Federal CFAA Charges for IT Consultants (18 U.S.C. § 1030): Understanding Authorized Access and Legal Risk
What IT Consultants Need to Know About Federal Computer Hacking Laws
In the Computer Fraud and Abuse Act (CFAA), federal prosecutors can charge an IT consultant, penetration tester, or competitive intelligence specialist with computer fraud based on access that the client explicitly requested and the consultant genuinely believed was sanctioned.
The line between a thorough engagement and a federal felony is drawn around the concept of "authorized access," which is far less stable than most technical professionals realize.
When the DOJ decides that your methodology crossed a technical boundary, the intent behind your work ceases to matter.
To ensure you receive the best possible outcome for your case, you need a strong defense.
Eisner Gorin LLP is available to assist you in any type of computer crime allegation.
Please schedule your consultation by contacting us at (818) 781-1570 or through the contact form.
What the CFAA Prohibits
The CFAA was enacted in 1986 to address computer hacking, but Congress repeatedly expanded its scope.
Today, it applies not just to external attackers but also to insiders, contractors, and third-party consultants whose access rights are ambiguous or defined solely by a consulting agreement.
The three subsections most relevant to IT professionals:
- § 1030(a)(2): Intentionally accessing a protected computer without authorization, or exceeding authorized access, to obtain information. Most commonly charged against consultants who access systems outside their explicit engagement scope.
- § 1030(a)(4): Accessing a protected computer without authorization with the intent to defraud and obtain anything of value. The most dangerous provision is for consultants whose work produced a competitive advantage at a prior client's or employer's expense.
- § 1030(a)(5): Unauthorized access causing damage or loss. Relevant when penetration testing or assessment activity causes unintended system disruption.
Penalties for first offenses under the most commonly charged subsections range from five years in federal prison to ten years for repeat violations or when losses exceed statutory thresholds.
Nearly every computer connected to the internet qualifies as a “protected computer,” meaning federal jurisdiction attaches to almost any professional engagement involving networked systems.
Federal internet-based offenses are aggressively investigated by federal agencies such as the FBI, DHS, and IRS.
CFAA Penalty Chart (18 U.S.C. § 1030)
Below is a clear, structured chart outlining federal penalties associated with Computer Fraud and Abuse Act (CFAA) violations:
| Type of Offense | Description of Conduct | Charge Level | Potential Penalties |
|---|---|---|---|
|
Attempted Unauthorized Access |
Attempting to access a protected computer without completing the act |
Misdemeanor or Low-Level Felony |
Up to 1 year (misdemeanor) or up to 5 years (felony), fines |
|
Unauthorized Access to Obtain Information |
Accessing data without authorization or exceeding permitted access |
Felony |
Up to 5 years in federal prison (first offense), fines |
|
Access with Intent to Defraud |
Using unauthorized access to obtain value, financial data, or competitive advantage |
Felony |
Up to 5 years in prison (first offense), higher for repeat offenses |
|
Causing Damage or System Disruption |
Introducing malware, deleting data, or impairing system integrity or availability |
Felony |
Up to 10 years in prison depending on severity and loss |
|
Theft of Sensitive or Government Data |
Accessing confidential, proprietary, or national security information |
Felony |
Up to 10 years in prison, enhanced penalties possible |
|
Repeat Offenses |
Prior conviction under CFAA or related statutes |
Enhanced Felony |
Up to 20 years in federal prison, increased fines |
|
Conspiracy or Attempt |
Planning or attempting a CFAA violation without completion |
Misdemeanor or Felony |
Penalties aligned with underlying offense |
|
Civil Liability (18 U.S.C. § 1030(g)) |
Lawsuits filed by victims for damages or losses |
Civil Action |
Monetary damages, injunctive relief, legal costs |
Factors That Influence Sentencing
Federal penalties can vary significantly based on:
- Amount of financial loss (e.g., exceeding $5,000 threshold)
- Number of victims impacted
- Whether the conduct involved fraud or identity theft
- Prior criminal history
- Level of intent and sophistication
Additional Consequences
In addition to criminal penalties, a CFAA conviction may result in:
- Restitution to victims
- Asset forfeiture
- Supervised release or probation
- Long-term reputational and employment consequences
Related Federal Crimes Often Charged with Computer Hacking
Computer hacking charges are frequently accompanied by additional federal offenses, including:
- Identity theft (18 U.S.C. § 1028)
- Credit card fraud (18 U.S.C. § 1029)
- Embezzlement (18 U.S.C. § 641)
- Mail fraud (18 U.S.C. § 1341)
- Wire fraud (18 U.S.C. § 1343)
- Bank fraud (18 U.S.C. § 1344)
- Counterfeiting (18 U.S.C. § 472)
These charges can significantly increase potential penalties.
The "Authorized Access" Problem
The most dangerous phrase in the CFAA for technical professionals is not "hacking." It is "exceeds authorized access." And the meaning of that phrase was unsettled for decades.
In Van Buren v. United States (2021), the Supreme Court narrowed the statute significantly.
The law prohibits obtaining information from areas of a computer, such as files, folders, or databases, that are beyond the individual's authorized access. It does not cover someone who uses valid access for an unauthorized purpose.
In practical terms, if a person has authorized access to information stored in a particular folder, they do not violate the CFAA by obtaining that information, regardless of the purpose for which they used it.
The Court called this a "gates-up-or-down inquiry." Either you had access to that area of the system, or you did not. Van Buren was a significant win for technical professionals.
But it left a critical question unresolved: whether authorization can be limited solely by technical barriers, or whether the scope of a consulting agreement or terms of service also constrains what "authorized access" means.
The Court did not rule on what an organization must do to indicate that a person lacks authorization to access a particular part of a computer, or whether technological measures are required in addition to policies.
That unresolved question is where consultant exposure lives today.
The Scenarios That Trigger Federal Investigation
Three recurring fact patterns drive CFAA charges against IT professionals:
The competitor intelligence engagement
A consultant is hired to assess a competitor's infrastructure. During the work, they discover credentials or access points that allow deeper entry into systems the competitor considers private. The consultant uses those credentials, believing the access is a natural extension of the engagement. The competitor files a complaint. The DOJ opens an investigation.
The penetration test was conducted without a written scope agreement
A consultant is verbally authorized to conduct a penetration test. During the test, they discover that the client's environment shares infrastructure with a neighboring organization and inadvertently access systems outside the agreed scope.
Without a written authorization agreement defining the engagement's boundaries, there is no documentation establishing that the disputed access was sanctioned.
The engagement that produces competitive data
Even where initial access was clearly authorized, a CFAA charge can attach if the consultant extracts, retains, or transmits data in a way that benefits a competing interest. When access logs show movement into restricted directories not covered by the engagement scope, the government's charging analysis shifts regardless of what the consultant believed their mandate to be.
The former employer's system with revoked credentials
A consultant departs an employer, transitions to a new client in the same industry, and accesses systems at the former employer using credentials that were never formally disabled.
Even without any attempt to bypass a technical control, accessing those systems after the employment relationship ended can constitute access "without authorization" under the CFAA.
The Nosal case confirmed that using a current employee's credentials at a former employer, even with that employee's consent, can still constitute unauthorized access.
Credentials that technically still work are not the same as credentials that are still authorized. Former employers who discover the access frequently pursue both criminal referrals and civil claims simultaneously.
How Federal CFAA Investigations Develop
Federal computer fraud investigations targeting consultants rarely begin with a grand jury subpoena. They typically start with a civil complaint from a former employer or competitor, which triggers an FBI referral.
From that point, the investigative sequence is consistent:
- Agents obtain logs from targeted systems through the judicial process, identifying timestamps, IP addresses, session data, and the specific files or directories accessed. They map that access against the consulting agreement and any written authorization the consultant possesses. The gap between what the agreement authorizes and what the logs show becomes the evidentiary foundation of the case.
- Agents then interview the client who retained the consultant, often seeking to characterize the engagement as more limited than the consultant understood it to be. Emails, Slack messages, and text threads about the engagement's purpose are subpoenaed and reviewed for language suggesting an intent to access information beyond what was legitimately authorized.
Defense Strategies for CFAA Charges
A CFAA defense for a technical professional is built around documentation, scope definition, and the Van Buren framework.
The core argument in nearly every consultant case is that the access was authorized, either because the client sanctioned it or because Van Buren precludes liability for accessing information through technically permitted means.
Establishing written authorization: When a detailed engagement agreement exists and covers the access at issue, it directly contradicts the government's theory. Defense counsel obtains every version of the agreement, every written communication about scope, and every approval from the client on record.
Applying Van Buren to the fact pattern: Post-Van Buren, the government cannot charge a CFAA violation based solely on the argument that a consultant used valid access for a purpose outside the engagement's intent. If the consultant accessed data through credentials that technically granted access and bypassed any computational restriction, Van Buren may foreclose the core theory.
Challenging the technical gate element: The DOJ's own charging policy requires that the division between accessible and restricted areas of a system must be established computationally, through code or configuration, not merely through a policy or contract. If no technical barrier prevented access, the "exceeds authorized access" theory may fail as a matter of law.
Attacking intent: CFAA charges require that the defendant intentionally accessed the protected computer and did so knowingly without authorization. Evidence that a consultant understood themselves to be acting within a legitimate engagement, supported by client communications, prior approvals, and methodology documentation, directly challenges this element.
Pre-indictment engagement: As with all federal white-collar cases, the most effective intervention occurs before charges are filed. Defense counsel presenting a documented scope authorization, a Van Buren-based legal analysis, and a credible account of the consultant's methodology to the assigned AUSA can close a case before indictment.
Hypothetical Case Study: Penetration Test Beyond Agreed Scope
A cybersecurity consultant was retained to conduct a penetration test of a client's web application environment, as scoped in a written statement of work covering the client's primary domain and staging environment.
During the test, the consultant discovered that the client's application shared authentication infrastructure with a partner organization's API.
Following that chain, the consultant accessed the partner's development environment using recovered credentials and identified a significant vulnerability.
The partner filed a complaint with the FBI. Agents confirmed the consultant's session in the partner's environment and opened a federal investigation.
Defense counsel was retained before any agent contact. Counsel gathered the full engagement record: the statement of work, all pre-engagement correspondence, methodology documentation, and the disclosure report filed with the client within 24 hours of discovery. Two arguments were developed.
- First, under Van Buren, the consultant accessed the partner's environment through credentials that the partner's own authentication system accepted without resistance. No password was cracked, and no access control was bypassed. The access was technically permitted; the only dispute was over purpose, which Van Buren says is not enough.
- Second, the immediate disclosure report demonstrated that the intent throughout was to identify and report vulnerabilities, not to exploit or retain data. Nothing from the partner environment was retained.
Defense counsel presented both arguments before grand jury proceedings were initiated. The government declined to prosecute.
The lesson: A documented methodology, immediate disclosure, and a precise Van Buren analysis of the technical access architecture can close a federal CFAA investigation before it becomes an indictment.
The Civil Track Runs Parallel to the Criminal Case
A CFAA criminal investigation and a civil lawsuit are not mutually exclusive. The statute provides a private right of action under § 1030(g), allowing any person or business that suffers damage or loss from a CFAA violation to sue for compensatory damages and injunctive relief.
The threshold for civil liability is lower than the criminal standard, requiring only a preponderance of the evidence rather than proof beyond a reasonable doubt.
For IT consultants, this means that a former employer or competitor can file a civil CFAA claim while the DOJ is still deciding whether to bring criminal charges, and that civil discovery can produce documents and admissions that find their way into the criminal proceeding.
A defense strategy that addresses only the criminal investigation while ignoring the civil track leaves the client exposed on both fronts. Counsel should be engaged to manage both simultaneously from the outset.
Frequently Asked Questions (FAQs)
How can IT consultants reduce the risk of criminal liability?
IT consultants can reduce legal risk by clearly defining the scope of their work and documenting all authorization. Best practices include using detailed written agreements, confirming access boundaries in advance, and avoiding any systems or data not explicitly approved by the client.
Can CFAA charges be avoided or dismissed?
In some cases, yes. Charges may be avoided or dismissed when there is strong evidence of authorization, lack of intent, or insufficient proof that access exceeded permitted boundaries. Early legal intervention is often critical.
What penalties can apply in CFAA cases?
Penalties for violations of 18 U.S.C. § 1030 can include federal prison time, significant fines, restitution to victims, and enhanced sentencing if the conduct involves fraud or repeat offenses.
Can civil lawsuits be filed in addition to criminal charges?
Yes. The CFAA allows businesses and individuals to file civil lawsuits for damages and injunctive relief. These civil cases often proceed alongside or independently of criminal investigations.
Defending the Specialized Consultant
A CFAA investigation targeting a consultant moves fast and relies heavily on the documentation the government collects before the target knows an investigation has begun.
Early intervention, before interviews are conducted and before a grand jury is convened, is where these cases are most effectively resolved.
Eisner Gorin LLP's federal defense team represents IT consultants, cybersecurity professionals, competitive intelligence specialists, and technology executives facing CFAA investigation and prosecution.
Your best chance for a positive outcome is working with an experienced California federal criminal defense attorney at Eisner Gorin LLP. To set up a consultation, feel free to call us at (818) 781-1570 or reach out to us here.
