Practitioners handling computer intrusion, unauthorized access, and data theft cases in Alabama must navigate a two-track legal framework: Alabama's own criminal statutes addressing digital offenses, and the federal Computer Fraud and Abuse Act's civil remedy. The two regimes have materially different scopes, damage standards, and procedural requirements. Following Van Buren v. United States, 593 U.S. 374 (2021), the CFAA's civil reach has been significantly narrowed, making the interaction between federal and state law more consequential for plaintiffs.
I. Doctrinal Framing
Alabama has two principal computer-crime statutory frameworks. The original Alabama Computer Crime Act, codified at Ala. Code §§ 13A-8-100 through 13A-8-103 (Article 5), was enacted in the 1990s and addresses offenses against intellectual property (§ 13A-8-102) and offenses against computer equipment or supplies (§ 13A-8-103). These provisions are primarily criminal in nature and provide no express civil remedy.
The Alabama Digital Crime Act, codified at Ala. Code §§ 13A-8-110 through 13A-8-119 (Article 5A), was enacted in 2012 (Act 2012-432) and substantially replaced and expanded the state's computer-crime framework. It covers computer tampering (§ 13A-8-112), encoded data fraud (§ 13A-8-113), phishing (§ 13A-8-114), and unauthorized disclosure of stored electronic communications (§ 13A-8-115), among other offenses. Like the original Act, the Digital Crime Act is structured as a criminal statute; Article 5A does not contain an express civil remedy provision.
The absence of an express private right of action under either the original Alabama Computer Crime Act or the Alabama Digital Crime Act means that civil plaintiffs in Alabama computer-intrusion cases must rely principally on: (1) the federal CFAA's civil cause of action; (2) Alabama common-law claims (trespass to chattels, conversion, invasion of privacy, fraud); and (3) other applicable state or federal privacy statutes such as the Stored Communications Act.
II. The Alabama Digital Crime Act: Key Provisions
A. Computer Tampering: Section 13A-8-112
The core offense of the Alabama Digital Crime Act is computer tampering, defined at Ala. Code § 13A-8-112. A person commits computer tampering by acting without authority or exceeding authorization of use and knowingly:
- Accessing and altering, damaging, or destroying any computer, computer system, or computer network
- Altering, damaging, deleting, or destroying computer programs or data
- Disclosing, using, controlling, or taking computer programs, data, or supporting documentation
- Introducing a computer contaminator or virus
- Disrupting computer services or denying service to authorized users
- Preventing a user from exiting a site (compelled access)
- Obtaining information required by law to be kept confidential by accessing a government or medical computer system
- Disclosing another's password or access credentials without consent
Criminal penalties escalate by harm and intent:
- Class A misdemeanor (baseline)
- Class C felony if the actor intends to commit an unlawful act, obtain a benefit, or defraud or harm another
- Class B felony if victim expenditures exceed $2,500, or if the offense impairs governmental operations or public utilities
- Class A felony if victim expenditures exceed $100,000, or if physical injury results
The "acts within the scope of lawful employment" defense at § 13A-8-112(b)(1) exempts employees performing acts reasonably necessary to their work assignments, mirroring—but not identical to—the CFAA's own authorization framework.
B. Phishing: Section 13A-8-114
Section 13A-8-114 addresses phishing—the use of fraudulent electronic communications to induce individuals to disclose financial or personal identification information. This is a Class C felony. Phishing is a crime in Alabama under state law even if no computer tampering occurs, and the statute's broad definition of "phishing" encompasses spoofed emails, fake websites, and social engineering schemes.
C. Unauthorized Disclosure of Stored Communications: Section 13A-8-115
Section 13A-8-115 criminalizes unauthorized disclosure of stored wire or electronic communications—a state-law parallel to the federal Stored Communications Act, 18 U.S.C. §§ 2701–2712. This provision is particularly relevant to cases involving unauthorized access to email systems or cloud-hosted data.
D. The Civil Remedy Gap
The Alabama Digital Crime Act's Article 5A contains no civil remedy provision in §§ 13A-8-110 through 13A-8-119. Practitioners should not confuse this with § 13A-8-199, which does provide a civil remedy—but that provision belongs to Article 5B (§§ 13A-8-190 through 13A-8-199), which addresses image-based sexual abuse ("revenge porn"), not computer crime. The civil remedy for computer intrusion must come from another source.
III. The Federal CFAA Civil Cause of Action: 18 U.S.C. § 1030
A. CFAA Overview
The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, is the primary federal computer-crime statute. It creates both criminal offenses and a private civil cause of action. Section 1030(g) authorizes any person who "suffers damage or loss" from a violation of the CFAA to maintain a civil action against the violator "for compensatory damages and injunctive relief or other equitable relief." Civil CFAA claims require:
- A violation of one of the substantive subsections of § 1030(a)
- "Damage" (impairment to the integrity or availability of data, a program, a system, or information) or "loss" (any reasonable cost to the victim, including response costs and revenue lost due to service interruption)
- Satisfaction of one of the jurisdictional predicates at § 1030(c)(4)(A)(i)—most importantly, a loss to one or more persons during any one-year period aggregating at least $5,000
The $5,000 aggregate loss threshold is the primary civil standing gate for CFAA claims. Investigation costs—including forensic analysis, remediation, and damage assessment—count as "loss" under 18 U.S.C. § 1030(e)(11) and do not require interruption of service to qualify.
B. Van Buren v. United States: The Scope Restriction
Van Buren v. United States, 593 U.S. 374 (2021), is the Supreme Court's first definitive interpretation of the CFAA's "exceeds authorized access" clause. Former Georgia police sergeant Nathan Van Buren used his valid patrol-car computer credentials to run a license-plate search in exchange for money—violating department policy but using access he was otherwise authorized to have. The Eleventh Circuit, applying its then-prevailing broad view, affirmed his CFAA conviction. The Supreme Court reversed, 6-3, in an opinion by Justice Barrett.
The Court held that the "exceeds authorized access" clause in 18 U.S.C. § 1030(a)(2) covers only individuals who access computer systems with authorization but then obtain information from particular areas—"files, folders, or databases"—to which their access does not extend. It does not cover individuals who use their authorized access for improper purposes. The Court adopted what it called a "gates-up-or-gates-down" inquiry: a user who can access a folder may do so for any reason without violating the CFAA; a user who accesses a folder that is technically off-limits violates the CFAA regardless of purpose.
Key holdings:
- The "exceeds authorized access" clause requires that the defendant access an area of the computer to which access does not extend—not merely use authorized access for an unauthorized purpose.
- Employer policies, contractual terms, and workplace rules that restrict what one may do with authorized access do not define the CFAA's scope.
- The Court declined to resolve whether technological (code-based) vs. policy-based restrictions on access can constitute enforceable CFAA gates. This question remains unresolved in the lower courts.
Impact on civil CFAA practice: Van Buren significantly narrows the category of CFAA defendants. Employees who access files they were technically authorized to access—even for clearly improper purposes such as stealing trade secrets or copying client lists—no longer fall within the "exceeds authorized access" provision post-Van Buren if those files were within their technical authorization. This is a major limitation on using CFAA for unfair competition and trade-secret cases. By contrast, outsiders who hack into systems, insiders who access off-limits systems or databases, and anyone who uses stolen credentials remain clearly within the CFAA's scope.
C. Damages Under the CFAA
Civil CFAA damages under § 1030(g) encompass compensatory damages and equitable relief, subject to the $5,000 loss threshold for most civil claims. The statute does not expressly authorize punitive damages, though some courts have considered whether state-law punitive damages can accompany a CFAA claim. Attorney's fees are generally not recoverable under the CFAA unless the plaintiff also has a fee-shifting claim under another statute.
IV. Comparison: Alabama Digital Crime Act vs. Federal CFAA
| Feature | Alabama Digital Crime Act | Federal CFAA |
|---|---|---|
| Civil remedy | None express | Yes, 18 U.S.C. § 1030(g) |
| Scope | "Without authority or exceeds authorization" | "Without authorization or exceeds authorized access" |
| "Authorized" standard | Not directly addressed by appellate courts | Van Buren "gates-up-or-down" test |
| $5,000 loss threshold | N/A (no civil remedy) | Required for most civil claims |
| Attorney's fees | N/A | Not expressly authorized |
| Criminal penalties | Class A misdemeanor to Class A felony | Fine or imprisonment up to 10 years |
| Intent requirement | Varies by subsection; felony requires intent to defraud/harm | Intentional access required |
V. Civil Strategy: Combining State and Federal Claims
Where no express state civil remedy exists, Alabama computer-intrusion plaintiffs should consider stacking the following theories:
1. Federal CFAA § 1030(g). This is the principal civil vehicle. Focus on establishing the $5,000 loss through documented forensic and remediation costs, lost revenue, or service interruption costs. After Van Buren, ensure the CFAA theory is grounded in access to technically off-limits files or systems, not merely misuse of authorized access.
2. Alabama common-law trespass to chattels. Alabama courts recognize trespass to chattels as an available cause of action for intentional interference with personal property, including electronic systems. The tort requires intentional interference, actual harm, and causation. Unlike the CFAA, it is not subject to the "authorization" framework, and post-Van Buren technical limitations do not apply.
3. Alabama common-law fraud or theft by deception. Where the computer intrusion is accompanied by false representations—as in phishing under § 13A-8-114—common-law fraud or suppression claims may provide remedies unavailable under the purely technical CFAA analysis.
4. Stored Communications Act, 18 U.S.C. §§ 2701–2712. Where the computer intrusion involved unauthorized access to stored electronic communications (emails, messages), a separate SCA civil claim under § 2707 is available. The SCA's authorization standard operates differently from the CFAA and is addressed in a companion post.
5. Trade secret misappropriation. The Defend Trade Secrets Act, 18 U.S.C. § 1836, provides a federal civil cause of action for misappropriation of trade secrets that can accompany a CFAA claim without requiring the defendant to have "exceeded authorized access."
VI. Open Questions and Developing Law
The code-based access restriction question. Van Buren expressly reserved the question of whether only technological restrictions (passwords, firewalls, access-control lists) can constitute "gates" for CFAA purposes, or whether a cease-and-desist letter or website's terms of service can also close a gate. This question is actively litigated in the lower courts and will determine the scope of CFAA liability for scraping, terms-of-service violations, and similar conduct.
Alabama Digital Crime Act civil remedy gap. The legislature's failure to include a civil remedy in the Digital Crime Act leaves Alabama computer-crime victims in a worse position than victims in states that have enacted corresponding private civil rights. Legislative amendments adding a civil remedy provision to Article 5A would substantially improve the plaintiff's toolkit for Alabama computer-intrusion cases.
Interaction between Alabama criminal conviction and civil claims. Where a defendant has been criminally convicted under the Alabama Digital Crime Act, that conviction may support collateral estoppel and related arguments in a civil proceeding for damages under CFAA or common-law theories.
VII. Closing
The absence of an express civil remedy in the Alabama Digital Crime Act is the defining limitation for civil computer-intrusion plaintiffs in the state. The CFAA fills most of the gap but has been substantially narrowed by Van Buren, which eliminates "misuse of authorized access" as a theory and restricts civil CFAA claims to true unauthorized-access scenarios. Practitioners should build multi-theory complaints that include common-law trespass to chattels, CFAA, SCA, and—where data or code constitutes a trade secret—the DTSA, to ensure that the plaintiff's civil remedy survives the post-Van Buren CFAA scope restriction.
Talk to Yates Anderson
If you are litigating a matter in this area — or weighing whether to — the working analysis above only goes so far. Request a case evaluation and a Yates Anderson attorney will respond within one business day.
Informational only. Not legal advice. No attorney-client relationship is created by reading this post. Consult a licensed attorney in your jurisdiction.