<p>The federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, is the primary statutory mechanism for prosecuting cybercrime, including hacking, and also covers some related extortionate crimes such as in the context of ransomware. The CFAA provides for both criminal and civil penalties (which in the criminal context can range from 10 to 20 years imprisonment for some aggravated offences, with the penalties for non-aggravated offences otherwise listed below), and specifically prohibits: (1) unauthorised access (or exceeding authorised access) to a computer and obtaining national security information (imprisonment up to 10 years); (2) unauthorised access (or exceeding authorised access) to a computer that is used in interstate or foreign commerce and obtaining information (imprisonment up to one year); (3) unauthorised access to a non-public computer used by the United States government (imprisonment up to one year); (4) knowingly accessing a protected computer without authorisation with the intent to defraud (imprisonment up to five years); (5) damaging a computer either intentionally or recklessly (imprisonment up to five years); (6) trafficking in passwords (imprisonment up to one year); (7) transmitting threats of extortion, specifically threats to damage a protected computer and threats to obtain information or compromise the confidentiality of information (imprisonment up to one year); and (8) cyber-extortion related to demands of money or property (imprisonment up to five years). In <em>Van Buren v. U.S.</em>, 140 S. Ct. 2667 (2020), the Supreme Court substantially limited the ability of the CFAA to penalise insider threats. </p>
0 commit comments