Computer Fraud: How Federal Prosecutors Build These Cases

Before Van Buren, federal prosecutors routinely charged employees, contractors, and business partners under the CFAA whenever they accessed information they were permitted to view but used in a way the computer owner did not authorize. That theory of liability is no longer viable after Van Buren.

Under the post-Van Buren framework, an employee who logs into a company database using valid credentials and copies files to which they have legitimate access does not commit a CFAA violation simply because they intended to use the information for a competing business. The misuse of legitimately accessed information may give rise to a trade secret claim, a breach of contract claim, or other civil causes of action, but it does not constitute exceeding authorized access under the CFAA.

This distinction matters enormously for defendants facing CFAA charges based on insider access. If the government's theory relies entirely on the argument that the defendant used authorized access for an unauthorized purpose, Van Buren may provide a complete defense to the CFAA count. An attorney who handles The Computer Fraud and Abuse Act cases can analyze the specific access at issue against the Van Buren framework and identify whether the government's theory survives the Supreme Court's limitation on the statute's reach.

Computer fraud cases rarely involve only CFAA charges. Federal prosecutors routinely add wire fraud charges under 18 U.S.C. § 1343 and identity theft charges under 18 U.S.C. § 1028 to CFAA cases when the facts support them, dramatically increasing the total sentencing exposure.

Wire fraud applies when the defendant used electronic communications in furtherance of a scheme to defraud. In computer fraud cases, virtually every act of unauthorized access involves some electronic communication, which means the wire fraud count can be charged for each individual access event. With each wire fraud count carrying a maximum of 20 years compared to the CFAA's 5-year maximum, the stacking effect can be significant. A case that looks like a 5-year exposure under the CFAA alone can become a 20-year or greater exposure when wire fraud counts are added for each access.

Aggravated identity theft under 18 U.S.C. § 1028A adds a mandatory 2-year consecutive sentence for each count involving the use of another person's identification means in connection with a felony. When a computer fraud defendant accessed accounts using stolen login credentials, each use of those credentials is a potential aggravated identity theft count. The mandatory consecutive nature of the § 1028A sentence means it cannot be reduced by cooperation agreements, safety valve provisions, or judicial discretion. An attorney who handles cyber fraud and identity theft defense cases can evaluate the full sentencing exposure across all charged counts and identify which counts present the strongest suppression or dismissal arguments.

Former employee CFAA cases are among the most common civil applications of the statute, and the Van Buren decision has significantly changed which cases survive the pleading stage.

Before Van Buren, employers routinely filed CFAA claims against former employees who accessed company systems after their termination date, who downloaded files before resigning, or who used company access to benefit a competing employer. Post-Van Buren, the viable claim is narrowed primarily to access that occurred after authorization was formally revoked, meaning after the employee's credentials were deactivated or after they received explicit written notice that their access had ended.

An employee who downloads files on their last day of work using still-active credentials, before their access has been terminated, may not have committed a CFAA violation under Van Buren even if the employer views the conduct as a clear breach of the employment relationship. The same conduct almost certainly gives rise to trade secret, breach of fiduciary duty, and breach of contract claims that do not depend on the CFAA's authorization framework. An attorney who handles cybercrime and digital fraud civil litigation can assess whether the specific conduct at issue supports a viable CFAA claim after Van Buren and identify which alternative claims provide the strongest basis for relief.

When a computer fraud investigation targets a business rather than an individual, the investigation triggers obligations and strategic decisions that do not arise in individual cases.

A corporate computer fraud investigation may involve a government search of company premises, grand jury subpoenas for corporate records and employee communications, and requests to interview current and former employees. Each of these contacts requires immediate legal coordination. The corporation's interests and the interests of individual employees who may become targets do not always align, and the attorney-client privilege questions that arise when company counsel interviews employees are among the most consequential early decisions in any corporate investigation.

Document preservation obligations arise from the moment the corporation learns it is under investigation or receives a litigation hold notice. Failure to preserve relevant electronic records, whether through destruction, deletion, or allowing automatic deletion to continue after receiving notice, can result in sanctions that are independent of the underlying computer fraud liability. An attorney who handles internet fraud and corporate cybercrime defense can coordinate the preservation obligation, manage the employee interview process, and assess the scope of the government's investigation before the corporation commits to a response strategy.

When a corporate computer fraud investigation is underway, the government is simultaneously building its case and evaluating whether individual employees should be separately charged. The decisions the corporation makes in the first weeks of the investigation, about document preservation, employee interviews, and voluntary cooperation, affect both the corporate exposure and the individual exposure of every employee the government may later target.

Computer fraud in the United States is governed primarily by the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, which prohibits unauthorized access to protected computers and access that exceeds authorization when done with intent to defraud or cause damage. A protected computer includes any device connected to the internet. The CFAA creates both criminal penalties and a private civil right of action, meaning a defendant can face both criminal prosecution and a civil lawsuit arising from the same conduct.

Yes, under certain circumstances. If your employer terminated your access and you continued to log in using your old credentials, that access may be unauthorized under the CFAA. However, the Supreme Court's 2021 decision in Van Buren v. United States held that an employee does not "exceed authorized access" simply by using legitimate access for an improper purpose. If your credentials were still active at the time of access, the CFAA claim against you is significantly weaker than if your access had been formally revoked before you logged in.

Criminal CFAA charges are brought by federal prosecutors and can result in imprisonment, fines, and supervised release. Civil CFAA claims are brought by businesses or individuals who suffered damage and seek monetary recovery. A single unauthorized access event can give rise to both a criminal prosecution and a civil lawsuit, and they proceed on parallel tracks. The criminal case must be proven beyond a reasonable doubt while the civil case uses a preponderance of the evidence standard, meaning the civil plaintiff's burden is significantly lower.

Penalties under the CFAA range from one to ten years per count depending on the specific provision charged and the nature of the conduct. When wire fraud counts under 18 U.S.C. § 1343 are added, each count carries a maximum of 20 years. Aggravated identity theft under 18 U.S.C. § 1028A adds a mandatory two-year consecutive sentence per count that cannot be reduced by cooperation or judicial discretion. A case involving multiple access events, multiple victims, or multiple charged statutes can produce a combined sentencing exposure far exceeding what the CFAA alone would suggest.

Digital evidence in computer fraud cases includes server log files recording each access event, forensic images of seized devices, network traffic captures, metadata embedded in copied files, and communications recovered from email and messaging applications. The government assembles this evidence before the defendant knows an investigation is underway. Challenging digital evidence requires examining the chain of custody for forensic images, the methodology used to extract and interpret log data, and whether specific actions can be reliably attributed to the defendant rather than to a shared account or compromised device.

The civil statute of limitations under 18 U.S.C. § 1030(g) is two years from the date the claim accrues, which is typically the date the plaintiff knew or should have known of the unauthorized access and the resulting damage. This deadline applies independently of any parallel criminal investigation, meaning a business that discovers unauthorized access should evaluate its civil CFAA claim on its own timeline without waiting for a criminal prosecution to run its course. An attorney who handles cyber financial crime civil claims can identify the accrual date and assess whether the claim remains timely.