Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that made it a federal crime to access a protected computer without proper authorization.

CFAA was originally designed to protect computer systems operated by the U.S. government and some financial institutions, but expanded in scope after several amendments. Following the 2001 terrorist attacks, the country's Patriot Act amended the Computer Fraud and Abuse Act to allow search and seizure of records from an ISP. In addition to prosecuting illegal intruders, the Computer Fraud and Abuse Act has been cited by private corporations seeking to safeguard trade secrets and other proprietary information. After Congress amended the CFAA in 1994 to cover private litigans pursuing civil damages, several businesses cited the law primarily to sue employees and former employees suspected of stealing information for competitive purposes.

Critics of the Computer Fraud and Abuse Act have argued that the legislation has been interpreted so broadly that it could be used to criminally charge employees for violating a companies’ acceptable use policy or individuals for violating an Internet Service Provider (ISP) or website's terms of use policy. In September 2011, an amendment to the CFAA was introduced to bring the law back to its original focus on illegal intruder prevention as part of the Personal Data Privacy and Security Act of 2011. Under the amendment, employees cannot be prosecuted or held civilly liable under the CFAA for violating an acceptable use policy issued by a non-government employer.