Do you work for the government, a financial institution, or a business involved in interstate commerce, and regularly access a secure database that holds personal information such as people's addresses or phone numbers? If so, you need to understand your legal limitations under the Computer Fraud and Abuse Act -- before you run afoul of it. Here's what you should know. 

What is the CFAA?

The Computer Fraud and Abuse Act (CFAA) dates back to 1986, but it has been updated and expanded upon numerous time. It pertains to computers (including those inside mobile smartphones) that are used by the government, a financial institution, and in businesses that engage in interstate commerce. It was designed to protect the integrity of those systems, and prevent leaks of sensitive information that could harm the government, individuals, or businesses.

How can you be in violation?

Different courts have interpreted the vaguely worded CFAA in different ways -- some more broadly than others. Looking at the broadest interpretation (because that's the most likely way to get into trouble) you could be in legal hot water anytime your use of the data exceeds your authorized access.

For example, although the appeals court took the narrow view and threw out the conviction, a police detective with an active fantasy life was convicted of violating the CFAA after using the police database to find out more information about women to whom he was sexually attracted. Had his conviction not been overturned, he would have faced 5 years in prison for the violation. 

It's important to note: the police detective was lucky. In his case, the court determined that his access to the database was permitted, even if he wasn't using it for police business, so he hadn't violated the law. However, the appeals court could have easily gone the other direction and other courts have. Some violations of the CFAA can result in a 20-year prison sentence.

In addition, the charges alone could significantly disrupt your life and put you through a great deal of grief and expense. For example, former internet developer and programmer Aaron Swartz committed suicide as a result of being charged with CFAA violations after downloading academic journals from MIT without authorization.

In order to avoid being in violation of the CFAA it pays to take certain precautions:

• Don't access anyone's personally identifiable information unless you have a work reason for doing so.

• Don't do favors for coworkers and look up information on their friends, relatives, or neighbors.

• Don't access any files that aren't strictly work related and destroy copies of any files that you make if they aren't being used or retained for work purposes.

• Don't download any information from another server outside of your own.

• Don't access someone's private files without their express and written permission, even if you have their password and have done so before.

• Don't test the security of your computer or your company's internal computing system yourself -- leave that to the professionals that are paid to do so.

Keep in mind that people can and do get arrested for what seems like harmless activity or a prank at the time. If you are arrested and charged with a computer crime, seek a lawyer's advice immediately (such as one from O'Brien & Dekker​).