Hacking Laws and Punishments


Created by FindLaw's team of attorney writers and editors.

There are several types of computer crimes, but some of the most high-profile examples involve hacking. With data breaches increasingly becoming daily occurrences, hackers have affected everything from the economic (including numerous retail businesses) to the political, invading every aspect of our lives.

However, hacking doesn't always rise to the level of a crime. Because of the varying degrees of hacking and its increasing prevalence in our society, it's important to understand where the lines are drawn. Read on to learn more about hacking laws and punishments and what remedies may apply to victims of electronic intrusions.

Definition of Hacking

Hacking is broadly defined as the act of breaking into a computer system. Hacking isn't always a crime: "ethical hacking" occurs when a hacker is legally permitted to exploit security networks. In other words, it's when a hacker has the appropriate consent or authorization. However, hacking crosses the criminal line when a hacker accesses someone's computer system without such consent or authority.

For instance, if an individual acts without consent or any lawful authorization (i.e., from a law enforcement agency and/or a court order) and penetrates a business's firewall to access private servers and cloud storage systems, or uses phishing to install malware on desktop and laptop computers with the intent to monitor communications and activities, they can be charged with a crime.

Federal Hacking Laws

There are several federal laws that address hacking, including:

  • The Computer Fraud and Abuse Act (CFAA);
  • The Stored Communications Act (SCA);
  • The Electronic Communications Privacy Act (ECPA); and
  • The Defend Trade Secrets Act (DTSA).

Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) is the leading federal anti-hacking legislation that prohibits unauthorized access to another's computer system. Although the law was originally meant to protect the computer systems of U.S. government entities and financial institutions, the scope of the Act expanded with amendments to include practically any computer in the country (including devices such as servers, desktops, laptops, cellphones, and tablets).

Criminal Penalties Under the CFAA

The chart below provides select examples of violations of the CFAA and the penalties.

| Offense | Penalties (Prison Sentence) |
|---|---|
| Obtaining National Security Information | 10 years; 20 years maximum for a second conviction. |
| Accessing a Computer to Defraud and Obtain Value | 5 years; 10 years maximum for a second conviction. |
| Accessing a Computer and Obtaining Information | 1-5 years; 10 years maximum for a second conviction. 1-10 years; 20 years maximum for a second conviction. |
| Intentionally Damaging by Knowing Transmission | 1-10 years; 20 years maximum for a second conviction. |
| Extortion Involving Computers | 5 years; 10 years maximum for a second conviction. |
| Trafficking in Passwords | 1 year; 10 years maximum for a second conviction. |

Civil Violations Under the CFAA

Although the CFAA's penalties are mostly for criminal violations, the 1994 amendment expanded the Act to include causes of action for civil suits, in addition to criminal prosecution.

Civil violations include the following:

  • Obtaining information from a computer through unauthorized access;
  • Trafficking in a computer password that can be used to access a computer;
  • Transmitting spam; and
  • Damaging computer data.

Federal anti-hacking legislation provides civil remedies for hacking victims, including the following:

  • Injunctive relief;
  • Seizure of property; and
  • Impounding of the stolen information and the electronic devices used to carry out the invasion.

Other Federal Hacking Laws

The Stored Communications Act mirrors the prohibitions of the CFAA and protects stored electronic communications and data or data at rest (including email, texts, instant messages, social media accounts, cloud computing and storage, and blogs/microblogs). There is a lot of overlap with the CFAA and often hackers will be in violation of both statutes.

The ECPA, a counterpart law to the SCA, forbids intentional interception of electronic communications in transit or "data in motion," rather than "data at rest."

Hacking Laws: State Laws

Although much of the focus is on federal laws, states have enacted hacking laws as well. While every state has computer crime laws, some states address hacking more specifically with laws that prohibit unauthorized access, computer trespass, and the use of viruses and malware.

For example, approximately half of the states in the country have laws that target the use of denial of service (DoS) attacks. In this form of hacking, an intruder floods the system or servers with traffic, denying access to legitimate users. Florida penalizes this more severely, categorizing this crime as a felony in the first degree.

Ransomware occurs when malware is installed on someone's computer, denying access to the computer unless a ransom is paid. Several states, including California, have laws that specifically criminalize ransomware.

Discuss Hacking Laws and Punishments with an Attorney

Laws at both the federal and state level provide both protections and limitations concerning hacking. If you're charged with a hacking offense and are concerned about how hacking laws and punishments apply to your situation, you should turn to an attorney who understands the complexity of the law. Contact a skilled criminal defense attorney near you today for help with this serious matter.
