Hacking Laws and Punishments

The Declaration states that all human beings have rights to life, liberty, and security of their person. It provides for the end of enslavement and torture. Its 30 articles set a foundation for the development of international humanitarian law. It also helped longstanding efforts to secure human rights in the international community.

There are several types of computer crimes. Some of the most high-profile examples involve hacking. As cybercrime has become more common, hackers have affected everything from economics to politics.

But not every act of hacking rises to the level of a crime. Because of the varying degrees of hacking and its increasing prevalence in modern society, it's important to understand when hacking becomes a crime.

This article contains information about hacking laws and punishments. It also discusses remedies for hacking victims.

Definition of Computer Hacking

Hacking is broadly defined as the act of breaking into a computer system. Hacking may lead to criminal charges when a hacker accesses someone else's computer system without consent.

For example, a hacker may use a phishing scam to install malware on a computer network. They may also install computer programs, allowing them to commit identity theft or steal confidential information.

Federal Computer and Hacking Laws

Several federal laws address hacking. Computer hacking laws include the following:

These laws, described below, prohibit hacking into a protected computer. A protected computer refers to the following:

  • A government computer
  • A financial institution's computer
  • Any computer used in interstate commerce or communications
  • Any computer used in foreign commerce or communications

Practically speaking, any computer connected to the internet is a protected computer.

Hacking a protected computer is a federal crime. So, the federal government, through its federal prosecutors, may bring charges against hackers. Depending on the computer hacking charges, it may result in a felony or misdemeanor.

Ethical Hacking

Hacking is not always a crime. In ethical hacking, a hacker is legally permitted to exploit security networks. In other words, the hacker has the appropriate consent or authorization to hack into a system. With such approval, a hacker may legally penetrate a business' firewall to access private servers and cloud storage systems.

They may have such permission from a law enforcement agency or a court order. The government can charge a hacker if they lack consent or any lawful authorization to enter another's computer system.

Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) is the leading federal anti-hacking legislation. It prohibits unauthorized computer access.

Criminal Penalties Under the CFAA

The chart below provides select examples of violations of the CFAA and its penalties.


Penalties (Prison Sentence)

Obtaining National Security Information

First conviction: Up to 10 years

Second conviction: Up to 20 years

Accessing a Computer to Defraud and Obtain Value

First conviction: Up to five years

Second conviction: Up to 10 years

Accessing a Computer and Obtaining Information

First conviction: Up to one year

Second conviction: Up to 10 years

Intentionally Damaging by Knowing Transmission

First conviction: Up to 10 years

Second conviction: Up to 20 years

Extortion Involving Computers

First conviction: Up to five years

Second conviction: Up to 10 years

Trafficking in Passwords

First conviction: Up to one year

Second conviction: Up to 10 years

Civil Violations Under the CFAA

The CFAA's penalties are mostly punishments for criminal violations. The 1994 amendment, however, expanded the Act. It now includes causes of action for civil suits and criminal prosecutions.

Civil violations include the following:

  • Obtaining information from a computer through unauthorized access
  • Trafficking a computer password that one can use to access a computer
  • Transmitting spam
  • Damaging computer data

Civil cases do not result in prison time. Instead, examples of civil remedies include the following:

  • Injunctive relief
  • Seizure of property
  • Impounding stolen information and the electronic devices used to carry out the invasion

Read FindLaw's article, The Differences Between a Criminal and Civil Case, for more information about remedies.

Other Federal Hacking Laws

The CFAA is not the only federal law protecting your digital information. This section describes other important federal laws regarding hacking and digital privacy.

The Electronic Communications Privacy Act

The ECPA forbids intentional interception of electronic communications in transit. It primarily acts as a restriction on wiretaps and the interception of signals. This type of data is also known as "data-in-transit." It refers to data while it is in transit to its destination.

Examples of data in motion include the following:

  • Emails
  • Text messages
  • Phone calls
  • Data while it's being uploaded from a cell phone to cloud storage
  • Data transfers between a hard drive and a computer

The ECPA has three titles:

  • Title I prohibits wiretaps (with some exceptions). It also prohibits the government from introducing illegally obtained communications as evidence in a criminal case.
  • Title II is known as the Stored Communications Act, described below.
  • Title III requires the government to obtain authorization to install certain surveillance technology, such as trap and trace devices and pen registers.

For more information about government surveillance, read FindLaw's article on wiretapping.

The Stored Communications Act

The SCA protects stored electronic communications and data or "data-at-rest."

The SCA has roots in the Fourth Amendment to the U.S. Constitution. The Fourth Amendment protects people from unreasonable governmental searches and seizures. If someone has a reasonable expectation of privacy in their property, the government typically must obtain a warrant to search it.

One exception to the Fourth Amendment is the third-party doctrine. Under this doctrine, if someone shares private information with a third party, Fourth Amendment protection ends. So, the government typically does not need a search warrant.

Congress passed the SCA in response to advancing technology that the Fourth Amendment did not foresee. For example, suppose you send someone a text message. Generally, a service provider stores the text message in a database. This service provider is a third party; the text is shared with them even though they didn't send or receive it. So, per the third-party doctrine, you don't have a reasonable expectation in the message.

The SCA applies to service providers that store data and electronic information. It relates to both government and private access to such information. It also generally prevents service providers from releasing such information.

The SCA provides criminal penalties for anyone who commits the following acts:

  1. Intentionally accesses a facility that provides services for electronic communications without authorization; or
  2. Intentionally exceeds a level of authorization to access such a facility and obtains or alters data or prevents another's authorized access to such data or communications

Examples of "data-at-rest" include the following:

  • Emails stored in a database
  • Text messages stored in a database
  • Instant messages stored in a database
  • Data in cloud storage
  • Data on a hard drive

This statute criminalizes the following acts, among others:

  • Unauthorized access to stored company emails by employees who exceed the scope of their privilege
  • The use of stolen passwords to access stored data
  • Similar breaches of stored data

There is some overlap between the SCA and the CFAA. So, the government may sometimes charge hackers under both statutes.

Hacking Laws: State Laws

Although much focus is on federal laws, states have also enacted hacking laws.

While every state has computer crime laws, some states address hacking more specifically. States do so with laws prohibiting unauthorized access, computer trespass, and the use of viruses and malware.

For example, approximately half of the states in the country have laws that target the use of denial of service (DoS) attacks. In this form of hacking, an intruder floods the system or servers with traffic, denying access to legitimate users.

Ransomware is a type of malware secretly installed on a victim's computer. It denies the victim access to their computer unless they pay a ransom. Several states, including California, have laws that specifically criminalize ransomware.

Contact a Criminal Defense Lawyer

Laws at both the federal and state levels provide protections concerning hacking crimes. Contact a criminal defense attorney if the government has charged you with a hacking offense. An experienced criminal lawyer can provide you with information about the following:

Contact a skilled criminal defense attorney today for help.

Was this helpful?

Can I Solve This on My Own or Do I Need an Attorney?

  • Complex criminal defense situations usually require a lawyer
  • Defense attorneys can help protect your rights
  • A lawyer can seek to reduce or eliminate criminal penalties

Get tailored advice and ask your legal questions. Many attorneys offer free consultations.


If you need an attorney, find one right now.