Federal law broadly prohibits hacking in order to gain information. It criminalizes obtaining three categories of information from different types of computer systems:
- Financial data, including records of financial institutions, credit card companies, and credit bureaus
- Information from any department or agency of the United States
- Information from any computer used in interstate or foreign communication
These are known in the Computer Fraud and Abuse Act as “protected” computer systems. The last category—computers used in interstate or foreign communication—essentially covers most computers connected to the Internet. The law does not go into detail on the types of information it intends to protect; instead, the intent is to prohibit unauthorized access to any information on protected systems. Minimum penalties may include fines, imprisonment for up to one year, or both.