Quiz 1A — CFAA and the Federal Criminal Toolkit | LawZeee — Know Your Cyber Laws Before You Break It

Question 1

Under Van Buren v. United States (2021), which of the following best describes when someone "exceeds authorized access" under the CFAA?

AWhen they access data for an unauthorized purposeBWhen they access an area of a computer system they were not permitted to access at allCWhen they violate the terms of service of a platformDWhen they access any data they do not personally own

Question 2

A ransomware group encrypts a hospital's servers and demands payment. Which CFAA subsection most directly applies to the damage caused?

A18 U.S.C. § 1030(a)(2) — obtaining informationB18 U.S.C. § 1030(a)(4) — fraudC18 U.S.C. § 1030(a)(5) — intentional damageD18 U.S.C. § 1030(a)(6) — credential trafficking

Question 3

What makes 18 U.S.C. § 1028A (aggravated identity theft) particularly significant in cyber prosecution plea negotiations?

AIt adds civil liability for the victimBIt requires proof of specific criminal intent beyond CFAACIt carries a mandatory consecutive 2-year term that cannot be made concurrent with other sentencesDIt doubles the sentence for all underlying felonies

Question 4

Prosecutors charged a hacking syndicate with CFAA, wire fraud, identity theft, AND RICO. What additional element do they need to prove for the RICO charges that they do not need for CFAA?

AProof that a computer was accessedBProof of enterprise and a pattern of racketeering activityCProof of a financial loss exceeding $5,000DProof that the defendant is a U.S. citizen

Question 5

A company's employee accesses the company's HR database (which she is authorized to use) and downloads salary data to sell to a competitor. Under Van Buren, is this a CFAA violation?

AYes — she misused data from an authorized system, which CFAA coversBNo — she had authorized access to that area of the system; CFAA may not reach mere misuseCYes — any theft of company data is a CFAA violationDNo — CFAA only applies to external hackers, not employees

Question 6

Under 18 U.S.C. § 1343 (wire fraud), what is the maximum prison term for a single count of wire fraud in most cyber-fraud cases?

A5 yearsB10 yearsC20 yearsDLife imprisonment

Question 7

What does the "protected computer" standard under CFAA (18 U.S.C. § 1030(e)(2)) practically mean?

AOnly government computers are coveredBOnly computers storing classified data are coveredCAlmost any internet-connected device qualifies because internet use affects interstate commerceDOnly computers physically located in the United States are covered

Question 8

The FTC uses 15 U.S.C. § 45 to enforce data security standards. Against whom is this enforcement primarily directed?

AThe hackers who breach company systemsBThe companies that failed to maintain adequate security practicesCForeign governments sponsoring cyberattacksDInternet service providers who failed to detect intrusions

Question 9

A hacker operating from Eastern Europe steals credentials from a U.S. e-commerce platform and sells them on a dark web marketplace. Which CFAA subsection most directly covers the credential trafficking conduct?

A§ 1030(a)(2)B§ 1030(a)(4)C§ 1030(a)(5)D§ 1030(a)(6)

Question 10

What is the primary significance of Van Buren for security researchers who probe company systems with valid authentication tokens against the company's terms of service?

AThey are clearly criminally liable under CFAA regardless of authorizationBVan Buren suggests that ToS violations alone likely do not constitute "exceeding authorized access" under CFAACVan Buren only applies to law enforcement defendants, not civiliansDVan Buren expanded CFAA coverage to include ToS violations