
Copyright SJKP LLP Law Firm all rights reserved

What Is Computer Fraud Law and How Does It Affect Corporate Liability?

Practice area: Corporate

Computer fraud encompasses unauthorized access, data theft, and system manipulation that expose corporations to criminal liability, regulatory sanctions, and civil damages under federal and state law.



For corporations, the legal exposure extends beyond the individual perpetrator to organizational accountability under vicarious liability theories and direct negligence claims. Understanding the statutory definitions, intent requirements, and procedural mechanisms that courts apply helps boards and compliance teams identify vulnerabilities before they escalate into enforcement actions. The distinction between intentional fraud and negligent security failures shapes both criminal risk and civil exposure in ways that demand early documentation and mitigation strategy.



1. What Constitutes Computer Fraud under Federal Law?


Federal computer fraud is primarily governed by the Computer Fraud and Abuse Act (CFAA), which criminalizes unauthorized access to computer systems and networks. The statute requires proof that the defendant knowingly accessed a computer without authorization or exceeded authorized access with intent to obtain information or cause damage. Intent is central to CFAA liability; recklessness or negligence alone does not satisfy the federal standard.



Core Elements of CFAA Violations


The CFAA defines unauthorized access as entry into a computer system without permission or by circumventing security measures. Exceeding authorized access occurs when an employee or contractor uses legitimate credentials to obtain information or reach systems beyond their job scope. Courts interpret these terms narrowly in some circuits and broadly in others, creating jurisdictional variation in what conduct triggers liability. The statute also requires that the defendant act knowingly, which means the defendant must have understood the unauthorized nature of the access or the prohibited use of authorized access. Damages thresholds activate criminal penalties only when losses exceed specified amounts or when the conduct involves national security or critical infrastructure.



Why Does Intent Matter in Corporate Fraud Cases?


Intent separates criminal computer fraud from negligent security practices or inadvertent employee misconduct. A corporation cannot be held criminally liable under the CFAA for the negligent failure to prevent unauthorized access; the individual actor must have acted knowingly and with intent. This distinction is critical because it narrows corporate criminal exposure to scenarios in which an employee or contractor deliberately misused systems or stole data. However, corporations remain exposed to civil liability for negligence in maintaining reasonable security, and to regulatory enforcement by agencies such as the Federal Trade Commission (FTC) and state attorneys general for failing to implement adequate safeguards.



2. How Can a Corporation Be Held Liable for Computer Fraud?


Corporations face liability through multiple pathways: direct criminal liability when senior management knowingly participates in or authorizes unauthorized access, vicarious liability for employee conduct under agency principles, and civil liability for breach of duty to maintain reasonable security and protect customer or proprietary data. New York recognizes both common-law negligence claims and statutory causes of action under the state's data breach notification law and consumer protection statutes.



Vicarious Liability and the Scope of Employment Doctrine


Federal prosecutors often pursue corporate liability theories that hold a company accountable for employee fraud committed within the scope of employment and intended to benefit the organization. Courts examine whether the employee acted with apparent authority, whether the fraud was foreseeable given the company's industry and practices, and whether the corporation's policies and training created a culture tolerant of misconduct. A single employee's unauthorized access to customer data or competitor systems does not automatically trigger corporate liability, but systematic failures in access controls, weak password policies, or inadequate monitoring can support an inference that the corporation was negligent or reckless. In New York state courts, prosecutors may also charge corporations under state penal law if they fail to exercise due diligence in preventing employee crime.



What Role Do Data Breach Notification Laws Play?


New York General Business Law Section 668 requires businesses to notify affected individuals and the state attorney general without unreasonable delay if personal information is compromised. Failure to notify or delay in disclosure can result in additional regulatory liability and civil damages beyond the underlying fraud exposure. The statute defines personal information broadly to include names, Social Security numbers, financial account data, and biometric identifiers. Corporations must also comply with industry-specific regulations such as HIPAA for healthcare data, GLBA for financial institutions, and PCI-DSS for payment card processing. Breach notification requirements create a procedural fork: corporations must balance the need for forensic investigation and law enforcement coordination against the statutory deadline for disclosure.



3. What Are the Procedural and Evidentiary Challenges in Computer Fraud Cases?


Computer fraud cases require specialized forensic evidence, digital chain of custody documentation, and expert testimony on system architecture and access logs. From a practitioner's perspective, the technical complexity and volume of data often create disputes over admissibility, authenticity, and relevance that delay resolution and increase litigation costs. Corporations must preserve digital evidence immediately upon discovery of suspected fraud, including server logs, email records, backup systems, and network traffic data.



Evidence Preservation and Litigation Holds


Once a corporation suspects computer fraud or receives notice of a regulatory inquiry, it must implement a litigation hold to prevent destruction or alteration of relevant digital evidence. Courts in New York and federal districts routinely impose sanctions for spoliation of evidence, including adverse inferences that support liability findings and monetary penalties. The duty to preserve extends to employees' personal devices and cloud storage accounts if they were used for business purposes or contain relevant data. Corporations should document the timing and scope of the litigation hold, communicate it clearly to all custodians, and maintain a record of compliance efforts. Failure to act promptly after discovery can result in loss of critical evidence and exposure to judicial sanctions.



How Does the Computer Fraud and Abuse Act Interact with State Law?


The CFAA provides federal criminal jurisdiction and a private right of action for civil damages, but state laws often provide additional or alternative remedies. New York Penal Law Section 156 criminalizes unauthorized computer access and data theft under state criminal standards that may differ from the CFAA in scope and intent requirements. State civil claims for conversion, breach of contract, and breach of fiduciary duty may also apply when employees steal trade secrets or customer lists. Corporations should evaluate both federal and state exposure when assessing the full scope of potential liability and determining settlement or defense strategies.



4. What Strategic Considerations Should Guide Corporate Response?


When a corporation discovers or suspects computer fraud, early documentation and procedural decisions shape both criminal exposure and civil liability. Corporations must balance the need to investigate internally against the risk of creating incriminating evidence that prosecutors or plaintiffs can use. Decisions about self-reporting to law enforcement, timing of breach notifications, and scope of forensic investigation carry long-term consequences for regulatory relationships and litigation outcomes.



Key Documentation and Eligibility Factors for Risk Mitigation


Corporations should formalize their response to suspected fraud by documenting the discovery date, initial investigation findings, and steps taken to contain the breach. Maintaining contemporaneous records of access controls, employee training on data security, and prior audits or compliance assessments can demonstrate good-faith efforts to prevent fraud and may reduce regulatory penalties. The table below outlines essential documentation categories and their practical significance in corporate liability disputes.

Documentation Type | Practical Significance
Access logs and user activity records | Establishes timeline of unauthorized access and scope of data exposure
Security policies and employee training records | Demonstrates corporate diligence and may reduce negligence liability
Incident response plan and breach timeline | Shows prompt investigation and compliance with notification requirements
Vendor and third-party access agreements | Allocates liability and clarifies responsibility for system security
Prior audit findings and remediation efforts | Supports or undermines inference that corporation knew of vulnerabilities

Corporations should also consider whether the fraud involves trade secrets or customer data that trigger specialized reporting obligations. For example, if the perpetrator is an employee or contractor, the corporation may have a duty to notify affected customers and relevant regulatory agencies. If the fraud involves auto fraud and lemon law claims or other industry-specific schemes, additional disclosure requirements may apply. Timing of these notifications and the accuracy of initial disclosures can significantly affect regulatory outcomes and civil exposure. Corporations should document the rationale for their investigation scope, notification timing, and remedial measures taken to prevent recurrence, as these records demonstrate the corporation's commitment to lawful conduct and may influence prosecutorial discretion or judicial assessment of damages.


24 Apr, 2026


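The information provided in this article is for general informational purposes only and does not constitute legal advice. Past results do not guarantee similar outcomes. Reading or relying on the contents of this article does not create an attorney-client relationship with our firm. For advice regarding your specific situation, please consult an attorney licensed in your jurisdiction.
Certain informational content on this website may use technology-assisted drafting tools and is subject to attorney review.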
