime under the CFAA, it is important to have a solid defense strategy that can be used to attack any weaknesses in the case. A key component in attacking any federal case lies within commandeering experts that can forensically examine computers and programming code to determine if the government’s allegations are legally justifiable and whether the Government can establish the identity of the person who actually accessed sensitive data. Defense attorneys who specialize in computer crimes will also thoroughly review the discovery provided by the government early in the case to determine whether weaknesses exist and will reach out to the prosecutors to facilitate communication to try to establish that the data upon which the Government relies does not necessarily mean what prosecutors think it does. Opening lines of communication and compiling data to establish such a possibility needs to be done as quickly as possible.
It is also important that individuals facing such charges, and their professionals who are recruited to assist them, are proactive. The Government will not likely evaluate if alternate suspects may be actually responsible nor will it necessarily evaluate whether the “hack” was knowingly conducted. Professionals protecting an accused hacker’s interests are charged with establishing such possibilities.
If you have been charged with a federal computer crime, call us at (817) 203-2220 or contact us online to discuss our strategy for your defense:
Also published on Medium.