Call us today: 646-820-0224

CFAA – Computer Fraud and Abuse Act

Computer Crime

The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. 1030, criminalizes a number of activities involving computers.  The CFAA also provides for civil remedies.  Computer crime continues to occupy the front page of the news as hacking, corporate espionage and employee crimes increase in frequency and severity.  Computer crimes can cause serious potential harm and the U.S. Department of Justice has turned its focus on these types of offenses.  In the last couple of years the DOJ has created and expanded the computer crime division in Washington D.C. and many local U.S. Attorney’s offices have create computer crime teams.  As a result, more of these crimes will be discovered and prosecuted.

The white collar criminal defense attorneys at The Henry Law Firm PLLC have significant experience representing individuals and corporations facing Computer Fraud and Abuse Act crimes. We have developed a highly organized team of litigators and experts who have experience representing some of the most high profile computer crime cases in the United States. CFAA cases can carry severe jail sentences, can lead to significant monetary penalties, and are prosecuted domestically and abroad.  In many instances international extradition is sought to bring suspected individuals to the United States for prosecution.  In many instances, Computer Fraud and Abuse Act cases are charged along with bank fraud, wire fraud, identity theft and other federal crimes.

Seven Categories of CFAA Crimes

18 U.S.C. 1030 defines seven categories of prohibited conduct:

18 U.S.C. § 1030(a)(1): Computer Espionage
18 U.S.C. § 1030(a)(2): Unauthorized Access and Obtaining Information
18 U.S.C. § 1030(a)(3): Computer trespassing in a government computer
18 U.S.C. § 1030(a)(4): Committing fraud with computer
18 U.S.C. § 1030(a)(5): Damaging a protected computer (including viruses, worms)
18 U.S.C. § 1030(a)(6): Trafficking in passwords of a government or commerce computer
18 U.S.C. § 1030(a)(7): Threatening to damage a protected computer

The breadth of the statute is significant and Congress continues to discuss adding enforcement provisions to the statute.  As it stands, the statute has been amended multiple times including 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act.  There is an ongoing debate about the viability of the current statute, and multiple arguments exist regarding the definition of certain aspect of the statute.  Those arguments generally focus on constitutional vagueness and an inability by courts to interpret the statute on a consistent basis.

18 U.S.C. § 1030(a)(1): Computer Espionage

Subsection (a)(1) defines the crime of computer espionage and includes significant language from the Espionage Act of 1917, but also covers information related to “Foreign Relations”, not simply “National Defense” like the Espionage Act.  The Department of Justice recognizes that this offense subsection is rarely used, and that prosecution under this subsection requires the prior approval of the National Security Division of the Department of Justice, through the Counterespionage Section.  A violation of this subsection is punishable by up to 10 years in prison, or 20 years in prison for a second conviction.

In order to convict someone of this subsection, the government must prove the following:

  1. Knowingly access computer without or in excess of authorization
  2. obtain national security information
  3. reason to believe the information could injure the U.S. or bene t a foreign nation
  4. willful communication, delivery, transmission (or attempt)ORwillful retention of the information

National security information is defined as information, “that has been determined by the United States Government pursuant to an Executive Order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as de ned in paragraph y. of section 11 of the Atomic Energy Act of 1954.”  Very often the information defined is classified information belonging to the Department of Defense or Department of Energy.  But, the government must also prove that the information obtained could injure the United States or benefit a foreign nation.

The government’s ability to show that once the information was obtained it was willfully transmitted can depend on if it can be shown that:

[T]he defendant did any of the following: (a) communicated, delivered, or transmitted national security information, or caused it to be communicated, delivered, or transmitted, to any person not entitled to receive it; (b) attempted to communicate, deliver, or transmit national security information, or attempted to cause it to be communicated, delivered, or transmitted to any person not entitled to receive it; or (c) willfully retained national security information and failed to deliver it to an o cer or employee of the United States who is entitled to receive it in the course of their official duties.

Section 808 of the USA PATRIOT Act added section 1030(a)(1) to the list of crimes in that are considered “Federal Crime[s] of Terrorism” under 18 U.S.C. 2332b(g)(5)(B).  Among other issues, this means that a violation of this subsection can be used as a predicate offense under the RICO statute, may have an extended statute of limitations and could result in an additional term of supervised release.


18 U.S.C. § 1030(a)(2): Unauthorized Access and Obtaining Information

Subsection (a)(2) criminalizes the unauthorized access of different kinds of computers and information.  This subsection contains both a misdemeanor and felony alternative.  As a starting point, violations of this subsection begin as misdemeanors unless aggravating factors exist that increase the crime to a felony.  One factor is the value of the information obtained.  While the statute has no minimum monetary threshold for a misdemeanor offense, this subsection does require the information obtained to be valued above $5,000 for the offense to become a felony.

To prove a misdemeanor violation of subsection (a)(2) the government must prove that a person did the following:

  1. Intentionally access a computer
  2. Without or in excess of authorization
  3. Obtain information
  4. From financial records of financial institution or consumer reporting agency OR the U.S. government OR a protected computer

To take the offense from a misdemeanor to a felony, the government must prove the elements listed above in addition to showing that a person:

  1. Committed for commercial advantage or private financial gain OR committed in furtherance of any criminal or tortious act OR the value of the information obtained exceeds $5,000

Unlike subsection (a)(1) which requires knowing access to a computer, this subsection requires intentional access.  In 1986, Congress changed the intent standard to emphasize that “intentional acts of unauthorized access—rather than mistaken, inadvertent, or careless ones— are precisely what the Committee intends to proscribe.” S. Rep. No. 432, 99th Cong., 2d Sess., reprinted in 1986 U.S.C.C.A.N. 2479, 2483.  Thus, a slightly heightened standard for accessing information is required under this subsection.

However, one of the biggest debates surrounding prosecutions under the Computer Fraud and Abuse Act is the meaning and application of “unauthorized access” and “in excess of authorization.”  Unauthorized access is not defined by the statute.  So, courts around the country have been left to interpret the meaning of what constitutes access and when is that access unauthorized.  The statute does define in excess of authorization as, “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. 1030(e)(6).

The legislative history of the CFAA reflects an expectation that persons who “exceed authorized access” will be a person who has some authorization to use the computer or network (i.e. employees, contractors, IT specialists), while persons who access computers “without authorization” will typically be hackers or other outsiders who exploit the system without having been given any authorization at all. See S. Rep. No. 99- 432, at 10 (1986), reprinted in 1986 U.S.C.C.A.N. 2479 (discussing section 1030(a)(5).  However difficult questions arise when courts try to determine whether a person with some authorization to access a computer can ever act “without authorization” with respect to that computer. There is no definitive answer to this question currently, but there is growing consensus that such “insiders” cannot act “without authorization” unless and until their authorization to access the computer is rescinded.  This will typically happen in the context of employee termination or layoffs.

Where the statute permits prosecution for exceeding authorization, the government should be prepared to present evidence proving (a) how the person’s authority to obtain or alter information on the computer was limited, rather than absolute, and (b) how the person exceeded those limitations in obtaining or altering information.  The most significant issue that comes up is whether a particular defendant exceeded authorized access by accessing the computer for an improper purpose where no explicit or implicit restrictions on access existed. The argument typically arises in three ways:

(1) the authorizing party has expressly prohibited the defendant from accessing the computer for the improper purpose; (2) the authorizing party has expressly prohibited the defendant from using the authorizing party’s data for the improper purpose but did not condition the defendant’s computer access on compliance with this prohibition; and (3) the authorizing party did not expressly prohibit the defendant from using its data for the improper purpose, but the defendant was acting against the authorizing party’s interests.

Obviously, the answers to these questions in court opinions become more difficult to distill in questions 2 and 3.  As a result, significant litigation occurs surrounding these issues.

In the next prong, the meaning of “obtaining information” is very broad.  It includes not only downloading or physically copying information, but also includes mere observation or viewing.  Thus, a violation of this subsection can include scenarios where information is accessed and simply looked at, without more.  Information in the context of this statute includes computer programs and other intellectual or intangible property.

In terms of heavily litigated areas of the CFAA, “protected computer” is another area that is heavily contested.  Basically, a protected computer is any computer used in or affecting interstate or foreign commerce and computers used by the federal government and financial institutions.  The computer must only be “used in or affecting” interstate commerce.  The government need not prove that the defendant specifically used that computer in affecting interstate commerce.  Based on case law, it is typically enough that the computer is connected to the Internet to meet the interstate commerce prong. The statute does not require proof that the defendant also used the Internet to access the computer or used the computer to access the Internet.  A protected computer can also include a computer outside the United States as long as it affects interstate commerce.

In terms of one of the aggravating felony factors requiring proof that the information was valued at over $5,000, any reasonable method can be used to establish the value of the information obtained. For example, the research, development, and manufacturing costs or the value of the property “in the thieves’ market” can be used to meet the $5,000 valuation. See, e.g., United States v. Stegora, 849 F.2d 291, 292 (8th Cir. 1988).

18 U.S.C. § 1030(a)(3): Computer trespassing in a government computer

Subsection (a)(3) specifically protects government computers.  To violate this subsection the government must prove:

  1. Intentionally access
  2. without authorization
  3. a nonpublic computer of the U.S. that was exclusively for the use of U.S. or was used by or for U.S.
  4. affected U.S. use of computer

There is no requirement that information be obtained.  It is the act of trespassing alone that is criminalized.  A violation of (a)(3) is a misdemeanor offense.  There is no provision that would increase a violation of this section to a felony.  However, a second conviction of the CFAA under his subsection results in a felony carrying a maximum of 10 years in prison.

A nonpublic computer includes most government computers, but does not include government servers that, by design, are intended for public use.  As an example, a government agency’s database server is probably “nonpublic,” while the same agency’s web servers are “public.”


18 U.S.C. § 1030(a)(4): Committing fraud with computer

Subsection (a)(4) is typically charged in conjunction with or in lieu of subsection (a)(2) violations because this subsection carries felony penalties.  The government will also charge (a)(4) violations in addition to wire fraud because this subsection contains an intent to defraud element.  A violation of this section requires the government to prove:

  1. Knowingly access a protected computer without or in excess of authorization
  2. with intent to defraud
  3. access furthered the intended fraud
  4. obtained anything of value, including use if value exceeded $5000

While this subsection of the CFAA significantly resembles the mail and wire fraud statutes, it purposefully includes the use of a computer without authorization or in excess of his authorization to obtain property of another, which property furthers the intended fraud.  In that way it is more narrowly tailored that mail and wire fraud.

“Knowingly and with intent to defraud is not defined by the CFAA.  There is little case law intercepting the meaning, but it seems Congress intended to punish attempts to steal valuable data, not just mere unauthorized access.  However, courts may use the definition of the term “defraud” as it relates to mail and wire fraud cases to inform their decisions.

The requirement that the access must further the intended fraud can be met in a number of ways.  Some examples are deleting or altering computer files to receive some value, obtaining information from a computer that is later used to complete a fraud (i.e. stealing credit card information), or producing falsified records that are later used to commit a fraud (i.e. creating and printing backdated winning lottery tickets).

The government must also prove that the offender obtained money, cash, or a good or service with measurable value. However, two cases that are more dfficult arise (1) when the defendant obtains only the use of a computer, and (2) when the defendant obtains only information.  Legislative history suggests that obtaining some computer data or information, alone, is not valuable enough to qualify.

A violation of (a)(4) is punishable by up to five years in prison and a fine.  A second conviction, like other subsections, is punishable by up to 10 years in prison.

18 U.S.C. § 1030(a)(5): Damaging a protected computer (including viruses, worms)


Subsection (a)(5) is perhaps the most widely used subsection of the CFAA.  It prohibits damage to protected computers, and can be violated in a number of ways.  Hackers who access computers and delete or alter files, install malware, initiate denial of service (DDoS) attacks or unleash computer viruses or worms are frequently charged under this subsection.

Subsection (a)(5) has three alternatives.  Each of the subsection, if violated as outlined below without any aggravating factors is a misdemeanor.  However, there are a number of ways that a violation of subsections (a)(5)(A) and (a)(5)(B) can elevate the crime to a felony.  Subsection (a)(5)(A) prohibits:

1. Knowingly cause transmission of a program, information, code, or command

2. intentionally cause damage to protected computer without authorization

Subsection (a)(5)(B) prohibits:

1. Intentionally access a protected computer without authorization

2. recklessly cause damage

Subsection (a)(5)(C) prohibits:

  1. Intentionally access a protected computer without authorization
  2. cause damage
  3. cause loss

A violation of subsection (a)(5)(A) and (a)(5)(B) can be a felony if the offense:

results in loss of $5,000 during 1 year


modifies medical care of a person


causes physical injury


threatens public health or safety


damages systems used by or for government entity for administration of justice, national defense, or national security


damages affect 10 or more protected computers during 1 year

In basic terms, subsection (a)(5)(A) prohibits anyone from intentionally damaging a computer (without authorization) while subsection (a)(5)(B) prohibits unauthorized users from causing damage recklessly and subsection (a)(5)(C) from causing damage (and loss) negligently.

Damaging a computer can have far-reaching effects. For example, a business may not be able to operate if its computer system stops functioning or it may lose sales if it cannot retrieve the data in a database containing customer information. Similarly, if a computer that operates a hospital or power plant stops functioning, people could be injured or die as a result of not receiving emergency services. Such damage to a computer can occur following a successful intrusion, but it may also occur in ways that do not involve the unauthorized access of a computer system.

Subsections (a)(5)(B) and (a)(5)(C), unlike (a)(5)(A) require that the offender “access” the computer without authorization and hold intruders accountable for any damage they cause while intentionally trespassing on a computer, even if they did not intend to cause that damage.  Section 1030(a)(5)(A) requires proof only of the knowing transmission of data, a command, or software to intentionally damage a computer without authorization. The government does not need to prove “access.”

Section (a)(5)(A) prohibits knowingly causing the transmission of a “program, information, code, or command” and intentionally causing damage to a protected computer.  “Program, information, code, or command” broadly covers all transmissions that are capable of having any effect on a computer’s operation.  This can include keystroke commends to change or delete computer files, software packages that alter the operation of a computer (i.e. worms, malware) and even DDoS attacks that flood the network connection of a computer or server taking its operation offline without actually accessing the computer itself.  These acts do not have to be directly sent to the victim computer in order to violate this statute.

Subsections (a)(5)(B) and (a)(5)(C) do not include offenses defined as “exceeds authorized access.”  A violation of these subsection is only available in the prosecution of offenders who are unauthorized to access the computer.

Damage under each prong of (a)(5) requires the proof of damage.  The computer accessed need not be the same computer that was damaged.  “Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. 1030(e)(8).  Impairment of integrity can include situations where, for example, where an act causes data or information to be deleted or changed (i.e. deleted log files or changed entries in a bank database).  Installing key logger software or altering security software so the intruders changes go undetected can also constitute damage.  Additionally, damage includes making information on a computer unavailable through a DDOS attack or other ways of consuming a computers computational power.

In addition to damage, under (a)(5)(C) the government must also prove loss.  Loss is defined as, “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

In addition to the statutory penalties prescribed for offenses to the CFAA additional enhancements under the federal sentencing guidelines exist specifically for violation of section (a)(5)(A).  Those increases result in an elevated guideline range, which often leads to a  more severe sentence.


18 U.S.C. § 1030(a)(6): Trafficking in passwords of a government or commerce computer


Violations of (a)(6) prohibit knowingly and with intent to defraud trafficking in computer passwords and similar information when the trafficking affects interstate or foreign commerce, or when the password may be used to access without authorization a computer used by or for the federal government.  Violations of (a)(6) may often be charged with or in addition to violations of 18 U.S.C. 1029, access device fraud.  To convict, the government must prove:

  1. Trafficking
  2. in computer password or similar information
  3. knowingly and with intent to defraud
  4. trafficking affects interstate or foreign commerce OR computer used by or for U.S.

“Traffic” in section 1030(a)(6) is defined by reference to the definition of the same term in 18 U.S.C. 1029, which means “transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of.” 18 U.S.C. 1029(e)(5).  Mere possession of passwords without intent to transfer is not prohibited.  Additionally, personal use of any obtained passwords is not a violation of this subsection.  Although, in both scenarios prosecution may be brought under another subsection.  If transferred, the offender need not have the motive to profit from the transaction.

In the context of this provision of the CFAA, a password is broadly defined:

The Committee recognizes that a “password” may actually be comprised of a set of instructions or directions for gaining access to a computer and intends that the word “password” be construed broadly enough to encompass both single words and longer more detailed explanations on how to access others’ computers.  S. Rep. No. 99-432, at 13 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2491.

A violation of (a)(6) is a misdemeanor, while a second or subsequent conviction is a felony punishable by up to 10 years in prison.


18 U.S.C. § 1030(a)(7): Threatening to damage a protected computer

In basic terms, Subsection (a)(7) prohibits extortion threats involving damage to a computer or involving confidential data.  Threats to access and delete or alter computer information, along with threats of DDoS attacks are covered by this subsection.  To prove a violation of (a)(7) the government must prove:

1. With intent to extort money or any other thing of value

2. transmits in interstate or foreign commerce a communication

3. containing a:

threat to damage a protected computer


threat to obtain or reveal con dential information without or in excess of authorization


demand or request for money or value in relation to damage done in connection with the extortion.

Proving intent to extort does not require proof that the money or thing of value for which the threat issued was obtained.  In other words, the government does not have to prove that the offense was completed by actually obtaining the thing demanded, just the intent to dos suffices.  The threat must be sent in interstate or foreign commerce, but does not have to be sent by computer.  The computer portion comes into play if the threats are targeting, “against computers, computer networks, and their data and programs.”  The threat can be sent by, “mail, a telephone call, electronic mail, or through a computerized messaging service.”

Unlawful threats to the business that owns a computer system, such as threats to reveal flaws in the network or to reveal that the network has been hacked, are not threats to damage a protected computer under this subsection. However, a threat to a business, rather than to a protected computer, might be chargeable as a violation of the Hobbs Act.

Under this subsection the government may charge an offender for the use of ransomware.  In that scenario, an intruder may obtain or encrypt information and refuse to repair or cover the information unless certain demands are met.  In this way, information is held for ransom.  Prosecutors could charge such conduct under (a)(7)(C).

A violation of (a)(7) is punishable by a fine and up to five years in prison.  Any second or subsequent offense is punishable by up to 10 years in prison.

18 U.S.C. § 1030(a)(7): Threatening to damage a protected computer

Attempt and Conspiracy

Attempts to violate 18 U.S.C. 1030 are criminal acts that carry the same statutory penalties as the underlying subsection.  However, the sentencing guidelines call for the reduction of three points from the final calculation in the case of attempt.  This results in a lower  guideline range and a potentially lower sentence.  Thus, an argument that a crime was attempted but not completed may provide some relief in sentencing if it becomes necessary to negotiate a favorable outcome.

In 2008, the Identity Theft Enforcement and Restitution Act amended section 1030(b) to create a new conspiracy offense. It says:

Whoever conspires to commit or attempts to commit an o ense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

However, Congress has not included a penalty provisions in subsection (c) to specify what penalties apply to offenders who engage in a conspiracy to violate section 1030. See, e.g., 18 U.S.C. 1030(c)(1)(A) (specifying a penalty of 10 years imprisonment for “an attempt to commit an offense punishable under this subparagraph” but not mentioning the penalty for conspiracy to commit such an offense).

Like in a drug conspiracy, the government need not prove an overt act in order to obtain a conviction for a section 1030 conspiracy.  Additionally, impossibility is not a defense.  In other words, the object of the conspiracy may be impossible to achieve, but the agreement to hack the objective is sufficient.


How Can We Help


Computer Fraud and Abuse Act violations are serious and wide-ranging. In today’s world where almost everyone has a computer and the government and large companies rely heavily of computer systems to operate, the government is pouring enormous resources and manpower into the detection and prosecution of computer crimes. As a result, the number of prosecutions continues to rise in number and complexity.  The computer crime attorneys at The Henry Law Firm PLLC have represented some of the most high profile hacking cases ever brought by the U.S. government. We have significant experience engaging and arguing against the attorneys in the DOJ cybercrime division.  Our attorneys have been cleared in previous cases to deal with classified information. If you have been contacted about or charged with a Computer Fraud and Abuse Act violation, call immediately at 646-820-0224. Early intervention is extremely important. Let the innovative federal criminal defense attorneys at The Henry Law Firm PLLC provide you with the defense you deserve.

What to Do If You Are Facing a Money Laundering Investigation

According to experts, around $5 trillion is money laundered around the world each year, and law enforcement authorities recover only a small fraction of that money. But, in spite of this gap – and quite possibly because of it – U.S. law enforcement authorities take an extremely hard line in pursuing the money laundering investigations that do end up on their radar, and it is often tertiary and unsuspecting individuals and entities that find themselves in the crosshairs of a money laundering investigation. While we might think of large banks and other financial institutions when we think of money laundering, it is common for business partners, service providers, art and antique dealers, auction houses, trustees, directors and board members, and all types of financial service providers to get caught up in a money laundering investigation. It is certainly frightening to get a visit, call, or other inquiry from a federal agent or agency – or even to hear rumors of those close to you being approached – but what you do next can have enormous implications for your future.

Understand That Criminal Liability Can Exist Even If You Were “Ignorant”

Again, federal law enforcement takes a very aggressive approach to policing money laundering, and they do this for a number of reasons. One is that it is often more feasible for law enforcement to collect evidence of financial crimes than the crimes that produced the money being laundered, such as international trafficking. Law enforcement can also approach those who may played a secondary and/or unwitting role in the money laundering and use methods to intimidate them and their businesses that might lead them to the persons committing the crimes from which the money profits flowed.

Unlike with many other criminal laws, prosecutors do not have to show that a person willfully (in other words, intentionally) violated federal laws on money laundering in order to secure a conviction. Using the concept of “willful blindness,” prosecutors can successfully argue that a person is guilty of money laundering when he makes efforts to conceal the profits of criminal activity even if he did not know the money was the product of illegal activity but had strong reason to suspect it was. For example, an art dealer facilitating transactions on behalf of a wealthy drug dealer to conceal profits might be charged with money laundering if it can be shown there was a reason to suspect the nature of the funds.

Furthermore, anyone who merely encourages or assists such a transaction (e.g. service providers) could potentially be liable even if he or she was not a primary party to the transaction.

Do Not Wait to Speak With a Criminal Defense Attorney

Does this mean every person connected with a transaction involving money derived from illegal activity is criminally liable? Absolutely not, but it does mean that prosecutors can find a way to pin criminal liability on persons in ways they may well not have imagined. Thus, it is a mistake to speak with law enforcement – or any other non-attorney for that matter (any conversation you have not protected by a privilege may be used against you) – without an attorney under the impression that you have nothing to worry about.

By speaking with a criminal defense attorney experienced in federal investigations at the first sign of a money laundering investigation, you can take steps to determine what your potential criminal liability might be (which may be none, but better to find that out in a confidential consultation with an attorney who represents only your interests), and work with that attorney in communicating with law enforcement to reach your best possible outcome, which can include a dropped investigation or favorable agreement.

Contact a New York Defense Attorney Today

The Henry Law Firm PLLC provides criminal defense to individuals and businesses throughout New York in all state and federal investigations and prosecutions. If you believe you may be under investigation for money laundering, do not hesitate to contact us today to schedule a confidential consultation regarding your matter.  

FAQ: Tax Fraud Penalties

Can I be charged with a crime if my taxes are done incorrectly?

Yes. Not only can the IRS can hand down civil penalties for improperly doing your taxes, federal prosecutors can charge you with a tax-related crime if you fail to file a tax return, provide false or fraudulent statements to the IRS, or willfully evade paying your full share of taxes.

What are the criminal penalties for failing to file a tax return?

You face up to one year in prison and up to $100,000 in fines (or up to $200,000 in the case of a corporation). These penalties also apply when a taxpayer fails to pay taxes on time or fails to supply information to the IRS.

What are the criminal penalties for making fraudulent or false statements to the IRS?

You face up to three years in prison and up to $250,000 in fines (or up to $500,000 in the case of a corporation). Making fraudulent or false statements can apply to statements made in your tax return or to government officials.

What are the criminal penalties for tax evasion?

You face up to five years in prison and up to $250,000 in fines (or up to $500,000 in the case of a corporation).

What is the difference between tax evasion and tax avoidance?

Tax avoidance is the legal process of taking advantage of strategies allowable by the tax code to reduce your taxes. Tax avoidance is therefore legal. Tax evasion is using strategies not allowed by the tax code to reduce or eliminate the taxes you pay. Tax evasion is illegal.

What are common methods of tax evasion that can result in criminal penalties?

  • Failing to report income from a side job
  • Failing to report income from rentals
  • Failing to report income paid in cash
  • Overstating deductions that do not exist, such as charitable donations not actually made

What if a person makes a mistake on their tax returns?

If you negligently make a mistake, then you still may owe civil penalties, but the government cannot convict you of a crime unless it was willful on your part. The standard of proof in showing willfulness is guilt beyond a reasonable doubt.

Can I be charged with a crime for assisting another person or entity in tax fraud?

Yes, as with most crimes, you can be charged with a tax-related crime as an accomplice if you assisted and/or encouraged another person to commit tax fraud.

Contact a New York Criminal Defense Attorney Today

The Henry Law Firm PLLC provides criminal defense to individuals and businesses throughout New York. Contact us today to schedule a confidential consultation regarding your matter.  

Do I Need My Own Lawyer in an SEC Investigation?

If your employer is being investigated by the SEC, then you likely have some questions about the SEC investigation process but may not feel comfortable asking them of your supervisor or co-workers. This is understandable, as an SEC investigation can mean significant civil penalties such as fines, permanent career and reputational damage, or loss of a job. One of the most common questions employees of a company under SEC investigation ask is whether they need their own lawyer, and they often trip themselves up by asking the wrong people to answer that question.

Your Company’s Attorneys Cannot Tell Whether You Need a Lawyer

When an employee learns that an SEC investigation is occurring, it is common for the employee to ask the HR director, the General Counsel, or even an outside law firm representing the company whether the employee needs his or her own lawyer. First, it is critical to understand that all of those people are there to serve the interests of the company, not you the employee.  Thus, it is not their job to be concerned with whether you would be better off from a legal perspective by having your own attorney.

In addition, they might not have any idea what your role in potential SEC violations were and thus whether it would serve your interests to have your own attorney or not. If company attorneys are speaking with you about events related to a potential SEC investigation (also note that the company attorneys are likely not under any obligation to tell you whether an investigation is indeed occurring or not), there is a good chance they know less than you do about potential violations at that point and are indeed speaking with you to gather that information, thus making them even less likely to be able to answer that question accurately.

The Company Attorneys Represent the Company, Not You

Beyond the issue of presenting the question of whether you need your own attorney to company lawyers, regardless of what they might say to you, the fact of the matter is that those attorneys represent the company and not you. Simply put, their allegiance and duties are directed towards representing the company’s interests, and that will always be their overriding mission.

Does this mean they are out to get you and will ultimately throw you under the proverbial bus in an SEC investigation? Not necessarily, and the company (and by extension, its attorneys) may have a strong interest in defending, so long as your interests are aligned with those of the company.

But, when push comes to shove, it is the case that they are not there to defend your interests and formulate legal strategies to protect your reputation, career, and future. In many cases, companies under SEC or other federal investigation can curry favor with law enforcement by showing that they are taking a hard line against employees in the company who have violated laws, and so penalizing and/or terminating an employee can be an action a company takes on the advice of its attorneys to reach a favorable outcome with the SEC. And this outcome may be reached on the basis of information you as the soon-to-be terminated employee provide to the company and its attorneys under the mistaken impression that doing so would help your interests.

Contact a New York White Collar Defense Attorney Today

Thus, if you have reason to suspect you face negative consequences in an SEC investigation of your employer, it is wise to reach out to your own white collar investigations attorney to discuss your options in a confidential setting. The Henry Law Firm PLLC provides white collar defense in SEC investigations to individuals and businesses throughout New York. Contact us today to schedule a confidential consultation regarding your matter.  

Other Practice Areas

White Collar Defense and Regulatory Enforcement

We defend public officials, executives, board members, securities brokers, traders, law enforcement personnel, and employees facing criminal charges, internal investigations and regulatory enforcement actions.

learn more

Criminal Appeals

Our attorneys have successfully appealed to The United States Supreme Court and other federal appellate courts throughout the country.

learn more

Federal Criminal Defense

We represent individuals who have been charged with or are being investigated for a full range of federal crimes nationwide.

learn more

Contact Us


535 Fifth Avenue

Suite 2520

New York, NY, 10017

social channels

  • twitter-icon
  • in-icon
  • in-icon


The information on this website is for general information purposes only. Nothing on this site should be taken as legal advice for any individual case or situation. This information is not intended to create, and receipt or viewing does not constitute, an attorney-client relationship. Prior results do not guarantee future outcomes.