As computing technologies developed through the 1980s, Congress grappled with then-emerging computer crimes. Its efforts culminated in 1986 with the passage of the Computer Fraud and Abuse Act (CFAA). Between 1986 and 2008, CFAA was amended numerous times to update and expand the types of activities covered by the law.

CFAA is the primary Federal anti-hacking criminal statute. Generally, it prohibits the unauthorized access, or knowingly exceeding authorized access, to “protected computers.” This covers computers used by financial institutions, the Federal government, or those used in, or affecting interstate or foreign commerce and communication. In practice, a wide range of computing devices have come under its jurisdiction given the nature of internet communication and commerce. The CFAA also criminalizes the knowing or intentional transmission of malicious code, causing damage to a protected computer.

Different jurisdictions have interpreted the scope of ‘exceeding authorized access’ varyingly, with certain courts taking a broad view and others a more narrow approach. This has created a lack of clarity.