This article argues that the existing regime for sentencing violations of the Computer Fraud and Abuse Act (“CFAA”) is based on a conceptual error that consistently leads to improper sentencing recommendations. The Federal Sentencing Guidelines treat CFAA violations as economic crimes. Most CFAA crimes are rooted in trespass, however, instead of economic wrongs such as fraud. The difference is significant. The economic crimes framework leads guidelines calculations to focus too much on economic loss and not enough on the circumstances of the crime. The Article concludes by sketching out a better way to calculate sentencing recommendations in CFAA cases.
The Computer Fraud and Abuse Act (“CFAA”) is controversial in part because its punishments are widely perceived as draconian. Some of those perceptions are the result of flawed reporting. Media coverage of CFAA prosecutions routinely emphasizes statutory maximum sentences instead of Federal Sentencing Guidelines recommendations, fostering wildly unrealistic perceptions of likely punishments. But part of the perception is accurate, and it results from the quirky way the Guidelines characterize CFAA offenses. Sentencing recommendations for CFAA crimes are calculated using the economic crimes guideline, section 2B1.1. That guideline hinges sentencing recommendations primarily on the victim’s consequential loss. A focus on loss makes sense for sentencing economic crimes such as theft. That approach is inappropriate in most CFAA prosecutions, however, because they involve a different set of harms.
This Article argues that the Sentencing Commission should rewrite the Guidelines for CFAA cases because the current approach is based on a conceptual error. Most CFAA offenses are trespass offenses, not economic crimes. The primary harm in most CFAA cases is invasion of privacy and interference with the right to exclude, not economic loss. Although CFAA offenses can cause economic losses, their extent is usually a matter of bad luck rather than design. The result is a poor fit between many CFAA crimes and the current Guidelines. Assumptions about how to measure culpability built into section 2B1.1 often misfire when applied to CFAA crimes. Applying the Guidelines can lead to sentences far removed from what the goals of punishment would suggest are appropriate.
The Sentencing Commission should take a fresh approach. First, it should enact a new guideline for convictions under the computer trespass sections of the CFAA, 18 U.S.C. § 1030(a)(2)–(3) and (a)(5)(B)–(C). The new guideline should account for consequential losses, but only as a small adjustment rather than the sledgehammer it plays in the current economic crimes guideline. Second, the Sentencing Commission should continue to use the economic crimes guideline for convictions under the fraud and intentional damage sections of the CFAA, § 1030(a)(4)–(5)(A), but it should amend that guideline to better treat CFAA offenses. Finally, the Sentencing Commission should narrow the use of the sophisticated means and special skills enhancements in CFAA cases.
Part I of this Article explains the evolution of the CFAA-related sentencing guidelines. Part II argues that the current approach is a poor fit for many CFAA offenses. Part III sketches out new principles that should guide sentencing for CFAA crimes.