Federal Computer Crimes and CFAA Charges: Authorization, Loss, and the Sentencing Traps

February 28, 2026

Federal computer crime cases are not primarily about dramatic intrusions. They are paper trail cases with technical definitions, intent requirements, and sentencing math that bears little resemblance to what most people picture when they hear the words “computer fraud.”

The primary federal statute, 18 U.S.C. 1030, commonly called the Computer Fraud and Abuse Act, covers a wide range of conduct: unauthorized access to protected systems, computer fraud, damage caused by transmitting malicious code, trafficking in access credentials, trespassing on government systems, and extortion tied to protected computers. That breadth is why these cases reach ordinary people in ordinary workplaces. A login used after employment ended, a database accessed without proper authorization, a script run without approval, or credentials shared informally can become the foundation of a federal investigation. The sentencing exposure often depends less on what the defendant thought they were doing and more on how the government frames authorization, loss, and applicable enhancements.

This post applies equally to executives and professionals, employees and contractors, IT staff, students, and anyone swept into a larger investigation where computers are part of the story.

Retain Counsel Before You Speak

Computer crime cases are built on intent, access logs, messages, and the narrative you provide about why you did what you did. The first interview is often the government’s cleanest opportunity to lock in an admission on authorization, motive, or scope. If you speak before understanding the government’s theory, you are providing an account that will be tested against technical records you have not reviewed.

Do not speak to federal agents without retaining counsel first. Do not consent to device searches or account access without legal advice. If agents have contacted you, if you received a subpoena, or if you believe your devices or accounts are under scrutiny, call for a consultation before answering any questions.

What the CFAA Actually Covers

Section 1030 criminalizes several distinct categories of conduct, each with its own elements, penalties, and defenses. Computer espionage covers unauthorized access to protected information with willful communication or retention of that information with reason to believe it could harm the United States or benefit a foreign nation. Unauthorized access to information covers obtaining information from financial records, government systems, or any protected computer without authorization. Computer fraud requires unauthorized access to a protected computer with intent to defraud, in furtherance of that fraud, and obtaining something of value. Damage or loss by transmission covers intentionally or recklessly causing damage to a protected computer through code, programs, or commands, as well as damage caused by unauthorized access itself. Password trafficking covers dealing in access credentials with intent to defraud in certain contexts. Computer extortion covers threats or demands tied to causing damage or obtaining unauthorized access to protected systems. The statute also criminalizes attempts and conspiracies to commit each of these offenses.

The point is not to memorize the categories but to understand that the government chooses the theory that best fits the story it wants to tell, and different theories carry different elements and different exposure.

“Computer” and “Protected Computer” Are Broader Than You Think

Federal law defines computer broadly enough to include cell phones and devices with data processors. Cloud servers qualify. Almost every networked device in modern use falls within the statute’s reach. A “protected computer” is similarly expansive. It includes computers used by or for the United States government or a financial institution, and computers used in or affecting interstate or foreign commerce or communication. In practice, nearly every modern networked system qualifies because interstate communication is routine. People underestimate federal jurisdiction in computer cases by assuming the conduct is local. The statute generally does not see it that way.

Authorization Is the Central Battlefield

The majority of CFAA prosecutions rise or fall on the authorization question, and the Supreme Court’s decision in Van Buren v. United States is now the governing standard.

The statute defines “exceeds authorized access” as accessing a computer with authorization and then obtaining or altering information you are not entitled to obtain or alter. Van Buren drew a critical line: the statute covers people who access areas of a computer, files, or databases that are off limits to them, but it does not cover people who have improper motives for accessing information they are otherwise permitted to obtain. Having bad intentions for a legitimate access does not make the access unauthorized under Van Buren.

That distinction matters enormously in workplace cases. Someone who had access to some systems but not others, who used a credential after their authorization was revoked, or who accessed a personnel file or financial record beyond their designated access, presents a cleaner government case than someone who accessed permitted information for an improper purpose. The defense in many of these cases turns on system architecture, access control policies, how authorization was defined and communicated, and whether the defendant had notice that the specific access was off limits. Notice, policies, and the clarity of access restrictions are not background details. They are often the core of the case.

Penalties Range From Minor to Catastrophic

One of the most dangerous assumptions in computer cases is that the charge category determines the severity. It does not. Criminal penalties under the CFAA range from misdemeanor exposure to life imprisonment depending on the subsection and the circumstances. Unauthorized access to obtain information can be a one-year offense under some circumstances and a five-year offense under others, depending on factors like commercial advantage, private financial gain, or the value of information obtained. Damage cases can be far more serious, with penalties that vary dramatically based on the nature and consequences of the damage, including whether critical infrastructure was affected.

The right question is not “is this a computer case.” It is what theory the government is using, what aggravating factors are being attached, and where the actual sentencing exposure sits after enhancements are calculated.

Sentencing Is Often Where These Cases Are Really Decided

Most federal computer fraud cases are sentenced under Guideline 2B1.1, the main fraud guideline used across many white-collar offenses. That means computer crime sentencing is heavily driven by loss, number of victims, and specific offense characteristics that stack quickly.

Loss under the guidelines for CFAA offenses is calculated broadly. It includes not only the value of what was taken but also costs to victims of responding to the offense, conducting damage assessments, restoring systems, and revenue lost due to service interruptions. This is why a case can involve a relatively modest direct theft but produce a loss calculation that drives the guideline range into a significantly higher tier. The government does not just count what the defendant gained. It counts what the victim spent responding.

Several enhancements appear regularly in computer cases. Sophisticated means is one, and courts evaluate the totality of the scheme rather than requiring that each individual step be technically complex. A coordinated series of ordinary steps can qualify. Enhancements tied to unauthorized access devices apply when usernames, passwords, or access credentials are involved, which is most computer cases. Enhancements for personal information apply when the offense involved intent to obtain sensitive private information including financial records, private correspondence, or personal photographs. Critical infrastructure disruptions carry major enhancements when the offense substantially affects systems vital to national defense, public health, or economic security.

Statements made to agents can become the hook for several of these enhancements. Admissions about what you were looking for, how you obtained credentials, or the scope of a disruption can supply enhancement facts the government could not otherwise cleanly establish.

Abuse of Trust and Special Skill Adjustments

Computer cases frequently involve defendants who had legitimate access to systems as part of their job or professional role. Courts regularly apply the abuse of position of trust adjustment when a defendant had discretionary access and used that position to facilitate or conceal the offense. Employees, contractors, IT staff, and consultants with privileged access are the most common targets of this adjustment. The special skill adjustment also appears in computer cases, though courts have reached different conclusions about when self-taught computer skills qualify. The question is not whether the defendant considers themselves technically sophisticated. It is whether the government can characterize their knowledge as an aggravating factor that warrants a higher guideline range.

What to Do When Agents Contact You

Do not attempt to manage the first contact informally. The instinct to explain the legitimate purpose behind your access, to describe what you were actually trying to accomplish, or to demonstrate that no real harm was done can hand the government the intent and scope admissions it needs before you understand the theory.

Do not delete messages, wipe devices, reset accounts, or reorganize files in response to learning of federal interest. Those actions create parallel obstruction exposure that can be significantly worse than the underlying computer charge. Early defense work in a CFAA case focuses on identifying the specific statute and theory being pursued, analyzing the technical access records and authorization framework, understanding the government’s loss calculation and its vulnerabilities, and building a factual and legal record before the government’s narrative hardens.

The Bottom Line on Federal Computer Crimes

CFAA cases are technical, they are not limited to traditional hacking scenarios, and they are often decided by how authorization is characterized, how loss is measured, and which enhancements can be attached to the conduct. The first interview is the government’s best opportunity to collect the admissions that answer those questions. Retaining counsel before that interview is the single most important protective step.

If federal agents have contacted you, you received a subpoena, or you suspect you are being investigated for unauthorized access, computer fraud, credential trafficking, system damage, or extortion involving protected computers, speak with a lawyer before you speak with the government. Call Glozman Law for a consultation.

Disclaimer: This article is for general informational purposes only and does not constitute legal advice. Reading this article does not create an attorney-client relationship. Every situation is different, and computer crime exposure depends heavily on specific facts including authorization rules, technical access pathways, and loss calculations. If federal agents have contacted you, you have received a subpoena, or you are concerned about potential exposure, you should speak with a qualified attorney about your specific circumstances before making any decisions or speaking with law enforcement.