CFAA Charge Subsection Spotter
The Computer Fraud and Abuse Act (18 USC 1030) has seven subsections, each targeting different conduct. This tool identifies the likely subsection charged based on the conduct, examines the $5,000 loss threshold for felony-level charging, and evaluates Van Buren authorization-scope issues after the 2021 Supreme Court ruling.
Cite this tool
Bluebook: Reggie London & Njeri London, CFAA Charge Subsection Spotter, L&L Law Group (May 31, 2026), https://landllawgroup.com/tools/cfaa-charge-subsection-spotter/.
APA: London, R., & London, N. (2026, May 31). CFAA Charge Subsection Spotter. L&L Law Group.
The 7 Subsections of 18 USC 1030 — What Each Targets
The Computer Fraud and Abuse Act, codified at 18 U.S.C. §1030, criminalizes seven distinct categories of computer-related conduct. Each subsection has its own elements, mens rea requirement, and grading scheme. Understanding which subsection the government is charging — and which it could have charged instead — is the first move in any CFAA defense.
| Subsection | Conduct Targeted | Mens Rea | Default Grade |
|---|---|---|---|
| §1030(a)(1) | Accessing computer to obtain national security or restricted data and willfully delivering or retaining it | Knowing + willful | Felony (up to 10 years) |
| §1030(a)(2) | Intentionally accessing without authorization (or exceeding authorized access) and obtaining information — the broadest CFAA charge | Intentional | Misdemeanor unless enhanced |
| §1030(a)(3) | Intentionally accessing a nonpublic government computer without authorization | Intentional | Misdemeanor unless repeat |
| §1030(a)(4) | Knowingly and with intent to defraud accessing a protected computer and obtaining anything of value | Knowing + fraudulent intent | Felony (up to 5 years) |
| §1030(a)(5)(A) | Knowingly causing the transmission of code/command that intentionally damages a protected computer | Knowing + intentional damage | Felony (up to 10 years) |
| §1030(a)(5)(B) | Intentionally accessing without authorization and recklessly causing damage | Intentional access, reckless damage | Misdemeanor or felony |
| §1030(a)(5)(C) | Intentionally accessing without authorization and causing damage and loss | Intentional access, negligent damage | Misdemeanor |
| §1030(a)(6) | Knowingly trafficking in passwords or similar information through which a computer may be accessed without authorization | Knowing + intent to defraud | Misdemeanor unless enhanced |
| §1030(a)(7) | Transmitting threats to damage a protected computer or extort money or thing of value | Intent to extort | Felony (up to 5 years) |
Prosecutors typically charge the subsection that best fits the conduct and that yields the strongest sentencing exposure. The (a)(2), (a)(4), and (a)(5) trio account for the vast majority of CFAA prosecutions. The (a)(1) and (a)(3) subsections are reserved for national-security and government-computer cases. The (a)(6) trafficking subsection is often paired with (a)(2) or (a)(4) when the conduct involves selling or distributing access credentials.
The "Protected Computer" Definition — §1030(e)(2)
Most CFAA subsections require access to a "protected computer." That term is defined broadly in 18 U.S.C. §1030(e)(2) to include any computer used in or affecting interstate or foreign commerce or communication, any computer used by a financial institution or the United States government, and any computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.
In practical effect, any computer connected to the internet is a "protected computer" for CFAA purposes. Courts have held that the jurisdictional hook is satisfied by ordinary email, web browsing, or interstate data transmission. This breadth has been criticized but remains the controlling reading. The result is that the CFAA reaches almost any computer-related conduct that touches interstate commerce — which is to say, nearly all of it.
"Without Authorization" vs "Exceeding Authorized Access" — Van Buren v. United States
The single most important development in CFAA law in the last decade is Van Buren v. United States, 593 U.S. 374 (2021). The Supreme Court resolved a circuit split on the meaning of "exceeds authorized access" — a phrase that appears in §1030(a)(2) and §1030(a)(4). The Court held, in a 6-3 decision authored by Justice Barrett, that the phrase covers only conduct where the user accesses files, folders, databases, or other areas of a computer that they are not entitled to access at all. It does not cover misuse of information from areas the user was permitted to enter.
The Court adopted what it called a "gates-up or gates-down" inquiry. The question is: was the gate to that part of the system open to the user, or closed? If the gate was open and the user walked through it, the access is authorized — even if the user then used the information for a forbidden purpose. If the gate was closed and the user picked the lock or climbed over the fence, the access exceeds authorization.
The Van Buren ruling does not eliminate CFAA prosecutions. The government can still charge conduct involving stolen credentials, bypassed access controls, gates that were clearly closed, and access by terminated employees whose authorization was revoked. But the broad "violation of usage policy equals exceeding access" theory is dead. Counsel should evaluate every CFAA charge through the gates-up or gates-down lens.
The $5,000 Loss Threshold — §1030(e)(11)
Several CFAA subsections grade as misdemeanors unless an enhancement applies. The most common enhancement is the $5,000-in-loss threshold. Section 1030(c)(4)(A)(i)(I) makes a §1030(a)(5) damage offense a felony if the offense caused (or would have caused) "loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value."
The statutory definition of "loss" is in 18 U.S.C. §1030(e)(11): "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service."
What counts:
- Forensic incident-response costs (internal IT time, outside consultants)
- Damage-assessment time and labor
- Restoration and remediation costs (rebuilding systems, restoring data)
- Lost revenue during the period of service interruption
- Consequential damages from the service interruption
What does not count: speculative future losses, the value of the data itself (apart from restoration cost), and losses that would have occurred regardless of the conduct. The $5,000 figure aggregates across victims over a one-year period — a useful prosecution tool but also a target for defense challenges where the government's loss calculation includes items outside the statutory definition.
Sentencing Under USSG §2B1.1 + Special Enhancements
CFAA offenses are sentenced under the United States Sentencing Guidelines. Most CFAA charges run through USSG §2B1.1, the general theft and fraud guideline. The base offense level is 6 or 7 depending on the statutory maximum, and the loss-table enhancements at §2B1.1(b)(1) add levels based on the amount of loss, which can quickly drive the guideline range upward.
Special enhancements relevant to CFAA cases include:
- Sophisticated means (§2B1.1(b)(10)) — adds 2 levels for sophisticated technical conduct
- Number of victims (§2B1.1(b)(2)) — adds 2 to 6 levels for 10, 50, or 250+ victims
- Stolen personally identifiable information (§2B1.1(b)(17)) — special table for PII and access devices
- Critical infrastructure — enhancements for conduct affecting public safety, healthcare, or critical infrastructure systems
- Abuse of position of trust (§3B1.3) — adds 2 levels for insider misconduct
For sentencing exposure on a specific guideline calculation, the Federal Sentencing Guidelines Calculator at /federal-sentencing-guidelines/ walks through the §2B1.1 loss table and Chapter 3 adjustments.
Texas State-Court Parallel — Penal Code §33.02 Breach of Computer Security
Texas state law has its own computer-crimes statute, Texas Penal Code §33.02 — Breach of Computer Security. The statute prohibits intentionally accessing a computer, computer network, or computer system without the effective consent of the owner. The grade depends on the aggregate amount involved and the conduct:
- Class B misdemeanor — no harm threshold
- Class A misdemeanor — aggregate amount less than $2,500
- State jail felony — aggregate amount $2,500 to less than $30,000, or access to a critical-infrastructure facility computer
- Third-degree felony — aggregate amount $30,000 to less than $150,000
- Second-degree felony — aggregate amount $150,000 to less than $300,000
- First-degree felony — aggregate amount $300,000 or more, or access to a government computer used in administration of justice or critical infrastructure
Texas Penal Code §33.022 — Electronic Access Interference — adds a separate Class B misdemeanor for intentional interruption or suspension of access to a computer or network. Texas has not adopted a state-law analog to Van Buren, and the "effective consent" element under §33.02 can be litigated on similar theories of authorization scope.
Federal and state charges are not mutually exclusive. The same conduct can support both a CFAA prosecution in federal district court and a §33.02 prosecution in Texas state court. Counsel must coordinate defense strategy across both forums when the conduct could be charged in either.
Frequently Asked Questions
Is using a coworker's password a CFAA violation?
It can be. Using someone else's credentials to access a computer system typically constitutes access "without authorization" under 18 USC 1030. Even if the coworker gave permission, the employer's policies and the system owner's authorization scope control. After Van Buren v. United States, 593 U.S. 374 (2021), the analysis focuses on whether the user accessed areas of the system they were not authorized to enter at all, rather than whether they violated a usage policy in an area they could access. Password-sharing prosecutions remain viable where the credentials belonged to a separate user account with different authorization scope, where the coworker lacked authority to delegate access, or where the system's terms unambiguously forbade credential sharing.
What is "authorized access" after Van Buren?
In Van Buren v. United States, 593 U.S. 374 (2021), the Supreme Court held that "exceeds authorized access" under the CFAA refers only to accessing files, folders, databases, or other areas of a computer that are off-limits to the user. It does not cover misuse of information the user was authorized to obtain. The Court adopted a "gates-up or gates-down" inquiry: if the gate to that part of the system was open to you, accessing it is not a CFAA violation even if you used the information for an improper purpose. The Van Buren framework applies to §1030(a)(2) and §1030(a)(4) "exceeds authorized access" charges and informs the "without authorization" analysis by analogy. Lower courts have been working through how to apply the gates framework to specific scenarios including former-employee access, scraping, and password sharing.
What if no damage occurred?
Several CFAA subsections do not require damage. Section 1030(a)(2) (obtaining information) and §1030(a)(4) (fraud-based access) can be charged without any system damage. The (a)(5) family of charges does require damage, but the statutory definition in §1030(e)(8) is broad — "any impairment to the integrity or availability of data, a program, a system, or information." For most felony-level CFAA charging, the government must show $5,000 in "loss" under §1030(e)(11), which includes response costs and lost revenue, not just physical damage. A "no damage" defense to (a)(5) is sometimes paired with a "no loss" challenge to the $5,000 felony threshold to push the charging grade down to a misdemeanor or seek dismissal.
Can scraping public websites be a CFAA violation?
Generally no, after hiQ Labs v. LinkedIn (9th Cir.) and Van Buren v. United States. Scraping publicly available data from a website is not access "without authorization" because the information was not behind any access gate. The Supreme Court's gates-up or gates-down framing in Van Buren reinforces that public data scraping is generally outside the CFAA. The analysis can change if scraping requires bypassing a login, ignoring a cease-and-desist that imposes technical access restrictions, using stolen credentials, or evading IP blocks designed to limit access. Where the technical posture of the website is "open to everyone," CFAA liability is limited. Where the website has implemented an access control that the scraper bypassed, the analysis becomes fact-specific.
What is the difference between §1030(a)(2) and §1030(a)(4)?
Section 1030(a)(2) criminalizes intentionally accessing a computer without or in excess of authorization and obtaining information. It is the broadest CFAA subsection and the most commonly charged. Section 1030(a)(4) criminalizes accessing a protected computer without authorization, with intent to defraud, and obtaining anything of value (other than de minimis use of the computer). The (a)(4) charge requires fraudulent intent and is typically charged when the access was part of a larger fraud scheme. Statutory maxima differ: (a)(2) is generally a misdemeanor unless enhanced (felony exposure up to 5 years on enhancement), while (a)(4) is always a felony with a 5-year maximum. The government often charges both when the facts support both, then narrows at trial or in plea negotiations.