The Electronic Communications Privacy Act (“ECPA”) protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. ECPA applies to email, telephone conversations, and data stored electronically. The Act has three titles which include the Wiretap Act, the Stored Communications Act, and the Pen Register Act.
The Wiretap Act (codified under 18 U.S.C. §§ 2510-2522) prohibits the intentional actual or attempted interception, use, disclosure, or “procurement of any other person to intercept or endeavor to intercept any wire, oral, or electronic communication.” It provides exceptions for operators and service providers for uses “in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service” and for “persons authorized by law to intercept wire, oral, or electronic communications or to conduct electronic surveillance, as defined in section 101 of the Foreign Intelligence Surveillance Act (“FISA”) of 1978.” It provides procedures for Federal, State, and other government officers to obtain judicial authorization for intercepting such communications, and regulates the use and disclosure of information obtained through authorized wiretapping. A judge may issue a warrant authorizing interception of communications for up to 30 days upon a showing of probable cause that the interception will reveal evidence that an individual is committing, has committed, or is about to commit a “particular offense” listed in section 2516. It also prohibits the use of illegally obtained communications as evidence.
The Wiretap Act makes the following actions related to the interception of electronic communications illegal: (i) intentionally intercepting an electronic communication; (ii) intentionally disclosing the contents of a communication to a third party with knowledge that it was obtained through an unauthorized interception; and (iii) intentionally using the contents of an interception with the knowledge that it was obtained through unauthorized interception.
There are severe civil and criminal penalties for violation of the Wiretap Act. Pursuant to section 2511 subsection (4)(a), an individual can be fined or imprisoned for up to five years or both. Section 2520(a) establishes a civil cause of action for any person whose electronic communication is either intercepted, disclosed or used in violation of the Wiretap Act. In addition, the remedies associated with violations includes, but may not be limited to, injunctions, statutory damages of $100 per day for each day of violation or $10,000 (whichever is greater) and attorney’s fees.
The Stored Communications Act (“SCA”) protects the privacy of the contents of files stored by service providers and of records held about the subscriber by service providers, such as subscriber name, billing records, or IP addresses. The SCA is codified under 18 U.S.C. § 2701 et seq. Basically, it prevents the illegal access to a facility which provides electronic communication services. It also makes the disclosure of contents of any electronic communication held by the provider of electronic communication services to anyone other than the intended recipient illegal.
The Pen Register and Trap and Trace Statute requires government entities to obtain a warrant before collecting real-time information, such as dialing, routing, and addressing information related to communications. Real-time collections of this information are usually done using a pen register or trap and trace device.
The Computer Fraud and Abuse Act (“CFAA”) prohibits unauthorized access to certain and known computers with the intent to cause damage. A person commits a crime by knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; intentionally accessing a protected computer without authorization, and as a result of such conduct, recklessly causes damage, or intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage. A plaintiff can file a lawsuit in civil court for damages and injunctive relief only if party has suffered a loss of at least $5,000 in any one-year period. For example, an interference with a computer-based radio system used by a city for emergency communications violates the CFAA, which prohibits the intentional interference with computer-related systems used in interstate commerce.
Basically, the CFAA outlaws conduct that victimizes computer systems. Stated otherwise, it’s a computer security law which protects computers wherein there is a federal interest (e.g., federal computers, bank computers, and computers used in interstate and foreign commerce). This federal law shields the aforesaid federal interests from trespass, threats, damage, espionage, and from being corruptly used as instruments of fraud. Any violation of the CFAA is punishable by fine or imprisonment, or both.