Mehmet Halit Sezgin

Information Privacy & Cyber Security Lawyer

18 U.S.C. § 1030(a) Computer Crimes Summary DO NOT CITE

1030(a)(1) Whoever having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or attempts to communicate, deliver, transmit or cause to be communicated, delivered or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it; – Accessing a computer to obtain and transmit classified national defense information. penalties 1st Offense: Fine and/or Imprisonment up to 10 years (c)(1)(A)

Subsequent Offense: including others in title. Fine and/or Imprisonment up to 20 years 1030(c)(1)(B)
elements 1. Knowingly accessed computer without/exceeding authorization
2. Obtained classified national defense/foreign relations information
3. Reason to believe information could harm US/benefit foreign nation
4. Willfully transmitted to unauthorized person
1030(a)(2) Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— – Unauthorized access to obtain information.
1030(a)(2)(A) Information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act. – Unauthorized access to obtain financial records from financial institutions. penalties Basic offense: Fine/Imprisonment up to 1 year (c)(2)(A)
If Enchanced: Fine/Imprisonment up to 5 years (c)(2)(B)
Subsequent Offense: Fine/Imprisonment up to 10 years (c)(2)(C)

(c)(2)(B) Enhanced penalties if:
 (i) purpose of commercial advantage or Private financial gain
 (ii) furtherance crime/tort in violation of law.
   */note double counting issue re Cioni.
 (iii) Value of information > $5,000
   */ Depravation of Property Required
   */ “Obtains”: includes accessing info.
elements 1. Intentional access without/exceeding authorization
2. Obtained information from financial record
3. Record belonged to financial institution/card issuer/consumer reporting agency
1030(a)(2)(B) Information from any department or agency of the United States. – Unauthorized access to obtain information from U.S. government departments. penalties Basic offense: Fine/Imprisonment up to 1 year (c)(2)(A)
If Enchanced: Fine/Imprisonment up to 5 years (c)(2)(B)
Subsequent Offense: Fine/Imprisonment up to 10 years (c)(2)(C)

(c)(2)(B) Enhanced penalties if:
 (i) purpose of commercial advantage or Private financial gain
 (ii) furtherance crime/tort in violation of law.
   */note double counting issue re Cioni
 (iii) Value of information > $5,000
   */ Depravation of Property Required
   */ “Obtains”: includes accessing info
elements 1. Intentional access without/exceeding authorization
2. Obtained information
3. Information was from U.S. department/agency
1030(a)(2)(C) Information from any protected computer. – Unauthorized access to obtain information from any protected computer. penalties Basic offense: Fine/Imprisonment up to 1 year (c)(2)(A)
If Enchanced: Fine/Imprisonment up to 5 years (c)(2)(B)

Subsequent Offense: Fine/Imprisonment up to 10 years (c)(2)(C)

(c)(2)(B) Enhanced penalties if:
 (i) purpose of commercial advantage or Private financial gain
 (ii) furtherance crime/tort in violation of law.
   */note double counting issue re Cioni.
 (iii) Value of information > $5,000
   */ Depravation of Property Required
   */ “Obtains”: includes accessing info.
elements 1. Intentional access without/exceeding authorization
2. Obtained information
3. Information was from protected computer
Relevant Cases:
United States v. Batti
Established that value of information uses market value or reasonable production/research/design costs if no market value exists. Court found value of information is unrelated to whether value was diminished by defendant’s actions. Important for determining felony enhancement under 1030(c)(2)(B)(iii).
United States v. Cioni
Court ruled that using same SCA violation for both predicate crime and felony enhancement violates double jeopardy principle. Key case for understanding limitations on using same conduct for multiple CFAA enhancements.
United States v. Steele
Found that state-law larceny can serve as predicate crime for felony enhancement as long as elements differ from CFAA violation. Important for understanding how state law crimes can be used for CFAA enhancements.
1030(a)(3) Intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States. – Unauthorized access to U.S. government computers. penalties Basic offense: Fine/Imprisonment up to 1 year (c)(2)(A)

Subsequent Offense: Fine/Imprisonment up to 10 years (c)(2)(C)

   */Starts off as misdemeanor
elements 1. Intentional access without authorization
2. Nonpublic government computer
3. Computer exclusively for/used by U.S. government
4. Conduct affects government use
1030(a)(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; – Computer fraud to obtain anything of value. penalties Fine/Imprisonment up to 5 years 1030(c)(3)(A)

Subsequent Offense: Fine/Imprisonment up to 10 years 1030(c)(3)(B)

   */Not applicable if object of fraud consists only of use of computer
   */value < $5,000 in any 1-year period
   */Deprivation of property required, <$5,000 in 1-year period
elements 1. Knowing access without/exceeding authorization
2. Intent to defraud
3. Furthered intended fraud
4. Obtained anything of value
Relevant Cases:
United States v. Czubinski
IRS employee’s mere browsing of taxpayer records without further use/disclosure did not constitute obtaining “anything of value”. Distinguished from Seidlitz where defendant intended to use information for competing business. Crucial case for understanding what constitutes “obtaining anything of value” under 1030(a)(4).
United States v. Seidlitz
Court found fraudulent intent even without proof defendant used stolen data, because information was obtained through subterfuge. Important for understanding fraudulent intent requirement doesn’t require actual use of obtained information.
1030(a)(5) Whoever— – Causing damage through unauthorized computer access.
1030(a)(5)(A) Knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer. – Knowingly causing damage to protected computers through transmission of programs/code. penalties Up to 1 year/fine (c)(4)(G)

Up to 10 yrs/fine if (I)-(VI) of (a)(5)(A) satisfied (c)(4)(B)(i)

Up to 20 yrs/fine if attempts or knowingly/recklessly causes serious body injury (c)(4)(E)

Up to Life/fine if attempts or knowingly/recklessly causes death (c)(4)(F)

If Enhanced Penalties of (c)(4)(A)(i): Up to 10 years.

Subsequent Offense: Up to 20 years 1030(c)(4)(C)

For (a)(5)(A) and (a)(5)(B), enhanced penalties for damage applicable if (c)(4)(A)(i):
 (I): loss to 1 or more people of $5,000 or more
 (II): medical treatment modification or impairment
 (III): phys. Inj.
 (IV): Threat to public health/safety
 (V): Damage to gov’t computer re justice, natsec, natdef.
 (VI): Damage affecting at least 10 prot. comp during 1 year
elements 1. Knowing transmission of program/code
2. Intentional causation of damage
3. Without authorization
4. To protected computer
1030(a)(5)(B) Intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage. – Recklessly causing damage through unauthorized computer access. penalties Up to 1 year/fine (c)(4)(G)
If Enhanced Penalties of (c)(4)(A)(i): Up to 5 years

Subsequent Offense: Up to 20 years 1030(c)(4)(C)

For (a)(5)(A) and (a)(5)(B), enhanced penalties for damage applicable if (c)(4)(A)(i):
 (I): loss to 1 or more people of $5,000 or more
 (II): medical treatment modification or impairment
 (III): phys. Inj.
 (IV): Threat to public health/safety
 (V): Damage to gov’t computer re justice, natsec, natdef.
 (VI): Damage affecting at least 10 prot. comp during 1 year
1030(a)(5)(C) Intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss. – Causing damage and loss through unauthorized computer access. penalties Up to 1 year/fine (c)(4)(G)

Subsequent Offense: Up to 10 years 1030(c)(4)(D)

For (a)(5)(A) and (a)(5)(B), enhanced penalties for damage applicable if (c)(4)(A)(i):
 (I): loss to 1 or more people of $5,000 or more
 (II): medical treatment modification or impairment
 (III): phys. Inj.
 (IV): Threat to public health/safety
 (V): Damage to gov’t computer re justice, natsec, natdef.
 (VI): Damage affecting at least 10 prot. comp during 1 year
Relevant Cases:
International Airport Centers v. Citrin
Ruled that transmitting secure-erasure program constitutes “transmission” under statute, while mere pressing delete key might not qualify. Key case for understanding what constitutes “transmission” under 1030(a)(5).
United States v. Thomas
IT administrator who destroyed employer files exceeded authorization even though generally authorized to delete files. Intent to cause damage was key factor. Important for understanding how authorized access can become unauthorized based on intent.
United States v. Middleton
Established that calculating $5,000 loss threshold involves determining reasonable costs including employee time spent responding to damage. Essential case for understanding how to calculate loss under the statute.
United States v. Sablan
Held that felony enhancements are strict liability; no need to prove mens rea regarding damage amount. Important for understanding mens rea requirements for felony enhancements.
1030(a)(6) Knowingly and with intent to defraud traffics in any— – Trafficking in passwords or similar information.
1030(a)(6)(A) Password or similar information through which a computer may be accessed without authorization, if such trafficking affects interstate or foreign commerce. – Trafficking in passwords affecting interstate/foreign commerce. penalties 1st Offense:Fine/Imprisonment up to 1 year (c)(2)(A)

Subsequent Offense: Fine/Imprisonment up to 10 years (c)(2)(C)

 Requires intent to transfer to another person
 Must affect interstate or foreign commerce
elements 1. Knowing trafficking in passwords
2. Intent to defraud
3. Affects interstate/foreign commerce
4. Enables unauthorized access
1030(a)(6)(B) Such password or similar information through which a computer may be accessed without authorization, if such computer is used by or for the Government of the United States. – Trafficking in passwords for U.S. government computers. penalties 1st Offense: Fine/Imprisonment up to 1 year (c)(2)(A)

Subsequent Offense: Fine/Imprisonment up to 10 years (c)(2)(C)

 Requires intent to transfer to another person
 Must affect interstate or foreign commerce
elements 1. Knowing trafficking in passwords
2. Intent to defraud
3. Computer used by/for U.S. government
4. Enables unauthorized access
1030(a)(7) With intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any— – Extortion related to protected computers.
1030(a)(7)(A) Threat to cause damage to a protected computer. – Extortion through threats to damage protected computers. penalties 1st Offense: Fine/Imprisonment up to 5 years 1030(c)(3)(A)

Subsequent Offense: Fine/Imprisonment up to 10 years (c)(3)(B)

 Must be done with intent to extort money or other thing of value
elements 1. Intent to extort money/value
2. Interstate/foreign transmission
3. Threat to damage protected computer
1030(a)(7)(B) Threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access. – Extortion through threats to obtain or impair confidentiality of information. penalties 1st Offense: Fine/Imprisonment up to 5 years 1030(c)(3)(A)

Subsequent Offense: Fine/Imprisonment up to 10 years (c)(3)(B)

   */Must be done with intent to extort money or other thing of value
elements 1. Intent to extort money/value
2. Interstate/foreign transmission
3. Threat to obtain unauthorized information
4. Or threat to impair confidentiality
1030(a)(7)(C) Demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion. – Extortion through demands related to computer damage. penalties 1st Offense: Fine/Imprisonment up to 5 years 1030(c)(3)(A)

Subsequent Offense: Fine/Imprisonment up to 10 years (c)(3)(B)

   */Applies even after damage has already occurred
elements 1. Intent to extort money/value
2. Interstate/foreign transmission
3. Demand related to damage
4. Damage caused to facilitate extortion
“Access” Cases:
United States v. Morris
Found unauthorized access when defendant exploited vulnerabilities rather than using features for intended functions. Key case for understanding what constitutes “unauthorized access” when dealing with system vulnerabilities.
Van Buren v. United States
Supreme Court ruled exceeding authorized access covers obtaining information from areas of computer one lacks permission to access, not misusing properly accessible information. Landmark case for interpreting “exceeds authorized access” under CFAA.
hiQ v. LinkedIn
Distinguished between sites with no restrictions (no gate), those requiring authorization (gate up), and those explicitly denying access (gate down). Important for understanding authorization in context of public websites.
Pulte Homes v. Laborers’ Union
Held that overwhelming public-facing systems with traffic was not unauthorized access since systems were open to public use. Key for understanding authorization in context of public-facing systems.
United States v. Shahulhameed
Determined that firing notice revokes authorization even if account access remains technically possible. Important for understanding how non-technical actions can affect authorization status.
United States v. Nosal (Nosal II)
Split on whether account holders can grant authorization to others or if only system owners can authorize access. Key case for understanding who has power to grant authorization.
Craigslist v. 3Taps
Found access became unauthorized after cease-and-desist letter combined with IP blocking. Important for understanding how technical and non-technical measures combine to establish lack of authorization.