COVID-19-Related Cybercrime and the Computer Fraud and Abuse Act featured image

COVID-19-Related Cybercrime and the Computer Fraud and Abuse Act

by John DiGiacomo

Partner

Internet Law

In 1986, Congress enacted the Computer Fraud and Abuse Act (“CFAA”). See 18 U.S.C. § 1030, et seq. The CFAA is one of the major federal statutes that empowers the federal government to seek criminal penalties against hackers and cybercriminals. The statute has also been used to punish employees and others who “misuse” computers to which they have access. Civil parties can also use the CFAA to obtain civil penalties against those who commit computer fraud and misuse.

The CFAA has been a focus of news reports lately for two reasons. First, in April 2020, the United States Department of Justice (“DOJ”) announced a crackdown on computer hacking, cybercrime, fraud, scams and phishing schemes related to COVID-19 pandemic. Reprehensibly, hackers and cybercriminals have been exploiting the pandemic to scam donations and access to technology from businesses, universities, and individuals. During its announcement of its crackdown efforts, the DOJ highlighted examples like of a fake website pretending to be the Red Cross soliciting donations to fight COVID-19 and various fake websites and using look-alike domain names mimicking government websites tricking victims into turning over their bank account information and other personal information.

During the announcement, the DOJ also highlighted its powers under the CFAA and promised vigorous and tenacious prosecution of cybercriminals seeking to take advantage of the COVID-19 crisis. The CFAA makes computer hacking a crime. In particular, the CFAA makes it a crime to intentionally access a computer “without authorization” or by exceeding “authorized access” and, as a result, obtaining “information from any department or agency of the United States.” 18 U.S.C. § 1030(a)(2)(B). Originally, the CFAA only applied to hacking or unauthorized access of government computers, but the Act now applies to what are called “protected computers” which essentially mean all computers that are connected to the internet. Depending on the severity of the violation of the CFAA, the DOJ can seek substantial monetary fines and prison terms from as low as one year to as many as 20 years.

The CFAA has also been in the news lately because the US Supreme Court has agreed to hear an appeal related to a criminal conviction under the CFAA in the case of US v. Van Buren, 940 F. 3d 1192 (11th Cir. 2019). The DOJ has long taken the view that the CFAA can be used to criminally punish employees who abuse their employer’s computer by exceeding the authority granted to them as employees. In Van Buren, the defendant — Nathan Van Buren — was a sergeant with the Police Department in Cumming, Georgia. As a police officer, Van Buren had authorized access to the Department’s computer system for police-related operations. However, Van Buren used the computer system for personal — criminal — business. In exchange for a “loan” by a man interested in a woman he met at a strip club, Van Buren ran a search for a woman’s vehicle license plate number in the police database.

Unfortunately for Van Buren, the whole thing was an FBI sting operation. Van Buren was eventually arrested, charged with violating the CFAA and was convicted. On appeal to the Eleventh Circuit, Van Buren argued that the CFAA did not apply to situations, like his, where an employee violates an employer’s use-of-computer policies.

On this particular legal point, there is a split among the Federal Circuit Courts of Appeal. Like the First, Fifth and Seventh Circuits, the Eleventh Circuit agrees with the DOJ that the CFAA criminalizes using data for unauthorized purposes even if accessing the data was otherwise authorized. That is what Van Buren did. As a police officer, he was authorized to access license plate related information. However, he was not authorized to personally use that information and, obviously, not authorized to give the information to another in exchange for a “loan.”

By contrast, three Circuit Courts — the Second, Fourth, and Ninth Circuits — disagree with the DOJ’s interpretation. Those Circuits interpret the CFAA to only criminalize access to data that the employee was not authorized to access (regardless of what the data was ultimately used for). These Circuits are concerned about potential overreach and about criminalizing common employee behaviors. Imagine that a workplace provides work email addresses and the email-use policy states that the email addresses can only be used for company business. If an employee uses the email for personal business, under the broad interpretation of the FCAA, that employee has committed a crime.

The US Supreme Court is expected to hear arguments on the Van Buren case later this year. We, here at Revision Legal will be following the case with interest.

If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.

Extra, Extra!
Recent Posts

Worrying About SaaS Agreements and Cross-Border Data Transfers

Worrying About SaaS Agreements and Cross-Border Data Transfers

Internet Law

When your business is contemplating a software-as-a-service (“SaaS”) agreement, there are a large number of considerations. An SaaS agreement is, of course, a subscription service where a software package is centrally hosted and accessed by a SaaS company’s customers. Issues to be aware of include: As important as the foregoing issues are, one often overlooked […]

Read more about Worrying About SaaS Agreements and Cross-Border Data Transfers

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Internet Law

If you are serious about your career as a social media influencer, blogger, and/or online content creator, you ARE going to need legal services at some point. Online creation is big business now, and big business means the need for legal services. The Internet and Social Media Attorneys at Revision Legal are here to help. […]

Read more about FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Take it Down Act: Ban on “Revenge Porn” Goes National

Take it Down Act: Ban on “Revenge Porn” Goes National

Internet Law

Congress recently passed the Take It Down Act (“TIDA”), and the law was signed by the President in mid-May 2025. See AP media report here. Interestingly enough, “Take It Down” is an acronym for “Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act.” TIDA prohibits what is commonly called “revenge […]

Read more about Take it Down Act: Ban on “Revenge Porn” Goes National

Put Revision Legal on your side

Let's Discuss Your Case