JOHN T. FLOYD LAW FIRM
Federal Criminal Defense Lawyer
Computer Crimes
I. Introduction: Legislative Reform
State and federal investigations related to computer crimes are on the rise.
First, a computer may be the target of the offense. In these cases, the goal is to steal information from, or cause damage to, a computer, computer system, or computer network. Second, the computer may be a tool of the offense. This occurs when an individual uses a computer to facilitate some traditional offense such as fraud (e.g., a bank teller who once stole money from a cash drawer may now use a computer program to skim money directly from depositors' accounts). Last, computers are sometimes incidental to the offense, but significant to law enforcement because they contain evidence of a crime.
Although certain computer crimes appear simply to be old crimes committed in new ways (e.g., the bank teller who uses a computer program to steal money is still committing bank fraud), some computer offenses find their genesis in our new technologies and must be specifically addressed by statute. For example, the widespread damage caused by inserting a virus into a global computer network cannot be prosecuted adequately by relying upon common law criminal mischief statutes. Indeed, it is questionable whether Robert Morris, the individual responsible for launching the Morris worm and crippling 6,000 computers around the world, could have been prosecuted had Congress not had the foresight to enact the Computer Fraud and Abuse Act.
Whether classified as "old" or "new," computer crime creates unique problems for law enforcement and the lawyers working on both sides of the case. The most significant legislative problems stem from technology's shift from a corporeal to an intangible environment. This departure from a physical world (where items are stored in a tangible form that can be carried, such as information written on paper) to an intangible, electronic environment means that computer crimes (and the methods used to investigate them) are no longer subject to traditional rules and constraints.
In the information age, of course, these limitations no longer apply. A person seeking information stored in a networked computer with dial-in access can acquire that information from virtually anywhere in the world. The quantity of information stolen or the amount of damage caused by malicious programming code may be limited only by the speed of the network and the criminal's computer equipment. Moreover, such conduct can easily occur across state and national borders.
This clear shift to a borderless, incorporeal environment and the increased risk that information will be stolen and transported in electronic form is difficult to address by relying upon older laws written to protect physical property.
II. Specific Amendments: Protecting the Confidentiality, Integrity, and Availability of Systems and Information
A. Section 1030(a)(1)
Title 18, Section 1030(a)(1) originally provided that anyone who knowingly accesses a computer without authorization or exceeds authorized access and obtains classified information "with the intent or reason to believe that such information so obtained is to be used to the injury of the United States, or to the advantage of any foreign nation" is subject to a fine or imprisonment for not more than ten years (for a first offense). 18 U.S.C. § 1030(a)(1) (emphasis added). This scienter element apparently was included when this subsection was originally drafted because it is contained in 18 U.S.C. § 794(a). Section 794(a), however, provides for life imprisonment, whereas § 1030(a)(1) is only a ten-year felony. Therefore, it is more appropriate that the language of § 1030(a)(1) should track the language of 18 U.S.C. § 793(e), which also provides a maximum penalty of ten years' imprisonment for obtaining from any source certain information connected with the national defense and thereafter communicating or attempting to communicate it in an unauthorized manner.
It should be noted that, although there is considerable overlap between § 793(e) and § 1030(a)(1) as amended, the two statutes do not reach exactly the same conduct. Section 1030(a)(1) would require proof that the individual knowingly used a computer without authority, or in excess of authority, for the purpose of obtaining classified information or restricted data, and subsequently performed some unauthorized communication or other improper act. In this sense then, it is the use of the computer which is being proscribed, not the unauthorized possession of, control over, or subsequent transmission of the information itself. Existing espionage laws would provide an adequate basis for the prosecution of individuals who attempt to peddle governmental secrets to foreign governments. However, a person who deliberately breaks into a computer for the purpose of obtaining properly classified or restricted information, or attempts to do so, should be subject to criminal prosecution for this conduct.
B. Section 1030(a)(2)
Subsection (a)(2) is, in the truest sense, a provision designed to protect the confidentiality of computer data. As was noted in 1986 by the Senate Judiciary Committee,
[t]he premise of 18 U.S.C. 1030(a)(2) will remain the protection, for privacy reasons, of computerized credit records and computerized information relating to customers' relationships with financial institutions. . . . Because the premise of this subsection is privacy protection, the Committee wishes to make clear that 'obtaining information' in this context includes mere observation of the data.
S. Rep. No. 99-432 at 6.
With the continued evolution of the National Information Infrastructure (NII), however, Congress has come to recognize that not only financial records and credit information warrant federal protection. As noted in the commentary to the Draft Principles, "with the NII, the assumption is that large amounts of sensitive information will be on line, and can be accessed, perhaps without authority, by a large number of network users." 59 Fed. Reg. at 27207. Moreover, "the NII will only achieve its full potential if individual privacy is properly protected." Id. Therefore, the new subsection 1030(a)(2) is designed to insure that it is punishable to misuse computers to obtain government information and, where appropriate, information held by the private sector. Moreover, the provision has been restructured so that different paragraphs protect different types of information, thus allowing easy additions or modifications to offenses if events require.
Certainly not all computer misuse warrants federal criminal sanctions. The problem is that no litmus test can accurately segregate important from unimportant information, and any legislation may therefore be under- or over-inclusive. For example, a frequent test for determining the appropriateness of federal jurisdiction--a monetary amount--does not work well when protecting information. The theft from a computer of a judge's draft opinion in a sensitive case or the copying of medical records might not meet such a monetary threshold, but clearly such information should be protected. Therefore, the act of taking all of this kind of information is now criminalized. Even so, it is important to remember that the elements of the offense include not just taking the information, but abusing one's computer authorization to do so.
The need to protect information is highlighted by recent studies indicating that people are increasingly misusing computers to obtain information. In 1993, the General Accounting Office (GAO) presented testimony before the House Government Operations Committee, Subcommittee on Information, Justice, Agriculture, and Transportation, on the abuse of National Crime Information Center (NCIC) information. The testimony stated that, following an investigation, GAO determined that (1) NCIC information is valuable, (2) such information has been misused by "insiders" (individuals with authorized access), (3) this misuse included selling NCIC information to outsiders and determining whether friends and relatives had criminal records, and (4) incentives for misuse outweighed potential penalties. Statement of Laurie E. Ekstrand, July 28, 1993, p. 6 [hereinafter "Ekstrand Statement"]. The GAO found that some of this misuse jeopardized the safety of citizens and potentially jeopardized law enforcement personnel. Id. at 16. Moreover, because there were no federal or state laws specifically directed at NCIC misuse, most abusers of NCIC were not criminally prosecuted. Id. at 17. GAO concluded that Congress should enact legislation with strong criminal sanctions specifically directed at the misuse of NCIC. Id. at 20.
Of course, protecting only NCIC data (or, more broadly, criminal history information), would be underinclusive, because other types of sensitive data are clearly at risk. For example, during Operation Desert Storm, it was widely reported that hackers accessed sensitive but unclassified data regarding personnel performance reports, weapons development information, and logistics information regarding the movement of equipment and personnel. Teen tapped computers of U.S. military, Chicago Tribune, November 21, 1991 at 3. NASA computers have also been penetrated, Computer Hacker Charged with Entering NASA System, Washington Post, September 26, 1991 at A20, as have at least two federal courthouse computer systems. See, e.g., U.S. Says Hackers Scanned Data, The New York Times, November 15, 1992, at A40. Some Internal Revenue Service employees also improperly used IRS computers to examine tax return information. I.R.S. Staff Is Cited in Snoopings, The New York Times, July 19, 1994, at D1, D5.
Clearly, the government should be able to prosecute individuals who obtain government information by misusing computers. Importantly, 18 U.S.C. § 1030(a)(2), as amended, does not punish the mere acquisition of information (which might unduly impede the free flow of ideas), but prohibits intentionally accessing a computer without or in excess of authority and then obtaining such information. Moreover, to the extent that the information obtained is or should be available, it should be obtained through legal means (e.g., public sources or FOIA) and not through hacking.
Subsection 1030(a)(2)(C) is designed to protect against the interstate or foreign theft of information by computer. Such a provision is necessary in light of the Tenth Circuit's decision in United States v. Brown, 925 F.2d 1301, 1308 (10th Cir. 1991), where the court held that purely intangible intellectual property, such as a computer program, cannot constitute goods, wares, merchandise, securities, or moneys which have been stolen, converted, or taken within the meaning of § 2314. "Information" as used in this subsection is meant to be broadly construed and includes information stored in intangible form. Moreover, consistent with Congress's prior construction of § 1030(a)(2), "obtaining information" includes merely reading it; i.e., there is no requirement that the information be copied or transported. This is critically important because, in an electronic environment, information can be "stolen" without asportation, and the original usually remains intact.
Some computers may qualify under more than one subsection of § 1030(a)(2); for example, a particular government computer might be covered by both § 1030(a)(2)(B) and (a)(2)(C). This overlap serves to eliminate legal issues that might have arisen had Congress made the provisions mutually exclusive. Conceivably, in a given case, it may not be clear whether information taken from a government contractor's computer constitutes "information from any department or agency of the United States" under § 1030(a)(2)(B), but the offense might still be chargeable under § 1030(a)(2)(C) if the elements of that subsection are satisfied.
The seriousness of a breach in confidentiality depends, in considerable part, on either the value of the information or the defendant's motive in taking it. Thus, the statutory penalties are structured so that merely obtaining information of minimal value is only a misdemeanor, but certain aggravating factors make the crime a felony. More specifically, the crime becomes a felony if the offense was committed for purposes of commercial advantage or private financial gain, for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State, or if the value of the information obtained exceeds $5,000.
As for enhancements not based on the value of the property obtained, recent documented cases indicate that individuals misuse information for a variety of unacceptable purposes. The terms "for purposes of commercial advantage or private financial gain" and "for the purpose of committing any criminal or tortious act" are taken from the copyright statute (17 U.S.C. § 506(a)) and wiretap statute (18 U.S.C. § 2511(1)(d)) respectively.
As for the monetary threshold, any reasonable method can be used to establish the value of the information obtained. For example, the research, development, and manufacturing costs, or the value of the property "in the thieves' market," can be used to meet the $5,000 valuation. See, e.g., United States v. Stegora, 849 F.2d 291, 292 (8th Cir. 1988).
The relationship between the existing § 1030(a)(3) provision and the newly amended § 1030(a)(2) merits some discussion. Section 1030(a)(3) protects the computer from outsiders, even if the hacker obtains no information. Thus, an intruder who violates the integrity of a government machine to gain network access is nonetheless liable for trespass even when he has not jeopardized the confidentiality of data. Section 1030(a)(2), on the other hand, protects the confidentiality of data, even from intentional misuse by insiders. Additionally, although a first violation of § 1030(a)(3) is always a misdemeanor, a § 1030(a)(2) violation may constitute a felony if the information taken is valuable or sufficiently misused. See § 1030(c)(2)(B) (raising the offense to felony level based upon the value or intended use of the improperly acquired data). Although a single act may violate both provisions, the provisions protect against different harms and, in any event, the actor's conduct would be aggregated for the purposes of sentencing.
C. Subsection 1030(a)(3)
Three substantive changes were made to § 1030(a)(3). First, the word "adversely" has been deleted because including this term suggests, inappropriately, that trespassing in a government computer may be benign.
Second, for clarity, the term "the use of the Government's operation of such computer" has been replaced with the term "that use by or for the Government of the United States." When a computer is used for the government, the government is not necessarily the operator, and the old term may have led to confusion. Consistent with this change, a similar change was made to the definition of "federal interest computer" (redesignated as "protected computer") in § 1030(e)(2)(A). Third, Congress inserted "non-public" to modify "computer of a department or agency of the United States." This change is intended to reflect the growing use of the Internet by government agencies and, in particular, the establishment of World Wide Web home pages and other public services. Arguably, a person charged under the old subsection (a)(3) might have asserted as a defense that he was not "without authorization to access any computer of a department or agency of the United States," because he was authorized to access some publicly available computer of that department or agency, such as a Web site. While this defense would almost have negated the law and thus defied a common-sense interpretation of the former law, Congress added the word "non-public" to make it perfectly clear that a person who has no authority to access any non-public computer of a department or agency may be convicted under (a)(3) even though permitted to access publicly available computers.
D. Subsection 1030(a)(4)
Subsection 1030(a)(4) has been amended to insure that felony level sanctions apply when unauthorized use of the computer (or use exceeding authorization) is significant. At the time the "computer use" exception was originally crafted, the Senate Judiciary Committee noted that:
[T]he mere use of a computer or computer service has a value all its own. Mere trespasses onto someone else's computer system can cost the system provider a "port" or access channel that he might otherwise be making available for a fee to an authorized user. At the same time, the Committee believes it is important to distinguish clearly between acts of fraud under (a)(4), punishable as felonies, and acts of simple trespass, punishable in the first instance as misdemeanors. That distinction would be wiped out were the Committee to treat every trespass as an attempt to defraud a service provider of computer time.
S. Rep. No. 99-432, 99th Cong., 2d Sess. 10 (1986). See also H.R. Rep. No. 99-612, 99th Cong., 2d Sess. 12 (1986).
Although Congress retains the concern about converting every trespass into a felony scheme to defraud, this new amendment clearly recognizes that a blanket exception for computer use may be too broad. Hackers, for example, have broken into Cray supercomputers for the purpose of running password cracking programs, sometimes amassing computer time worth far in excess of $5,000. In light of the large expense to the victim caused by some of these trespassing incidents, it is more appropriate to except from the felony provisions of subsection 1030(a)(4) only cases involving no more than $5,000 of computer use during any one-year period.
E. Subsection 1030(a)(5)
Subsection 1030(a)(5) was completely restructured in 1994, but the 1994 law may have had some unintended consequences. Most notably, certain government and financial institution computers may have been denied previously existing federal protection; some hacking activities may have been inappropriately decriminalized; and certain insider conduct may have been inappropriately criminalized.
In the 1994 amendments, the reach of this subsection was broadened by replacing the term "federal interest computer" with the term "computer used in interstate commerce or communications." The latter term is broader because the old definition of "federal interest computer" in 18 U.S.C. § 1030(e)(2)(B) covered a computer "which is one of two or more computers used in committing the offense, not all of which are located in the same State." This meant that a hacker who attacked other computers in the same state was not subject to federal jurisdiction, even when these actions may have severely affected interstate or foreign commerce. For example, individuals who attack telephone switches may disrupt interstate and foreign calls. The 1994 change remedied that defect.
However, the definition of federal interest computer actually covered more than simply interstate activity. More specifically, 18 U.S.C. § 1030(e)(2)(A) covered, generically, computers belonging to the United States Government or financial institutions, or those used by such entities on a non-exclusive basis if the conduct constituting the offense affected the Government's operation or the financial institution's operation of such computer. By changing § 1030(a)(5) from "federal interest computer" to "computer used in interstate commerce or communications," Congress may have inadvertently eliminated federal protection for those government and financial institution computers not used in interstate communications. For example, the integrity and availability of classified information contained in an intrastate local area network may not have been protected under the 1994 version of 18 U.S.C. § 1030(a)(5), although its confidentiality continued to be protected under 18 U.S.C. § 1030(a)(1).
To remedy this situation in the 1996 Act, 18 U.S.C. § 1030(a)(5) was redrafted to cover any "protected computer," a new term defined in § 1030(e)(2) and used throughout the new statute--in § 1030(a)(5), as well as in §§ 1030(a)(2), (a)(4), and the new (a)(7). The definition of "protected computer" includes government computers, financial institution computers, and any computer "which is used in interstate or foreign commerce or communications."
This broad definition addresses the original concerns regarding intrastate "phone phreakers" (i.e., hackers who penetrate telecommunications computers). It also specifically includes those computers used in "foreign" communications. With the continually expanding global information infrastructure, with numerous instances of international hacking, and with the growing possibility of increased global industrial espionage, it is important that the United States have jurisdiction over international computer crime cases. Arguably, the old definition of "federal interest computer" contained in 18 U.S.C. § 1030(e)(2) conferred such jurisdiction because the requirement that the computers used in committing the offense not all be located in the same state might be satisfied if one computer were located overseas. As a general rule, however, Congress's laws have been presumed to be domestic in scope only, absent a specific grant of extraterritorial jurisdiction. E.E.O.C. v. Arabian American Oil Co., 499 U.S. 244 (1991). To ensure clarity, the statute was amended to reference international communications explicitly.
Another concern with the 1994 version of 18 U.S.C. § 1030(a)(5) involved the overall statutory scheme. Under the 1986 version of subsection 1030(a)(5), the actor causing the harm must have been without authority to access the victim computer. As such, the provision never applied to insiders, although insiders are often responsible for intentionally causing computer damage. Indeed, the Justice Department was forced to decline prosecution in some cases where individuals intentionally inserted malicious programming code into computers, because those individuals were authorized to access the attacked system. The 1994 law, in contrast to the 1986 version, appropriately applied to both insiders and those without authorized access who intentionally caused damage.
Unfortunately, however, by eliminating the trespassing requirement, and at the same time requiring the government to prove that the actor either intentionally or recklessly caused damage, the 1994 law no longer punished a person who broke into a federal interest computer and "thereby caused loss." See 18 U.S.C. § 1030(a)(5) [1986 version]. Thus, the enactment of the 1994 legislation decriminalized some hacking and inadvertently sent the message that breaking into computers was acceptable so long as the actor neither intended nor recklessly caused damage. However, in these 1996 amendments, criminal liability for such behavior has been restored. This was clearly necessary in light of the increased importance of computer networks in today's society and the nation's considerable interest in creating a trusted national information infrastructure that insures the confidentiality, integrity, and availability of information and systems.
This problem, now corrected, arose because the 1986 and 1994 versions of section 1030(a)(5) defined improper conduct in completely different ways--the former by focusing only on the actor's authority to access the computer; the latter by considering solely the actor's intent. Of course, these two separate litmus tests each cover important aspects of criminal computer damage, but neither measure, taken alone, fully succeeds in describing the acts which should be criminal. For example, although those who intentionally damage a system should be punished regardless of whether they are authorized users, it is equally clear that anyone who knowingly invades a system without authority and causes significant loss to the victim should be punished as well, even when the damage caused is not intentional. In such cases, it is the intentional act of trespass that makes the conduct criminal. To provide otherwise is to openly invite hackers to break into computer systems, safe in the knowledge that no matter how much damage they cause, they commit no crime unless that damage was either intentional or reckless. Rather than send such a dangerous message (and deny victims any relief), it is better to insure that § 1030(a)(5) criminalizes all computer damage done by outsiders, as well as intentional damage by insiders, albeit at different levels of severity.
Conceptually, a comprehensive statutory scheme does not treat these two tests--mental state and authority to access--as mutually exclusive. Instead, it integrates them to cover all kinds of serious misconduct. Just as important, it recognizes that some behaviors are less serious, or should not be criminal offenses at all. For example, the 1994 law created a misdemeanor for reckless damage without distinguishing between trespassers and authorized users. Whether authorized users should ever be criminally liable for reckless damage is a debatable question. For example, it could be deemed reckless in today's computer environment to intentionally copy a file from a floppy diskette to a hard drive without first running a virus scan--although imposing criminal sanctions for such conduct is clearly inappropriate, absent other evidence of criminal intent. On the other hand, reckless trespassers warrant felony prosecutions, since they are unauthorized users who pose significant risks to computer systems. Thus, Congress has now chosen an approach that integrates access and authority tests in the following way:
Essentially, this new statute provides that individuals who access protected computers without authority are responsible for the consequences of their actions, but those accessing with authority are criminally liable only if they intend to cause damage to the victim.
Although subsections § 1030(a)(5)(B) and (a)(5)(C) require that the actor cause damage as a result of his or her unauthorized access, damages are not limited to those caused by the process of gaining illegal entry. Rather, all damage, whether caused while gaining access or after entry, is relevant.
Another concern with the 1994 law was that it required both "damage" and "loss," without clearly articulating what constituted "damage." For example, intruders often alter existing log-on programs so that user passwords are copied to a file which the hackers can retrieve later. After retrieving the newly created password file, the intruder restores the altered log-on file to its original condition. Arguably, in such a situation, neither the computer nor its information has been damaged. Nonetheless, the intruder's conduct allowed him to accumulate valid user passwords to the system, required all system users to change their passwords, and required the system administrator to devote resources to re-securing the system. Thus, although there may be no permanent "damage," the victim does suffer "loss." If the loss to the victim meets the required monetary threshold, the conduct should be criminal, and the victim should be entitled to relief.
As discussed further below, the term "damage" remains, but is now defined in 18 U.S.C. § 1030(e)(8). Consistent with the view that § 1030(a)(5) protects the integrity and availability of data and systems, "damage" means any impairment of those attributes. The statutory language avoids listing specific acts that can cause such impairment to insure that its coverage is suitably broad. For example, in the 1986 version, the terms "alters, damages or destroys information," were included, inadvertently raising new issues (e.g., whether encrypting data satisfies this test since the underlying original information remains unchanged). Rather than providing a list of prohibited actions and risk being underinclusive, the statute focuses instead on the harms it seeks to prevent.
This harm-based definition of "damage" can now be found in subsections 1030(e)(8)(A) through (D). As in the past, the term "damage" will require meeting one of several significant thresholds. Two of these measures survive from earlier versions of § 1030: the first is significant financial losses--although raised in these amendments from $1000 to $5000--[§ 1030(e)(8)(A)]; the second is potential impact on medical treatment [§ 1030(e)(8)(B)]. In addition, Congress has listed two new threshold harms in its definition of "damage": causing physical injury to any person [18 U.S.C. § 1030(e)(8)(c)] and threatening the public health or safety [18 U.S.C. § 1030(e)(8)(c)]. As the NII and other network infrastructures continue to grow, computers will increasingly be used for access to critical services such as emergency response systems and air traffic control, and will be critical to other systems that we cannot yet anticipate. Thus, any definition of "damage" must broadly encompass the types of harms against which people should be protected.
Having amended the structure of § 1030(a)(5), Congress needed to amend the civil penalty provision under § 1030(g). The subsection as amended provides that victims of computer abuse can maintain a civil action against the violator to obtain compensatory damages, injunctive relief, or other equitable relief, but damages are limited to economic damages for cases where the only damage suffered by the plaintiff is monetary loss as defined by § 1030(e)(8)(A).
F. Subsection 1030(a)(7)
New subsection (a)(7) is designed to respond to a growing problem: the interstate transmission of threats directed against computers and computer networks. Such threats, if accompanied by an intent to extort, may already be covered in some instances by the Hobbs Act, 18 U.S.C. § 1951, which applies to interference with commerce by extortion. They also may be covered in some instances by 18 U.S.C. § 875(d), which applies to interstate communication of a threat to injure the property of another. However, under both of these statutes, it is not absolutely clear that "property" includes the unimpaired operation of a computer or the unrestricted access to the data or programs stored in a computer and its peripheral equipment. Moreover, it is not clear that certain actions (such as encrypting someone's data and then demanding money for the key) constitute a threat to "injure the property of. . .another." See 18 U.S.C. § 875(d).
These concerns are not theoretical. In one recent case, for example, an individual threatened to crash a computer system unless he was granted access to the system and given an account. Another case involved an individual who penetrated a city government's computer system and encrypted the data on a hard drive, thus leading the victim to suspect an extortion demand was imminent. (This demand never came, however, and fortunately the victim was able to recover from the incident.) Although the number of such incidents is currently small, the explosion in network access has substantially increased the risk that such conduct will occur, and our nation's increased reliance on computers clearly suggests that such activities, if not deterred, will severely impair our ability to use the NII effectively. Moreover, since such extortion and threats will normally involve interstate and foreign communications, federal law enforcement needed a clear basis to address this new problem quickly.
It is worth noting that subsection (a)(7) covers any interstate or international transmission of threats against computers, computer networks, and their data and programs, whether the threat is received by mail, a telephone call, electronic mail, or through a computerized message service. The provision is worded broadly to cover threats to interfere in any way with the normal operation of the computer or system in question, such as denying access to authorized users, erasing or corrupting data or programs, or slowing down the operation of the computer or system. The extortion element is modeled after that in 18 U.S.C. §§ 875(b) and (d).
G. Sentencing Provisions: Subsection 1030(c)
The sentencing provisions of § 1030 have been altered to reflect the new statutory scheme and to address an old, technical error. As previously enacted, recidivists were only subject to enhanced penalties if they violated the same subsection twice. For example, if an individual violated the Act by committing fraud by computer [subsection (a)(4)] and later committed another computer crime offense by intentionally destroying medical records [subsection (a)(5)], he was not a recidivist because his conduct violated two separate subsections of § 1030. Congress has changed the statutory language to provide that anyone who is convicted twice of committing a computer offense will be subjected to enhanced penalties.
H. Jurisdiction: Subsection 1030(d)
Having created several new crimes in 18 U.S.C. § 1030, Congress needed to consider the jurisdictional grant in 18 U.S.C. § 1030(d). For some time, the Federal Bureau of Investigation and the United States Secret Service have shared concurrent jurisdiction over § 1030 based upon a Memorandum of Understanding. This new Act, by creating certain new crimes, does not alter any existing agreements, nor limit or alter an agency's "traditional" jurisdiction. Thus, there is new language in 18 U.S.C. § 1030(d) to ensure that the status quo is maintained. For example, the new 18 U.S.C. § 1030(a)(2)(C) addressed gaps in 18 U.S.C. § 2314 (interstate transportation of stolen property), and the new 18 U.S.C. § 1030(a)(7) addressed gaps in 18 U.S.C. § 1951 (the Hobbs Act) and 18 U.S.C. § 875 (interstate communications). All of these statutes are within the traditional jurisdiction of the FBI; therefore, 18 U.S.C. § 1030(d) did not extend to the United States Secret Service concurrent jurisdiction over these types of offenses, even when committed by computer. Subsections over which the Secret Service maintains concurrent jurisdiction are § 1030(a)(2)(A) and (B), (a)(3), (a)(4), (a)(5), and (a)(6).
§ 1029. Fraud and related activity in connection with access devices
(a) Whoever--
(1) knowingly and with intent to defraud produces, uses, or traffics in one or more counterfeit access devices;
(2) knowingly and with intent to defraud traffics in or uses one or more unauthorized access devices during any one-year period, and by such conduct obtains anything of value aggregating $1,000 or more during that period;
(3) knowingly and with intent to defraud possesses fifteen or more devices which are counterfeit or unauthorized access devices;
(4) knowingly, and with intent to defraud, produces, traffics in, has control or custody of, or possesses device-making equipment;
(5) knowingly and with intent to defraud effects transactions, with 1 or more access devices issued to another person or persons, to receive payment or any other thing of value during any 1-year period the aggregate value of which is equal to or greater than $1,000;
(6) without the authorization of the issuer of the access device, knowingly and with intent to defraud solicits a person for the purpose of--
(A) offering an access device; or
(B) selling information regarding or an application to obtain an access device;
(7) knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a telecommunications instrument that has been modified or altered to obtain unauthorized use of telecommunications services;
(8) knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a scanning receiver;
(9) knowingly uses, produces, traffics in, has control or custody of, or possesses hardware or software, knowing it has been configured to insert or modify telecommunication identifying information associated with or contained in a telecommunications instrument so that such instrument may be used to obtain telecommunications service without authorization; or
(10) without the authorization of the credit card system member or its agent, knowingly and with intent to defraud causes or arranges for another person to present to the member or its agent, for payment, 1 or more evidences or records of transactions made by an access device;
shall, if the offense affects interstate or foreign commerce, be punished as provided in subsection (c) of this section.
(b)(1) Whoever attempts to commit an offense under subsection (a) of this section shall be subject to the same penalties as those prescribed for the offense attempted.
(2) Whoever is a party to a conspiracy of two or more persons to commit an offense under subsection (a) of this section, if any of the parties engages in any conduct in furtherance of such offense, shall be fined an amount not greater than the amount provided as the maximum fine for such offense under subsection (c) of this section or imprisoned not longer than one-half the period provided as the maximum imprisonment for such offense under subsection (c) of this section, or both.
(c) Penalties.--
(1) Generally.--The punishment for an offense under subsection (a) of this section is--
(A) in the case of an offense that does not occur after a conviction for another offense under this section--
(i) if the offense is under paragraph (1), (2), (3), (6), (7), or (10) of subsection (a), a fine under this title or imprisonment for not more than 10 years, or both; and
(ii) if the offense is under paragraph (4), (5), (8), or (9) of subsection (a), a fine under this title or imprisonment for not more than 15 years, or both;
(B) in the case of an offense that occurs after a conviction for another offense under this section, a fine under this title or imprisonment for not more than 20 years, or both; and
(C) in either case, forfeiture to the United States of any personal property used or intended to be used to commit the offense.
(2) Forfeiture procedure.--The forfeiture of property under this section, including any seizure and disposition of the property and any related administrative and judicial proceeding, shall be governed by section 413 of the Controlled Substances Act, except for subsection (d) of that section.
(d) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section. Such authority of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.
(e) As used in this section--
(1) the term "access device" means any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument);
(2) the term "counterfeit access device" means any access device that is counterfeit, fictitious, altered, or forged, or an identifiable component of an access device or a counterfeit access device;
(3) the term "unauthorized access device" means any access device that is lost, stolen, expired, revoked, canceled, or obtained with intent to defraud;
(4) the term "produce" includes design, alter, authenticate, duplicate, or assemble;
(5) the term "traffic" means transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of;
(6) the term "device-making equipment" means any equipment, mechanism, or impression designed or primarily used for making an access device or a counterfeit access device;
(7) The term "credit card system member" means a financial institution or other entity that is a member of a credit card system, including an entity, whether affiliated with or identical to the credit card issuer, that is the sole member of a credit card system;
(8) the term "scanning receiver" means a device or apparatus that can be used to intercept a wire or electronic communication in violation of chapter 119 or to intercept an electronic serial number, mobile identification number, or other identifier of any telecommunications service, equipment, or instrument;
(9) the term "telecommunications service" has the meaning given such term in section 3 of title I of the Communications Act of 1934 (47 U.S.C. 153);
(10) the term "facilities-based carrier" means an entity that owns communications transmission facilities, is responsible for the operation and maintenance of those facilities, and holds an operating license issued by the Federal Communications Commission under the authority of title III of the Communications Act of 1934; and
(11) the term "telecommunication identifying information" means electronic serial number or any other number or signal that identifies a specific telecommunications instrument or account, or a specific communication transmitted from a telecommunications instrument.
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States, or any activity authorized under chapter 224 of this title. For purposes of this subsection, the term "State" includes a State of the United States, the District of Columbia, and any commonwealth, territory, or possession of the United States.
(g)(1) It is not a violation of subsection (a)(9) for an officer, employee, or agent of, or a person engaged in business with, a facilities-based carrier, to engage in conduct (other than trafficking) otherwise prohibited by that subsection for the purpose of protecting the property or legal rights of that carrier, unless such conduct is for the purpose of obtaining telecommunications service provided by another facilities-based carrier without the authorization of such carrier.
(2) In a prosecution for a violation of subsection (a)(9), (other than a violation consisting of producing or trafficking) it is an affirmative defense (which the defendant must establish by a preponderance of the evidence) that the conduct charged was engaged in for research or development in connection with a lawful purpose.
(h) Any person who, outside the jurisdiction of the United States, engages in any act that, if committed within the jurisdiction of the United States, would constitute an offense under subsection (a) or (b) of this section, shall be subject to the fines, penalties, imprisonment, and forfeiture provided in this title if--
(1) the offense involves an access device issued, owned, managed, or controlled by a financial institution, account issuer, credit card system member, or other entity within the jurisdiction of the United States; and
(2) the person transports, delivers, conveys, transfers to or through, or otherwise stores, secrets, or holds within the jurisdiction of the United States, any article used to assist in the commission of the offense or the proceeds of such offense or property derived therefrom.
§ 1030. Fraud and related activity in connection with computers
(a) Whoever--
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)(A)(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if--
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer;
shall be punished as provided in subsection (c) of this section.
(b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
(c) The punishment for an offense under subsection (a) or (b) of this section is--
(1)(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if--
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000;
(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3)(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(4)(A) a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section.
(d)(1) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section.
(2) The Federal Bureau of Investigation shall have primary authority to investigate offenses under subsection (a)(1) for any cases involving espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service pursuant to section 3056(a) of this title.
(3) Such authority shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.
(e) As used in this section--
(1) the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
(2) the term "protected computer" means a computer--
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
(3) the term "State" includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States;
(4) the term "financial institution" means--
(A) an institution with deposits insured by the Federal Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit Union Administration;
(D) a member of the Federal home loan bank system and any home loan bank;
(E) any institution of the Farm Credit System under the Farm Credit Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and
(I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act.
(5) the term "financial record" means information derived from any record held by a financial institution pertaining to a customer's relationship with the financial institution;
(6) the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
(7) the term "department of the United States" means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5;
(8) the term "damage" means any impairment to the integrity or availability of data, a program, a system, or information;
(9) the term "government entity" includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any state, province, municipality, or other political subdivision of a foreign country;
(10) the term "conviction" shall include a conviction under the law of any State for a crime punishable by imprisonment for more than 1 year, an element of which is unauthorized access, or exceeding authorized access, to a computer;
(11) the term "loss" means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and
(12) the term "person" means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity.
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under subsection (a)(5).

