Computer Fraud and Abuse Act

Definition of Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) is a United States federal law enacted in 1986 that primarily aims to combat hacking, unauthorized access, and other cybercrimes. It criminalizes activities such as unauthorized access to protected computer systems, theft of financial or personal information, and the distribution of malicious software. The Act has been amended multiple times to keep up with the evolving landscape of cybersecurity threats and technology advancements.


Here’s the phonetic pronunciation of “Computer Fraud and Abuse Act”:kəmˈpyo͞odər frôd ən(d) əˈbyo͞os akt

Key Takeaways

  1. The Computer Fraud and Abuse Act (CFAA) is a US federal law that criminalizes unauthorized access to computer systems and electronic communications, including hacking, data theft, and unauthorized password trafficking.
  2. CFAA also covers the transmission of malicious software, such as viruses, worms, and ransomware, as well as cyberstalking and online harassment, thus providing legal protection against various forms of cybercrime.
  3. Violations of the CFAA can lead to severe penalties, ranging from fines to imprisonment, depending on the nature and extent of the offense. However, the law is sometimes criticized for its broad scope, which could potentially stifle legitimate security research and criticism.

Importance of Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) is a crucial legislation in the realm of cybersecurity and technology as it provides the necessary legal framework for protecting computer systems from unauthorized access, hacking, and other forms of cybercrimes.

Enacted in 1986, the CFAA serves as a deterrent against malicious activities targeting personal, business, and government computer networks, thus bringing a sense of security to the rapidly expanding digital landscape.

By prescribing penalties and criminalizing such offenses, the Act not only safeguards sensitive data and critical systems but also plays a vital role in maintaining user confidence and fostering a responsible and safe computing environment.


The primary purpose of the Computer Fraud and Abuse Act (CFAA) is to provide a legal framework for prosecuting and deterring cybercrimes, protecting computer systems, and safeguarding sensitive information from unauthorized access or damage. Enacted in 1986 in the United States, the CFAA targets those who intentionally access computer systems without proper authorization, engage in hacking activities, or participate in a range of fraudulent practices.

By imposing strict penalties ranging from fines to imprisonment, the CFAA serves as a critical instrument for upholding cybersecurity and establishing robust standards for an increasingly digital world. In addition to addressing the key cybersecurity concerns, the CFAA establishes stringent legal measures against those who disseminate malicious software, distribute confidential information, or perpetrate cyber attacks aimed at crippling essential infrastructures and government systems.

The legislation has evolved over the years to adapt to emerging security threats and the ever-changing technological landscape. As such, the CFAA is instrumental in maintaining the integrity of computer networks, safeguarding sensitive intellectual property, and ensuring that the responsible use of technology remains at the core of the digital era.

By holding perpetrators accountable, the CFAA works relentlessly to foster an environment of cybersecurity and trust among users and stakeholders in the online realm.

Examples of Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) is a United States federal law enacted in 1986 to prevent and prosecute unauthorized access, fraud, or abuse involving computer systems, networks, and data. Here are three real-world examples related to the CFAA:

United States v. Swartz (2011): In this case, internet activist Aaron Swartz was charged under the CFAA for downloading a large number of academic journal articles from the online database JSTOR without authorization. Swartz accessed the Massachusetts Institute of Technology’s computer network to download the articles, intending to make them freely available on the internet. Facing a potential prison sentence of 35 years, Swartz committed suicide in 2013, leading to substantial criticism and calls for CFAA reform.

United States v. Nosal (2016): David Nosal, a former employee of executive search firm Korn/Ferry, was charged under the CFAA for convincing his former colleagues to use their login credentials to gain access to the Korn/Ferry computer system and steal confidential client data for Nosal’s new competing business. The case eventually reached the United States Court of Appeals for the Ninth Circuit, where the court upheld the conviction and determined that unauthorized access to a protected computer system constitutes a violation of the CFAA.

United States v. Lori Drew (2008): In this highly-publicized case, Lori Drew was charged under the CFAA for her involvement in a cyberbullying incident leading to the suicide of a 13-year-old girl, Megan Meier. Drew created a fake MySpace account, pretending to be a teenage boy, and communicated with Megan, at one point sending cruel messages that led to the teenager’s suicide. Although the jury initially convicted Drew under the CFAA for unauthorized access to MySpace’s computer systems, the judge later threw out the verdict, ruling that it would set a dangerous precedent for criminalizing violations of website terms of service agreements. Despite the overturned conviction, the case attracted significant attention and spurred advocacy for stronger cyberbullying laws.

FAQs about the Computer Fraud and Abuse Act

What is the Computer Fraud and Abuse Act?

The Computer Fraud and Abuse Act (CFAA) is a United States federal law enacted in 1986, which primarily focuses on protecting computer systems and networks from unauthorized access, data theft, and cybercrimes by imposing criminal penalties for such activities.

What are the main provisions of the CFAA?

The CFAA prohibits unauthorized access to protected computers, access to government systems without authorization, modification or destruction of information in protected systems, trafficking of counterfeit access devices, and several other computer-related cybercrimes. Penalties for violating the provisions range from fines to imprisonment depending on the severity of the offense.

What kind of computer systems are protected under the CFAA?

The CFAA protects computers used in interstate or foreign commerce, government systems, financial institutions, and computers owned by federal, state, and local governments. It also covers computers used by non-profit organizations, educational institutions, and business entities.

What is considered unauthorized access under the CFAA?

Unauthorized access under the CFAA is defined as accessing a protected computer without permission, or exceeding the allowed access. This includes any activity that circumvents security measures, misuses login credentials, or employs hacking tools to gain unauthorized entry into computer systems.

What are the penalties for violating the CFAA?

Penalties for violating the CFAA depend on the severity of the crime and the specific provision that was breached. For first-time offenders, penalties can range from fines and probation to imprisonment. For repeat offenders and more severe infractions, longer prison sentences and higher fines may be imposed. Additionally, civil remedies supporting damage recovery might be available to affected entities.

Has the CFAA been criticized or faced controversy?

Yes, the Computer Fraud and Abuse Act has faced criticism for its broad language and the potential to be used to prosecute relatively minor offenses. The act has been called into question for its potential to stifle security research or limit the freedom of information. Several cases, such as the prosecution of Aaron Swartz, have led to discussions on the need for reforming the CFAA.

Related Technology Terms

  • Unauthorized access
  • Data theft
  • System damage
  • Misuse of information
  • Cybersecurity

Sources for More Information


About The Authors

The DevX Technology Glossary is reviewed by technology experts and writers from our community. Terms and definitions continue to go under updates to stay relevant and up-to-date. These experts help us maintain the almost 10,000+ technology terms on DevX. Our reviewers have a strong technical background in software development, engineering, and startup businesses. They are experts with real-world experience working in the tech industry and academia.

See our full expert review panel.

These experts include:


About Our Editorial Process

At DevX, we’re dedicated to tech entrepreneurship. Our team closely follows industry shifts, new products, AI breakthroughs, technology trends, and funding announcements. Articles undergo thorough editing to ensure accuracy and clarity, reflecting DevX’s style and supporting entrepreneurs in the tech sphere.

See our full editorial policy.

More Technology Terms

Technology Glossary

Table of Contents