Chapter 4 ■ Laws, Regulations, and Compliance
modern type of crime was too far a stretch. Legislators responded by passing specific statutes that defined computer crime and laid out specific penalties for various crimes. In the following sections, we’ll cover several of those statutes.
The U.S. laws discussed in this chapter are federal laws. But keep in mind that almost every state in the union has also enacted some form of legislation regarding computer security issues. Because of the global reach of the internet, most computer crimes cross state lines and, therefore, fall under federal jurisdiction and are prosecuted in the federal court system. However, in some circumstances, state laws can be more restrictive than federal laws and impose harsher penalties.
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) was the first major piece of cybercrime-specific legislation in the United States. Congress had earlier enacted computer crime law as part of the Comprehensive Crime Control Act (CCCA) of 1984, but CFAA was carefully written to exclusively cover computer crimes that crossed state boundaries to avoid infringing on states’ rights and treading on thin constitutional ice. The major provisions of the original CCCA made it a crime to perform the following:
■ Access classified information or financial information in a federal system without authorization or in excess of authorized privileges
■ Access a computer used exclusively by the federal government without authorization
■ Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to gain use of the computer itself)
■ Cause malicious damage to a federal computer system in excess of $1,000
■ Modify medical records in a computer when doing so impairs or may impair the examination, diagnosis, treatment, or medical care of an individual
■ Traffic in computer passwords if the trafficking affects interstate commerce or involves a federal computer system
When Congress passed the CFAA, it raised the threshold of damage from $1,000 to $5,000 but also dramatically altered the scope of the regulation. Instead of merely covering federal computers that processed sensitive information, the act was changed to cover all “federal interest” computers. This widened the coverage of the act to include the following:
■ Any computer used exclusively by the U.S. government
■ Any computer used exclusively by a financial institution
■ Any computer used by the government or a financial institution when the offense impedes the ability of the government or institution to use that system
■ Any combination of computers used to commit an offense when they are not all located in the same state