1. [align=left]
        1. Whoever—

          (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it ...

          shall be punished as provided in subsection (c) of this section.
        <LI class=heading3>1. Knowingly Access a Computer Without Authorization or In Excess of Authorization A violation of this section requires proof that the defendant knowingly accessed a computer without authorization or in excess of authorization. This covers both completely unauthorized individuals who intrude into a computer containing national security information as well as insiders with limited privileges who manage to access portions of a computer or computer network to which they have not been granted access. The scope of authorization will depend upon the facts of each case. However, it is worth noting that computers and computer networks containing national security information will normally be classified and incorporate security safeguards and access controls of their own, which should facilitate proving this element.

        Please see page 4 for the discussion of the concept of access without or in excess of authorization.
        <LI class=heading3>2. Obtain National Security Information
        A violation of this section requires that the information obtained is national security information, meaning information "that has been determined by the United States Government pursuant to an Executive Order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954." An example of national security information used in section 1030(a)(1) would be classified information obtained from a Department of Defense computer or restricted data obtained from a Department of Energy computer.
        <LI class=heading3>3. Information Could Injure the United States or Benefit a Foreign Nation
        A violation of this section requires proof that the defendant had reason to believe that the national security information so obtained could be used to the injury of the United States or to the advantage of any foreign nation. The fact that the national security information is classified or restricted, along with proof of the defendant's knowledge of that fact, should be sufficient to establish this element of the offense.
      2. 4. Willful Communication, Delivery, Transmission, or Retention A violation of this section requires proof that the defendant willfully communicated, delivered, or transmitted the national security information, attempted to do so, or willfully retained the information instead of delivering it to the intended recipient. This element could be proven through evidence showing that the defendant did any of the following: (a) communicated, delivered, or transmitted national security information, or caused it to be communicated, delivered, or transmitted, to any person not entitled to receive it; (b) attempted to communicate, deliver, or transmit national security information, or attempted to cause it to be communicated, delivered, or transmitted to any person not entitled to receive it; or (c) willfully retained national security information and failed to deliver it to an officer or employee of the United States who is entitled to receive it in the course of their official duties.
      3. 5. Penalties Convictions under this section are felonies punishable by a fine, imprisonment for not more than ten years, or both. 18 U.S.C. § 1030(c)(1)(A). A violation that occurs after another conviction under section 1030 is punishable by a fine, imprisonment for not more than twenty years, or both. 18 U.S.C. § 1030(c)(1)(B).
      4. 6. Historical Notes Section 1030(a)(1) was originally enacted in 1984 and was substantially amended in 1996. As originally enacted, section 1030(a)(1) provided that anyone who knowingly accessed a computer without authorization or in excess of authorization and obtained classified information "with the intent or reason to believe that such information so obtained is to be used to the injury of the United States, or to the advantage of any foreign nation" was subject to a fine or imprisonment for not more than ten years for a first offense. This scienter element mirrored that of 18 U.S.C. § 794(a), the statute that prohibits gathering or delivering defense information to aid a foreign government. Section 794(a), however, provides for life imprisonment, whereas section 1030(a)(1) is only a ten-year felony. Based on that distinction, Congress amended section 1030(a)(1) in 1996 to track more closely the language of 18 U.S.C. § 793(e), which also provides a maximum penalty of ten years' imprisonment, for obtaining from any source certain information connected with the national defense and thereafter communicating or attempting to communicate it in an unauthorized manner.
        Violations of this subsection are charged quite rarely. The reason for this lack of prosecution may well be the close similarities between sections 1030(a)(1) and 793(e). In situations where both statutes are applicable, prosecutors may tend towards using section 793(e), for which guidance and precedent are more prevalent.
        However, a four-count information was filed in the U.S. District Court for the District of New Jersey on May 4, 2006, which charged Leandro Aragoncillo, an FBI intelligence analyst assigned to the Ft. Monmouth Information Technology Center, with, among other things, a section 1030(a)(1) violation. Aragoncillo pleaded guilty to the information, and admitted that he used his FBI computer to access classified documents through the FBI's Automated Case System and transmit the information contained in the documents to former and current officials of the Philippine government. For more information about this case, please contact the Counterespionage Section of the National Security Division.
        Although sections 793(e) and 1030(a)(1) overlap, the two statutes do not reach exactly the same conduct. Section 1030(a)(1) requires proof that the individual knowingly accessed a computer without or in excess of authority and thereby obtained national security information, and subsequently performed some unauthorized communication or other improper act with that data. In this way, it focuses not only on the possession of, control over, or subsequent transmission of the information (as section 793(e) does), but also focuses on the improper use of a computer to obtain the information itself. Existing espionage laws such as section 793(e) provide solid grounds for the prosecution of individuals who attempt to peddle governmental secrets to foreign governments. However, when a person, without authorization or in excess of authorized access, deliberately accesses a computer, obtains national security information, and seeks to transmit or communicate that information to any prohibited person, prosecutors should consider charging a violation section 1030(a)(1) in addition to considering charging a violation of Section 793(e).
        One other issue to note is that section 808 of the USA PATRIOT Act added section 1030(a)(1) to the list of crimes in that are considered to be "Federal Crime[s] of Terrorism" under 18 U.S.C. § 2332b(g)(5)(B). This addition affects prosecutions under section 1030(a)(1) in three ways. First, because offenses listed under section 2332b(g)(5)(B) are now incorporated into 18 U.S.C. § 3286, the statute of limitation for subsection (a)(1) is extended to eight years, and is eliminated for offenses that resulted in, or created a foreseeable risk of, death or serious bodily injury to another person. Second, the term of supervised release after imprisonment for any offense listed under section 2332b(g)(5)(B) that resulted in, or created a foreseeable risk of, death or serious bodily injury to another person, can be any term of years or life. 18 U.S.C. § 3583. Formerly, the maximum term of supervised release for any violation of section 1030 was five years. Third, the USA PATRIOT Act added the offenses listed in section 2332b(g)(5)(B) to 18 U.S.C. § 1961(1), making them predicate offenses for prosecution under the Racketeer Influenced and Corrupt Organizations (RICO) statute. As a result, any "RICO enterprise" (which may include terrorist groups) that carries out acts of cyberterrorism in violation of section 1030(a)(1) (or section 1030(a)(5)(A)(i)) can now be prosecuted under the RICO statute.
      1. C. Compromising Confidentiality: 18 U.S.C. § 1030(a)(2)
      2. Summary
      1. Intentionally access a computer
      2. without or in excess of authorization
      3. obtain information from:
        • financial records of financial institution, OR
        • the U.S. Government, OR
        • a protected computer if interstate or foreign communication involved
      1. The distinct but overlapping crimes established by the three subsections of section 1030(a)(2) punish the unauthorized access of different types of information and computers. Violations of this section are misdemeanors unless aggravating factors exist. Also, some intrusions may violate more than one subsection. For example, a computer intrusion into a federal agency's computer might be covered under the latter two subsections.
      2. Section 1030(a)(2) does not impose a monetary threshold for a violation, in recognition of the fact that some invasions of privacy do not lend themselves to monetary valuation but still warrant federal protection. If not authorized, downloading sensitive personnel information from a company's computer (via an interstate communication) or gathering personal data from the National Crime Information Center would both be serious violations of privacy which do not easily lend themselves to a dollar valuation of the damage. Although there is no monetary threshold for establishing an offense under section 1030(a)(2), the value of the information obtained during an intrusion is important when determining whether a violation constitutes a misdemeanor or a felony.
      3. Title 18, United States Code, Section 1030(a)(2) provides:
        1. Whoever—
        2. (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
          (B) information from any department or agency of the United States; or
          (C) information from any protected computer if the conduct involved an interstate or foreign communication ... shall be punished as provided in subsection (c) of this section.
        <LI class=heading3>1. Intentionally Access a Computer
        A violation of this section requires that the defendant actually be the one to access a computer without authorization rather than merely receive information that was accessed without authorization by another. For example, if A obtains information in violation of section 1030(a)(2) and forwards it to B, B has not violated this section, even if B knew the source of the information. See Role Models America, Inc. v. Jones, 305 F.Supp.2d 564 (D. Md. 2004). Of course, B might be subject to prosecution for participating in a criminal conspiracy to violate this section.
        <LI class=heading3>2. Without or In Excess of Authorization
        Please see page 4 for the discussion of access without or in excess of authorization.
        <LI class=heading3>3. Obtained Information The term "obtaining information" is an expansive one which includes merely viewing information online without downloading or copying it. See S. Rep. No. 99-432, at 6; America Online, Inc. v. National Health Care Discount, Inc., 121 F.Supp.2d 1255 (N.D. Iowa 2000). Information stored electronically can be obtained not only by actual physical theft, but by "mere observation of the data." Id. The "crux of the offense under subsection 1030(a)(2)(C) ... is the abuse of a computer to obtain the information." Id.
        "Information" includes intangible goods, settling an issue raised by the Tenth Circuit's decision in United States v. Brown, 925 F.2d 1301, 1308 (10th Cir. 1991). In Brown, the appellate court held that purely intangible intellectual property, such as a computer program, did not constitute goods or services that can be stolen or converted. In the 1996 amendments to section 1030, Congress clarified this issue, stating that section 1030(a)(2) would "ensure that the theft of intangible information by the unauthorized use of a computer is prohibited in the same way theft of physical items are protected." S. Rep. No. 104-357, at 7, available at 1996 WL 492169.
      4. 4. Financial Institution or Consumer Reporting Agency To prove a violation of section 1030(a)(2)(A), obtaining information related to the Fair Credit Reporting Act (FCRA), the violation must be willful. See Ausherman v. Bank of America Corp., 352 F.3d 896 at 900 n.4 (4th Cir. 2003). To prove willfulness under the FCRA, the government must show that the defendant knowingly and intentionally committed an act in conscious disregard for the rights of a consumer. Id.
      5. 5. Department or Agency of the United States Whether a company working as a private contractor for the government constitutes a "department or agency of the United States" for purposes of prosecution under subsection (a)(2)(B) has not been addressed by any court. However, the argument that private contractors are intended to be covered by this section may be undercut by section 1030(a)(3), which includes language permitting prosecution of trespass into government systems and non-government systems, if "such conduct affects that use by or for the Government of the United States." The existence of this language suggests that if Congress had intended to extend the reach of section 1030(a)(2) beyond computers owned by the federal government, it would have done so using language it used elsewhere in section 1030.
      [/align]