Skip to main content
Please enter a legal issue and/or a location
Begin typing to search, use arrow keys to navigate, use enter to select

Hacking Laws and Punishments

Hacking Laws and Punishments

There are several types of computer crimes, but some of the most high-profile examples involve hacking. More and more these days, data breaches have become daily occurrences. As this has become more common, hackers have affected everything from the economical (including numerous retail businesses) to the political. As such, hackers are becoming more and more of a presence in every aspect of everyday life.

However, not every act of hacking rises to the level of a crime. Because of the varying degrees of hacking and its increasing prevalence in modern society, it can be important to understand where the lines between criminal hacking and non-criminal hacking are drawn.

This article contains information about hacking laws and punishments, along with what remedies may apply to victims of electronic intrusions.

Definition of Hacking

Hacking is broadly defined as the act of breaking into a computer system. Hacking is not always a crime, however. In "ethical hacking," for example, a hacker is legally permitted to exploit security networks. In other words, the hacker has the appropriate consent or authorization to do what they are doing. However, hacking crosses the criminal line when a hacker accesses someone else's computer system without such consent or authority.

For example, a hacker can be charged with a crime if they lack consent or any lawful authorization to enter another's computer system. They may have such authorization from a law enforcement agency and/or a court order.

With such authorization, a hacker may legally penetrate a business' firewall to access private servers and cloud storage systems.

However, when a hacker lacks such authorization or consent, they can be charged for having engaged in criminal hacking activities. An example of this is when a hacker uses phishing or social engineering to install malware on computers with the intent to monitor communications and activities.

Federal Hacking Laws

There are several federal laws that address hacking. They include the following:

Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) is the leading federal anti-hacking legislation that prohibits unauthorized access to another's computer system.

Although the law was originally meant to protect the computer systems of U.S. government entities and financial institutions, the scope of the Act expanded with amendments to include practically any computer in the country. Examples of such devices are servers, desktops, laptops, cellphones, and tablets.

Criminal Penalties Under the CFAA

The chart below provides select examples of violations of the CFAA and the penalties.


Penalties (Prison Sentence)

Obtaining National Security Information

First conviction: Up to 10 years

Second conviction: Up to 20 years

Accessing a Computer to Defraud and Obtain Value

First conviction: Up to five years

Second conviction: Up to 10 years

Accessing a Computer and Obtaining Information

First conviction: Up to one year

Second conviction: Up to 10 years

Intentionally Damaging by Knowing Transmission

First conviction: Up to 10 years

Second conviction: Up to 20 years

Extortion Involving Computers

First conviction: Up to five years

Second conviction: Up to 10 years

Trafficking in Passwords

First conviction: Up to one year

Second conviction: Up to 10 years

Civil Violations Under the CFAA

Although the CFAA's penalties are mostly punishments for criminal violations, the 1994 amendment expanded the Act to include causes of action for civil suits, in addition to criminal prosecution.

Civil violations include the following:

  • Obtaining information from a computer through unauthorized access
  • Trafficking in a computer password that can be used to access a computer
  • Transmitting spam
  • Damaging computer data

Federal anti-hacking legislation provides civil remedies for hacking victims. Examples of remedies include the following:

  • Injunctive relief
  • Seizure of property
  • Impounding of the stolen information and the electronic devices used to carry out the invasion

Other Federal Hacking Laws

The Stored Communications Act protects stored electronic communications and data or "data at rest" by providing criminal penalties for anyone who:

  1. Intentionally accesses a facility that provides services for electronic communications, and does so without authorization, or
  2. Intentionally exceeds a level of authorization to access such a facility, while also obtaining or altering data in that system or preventing another's authorized access to such data or communications.

Examples of "data at rest" are emails, texts, instant messages, social media accounts, data in cloud computing and storage, and blogs or microblogs.

This statue criminalizes unauthorized access of company emails by employees who exceed their scope of privilege, the use of stolen passwords to access stored data, and similar breaches of stored data. There is a bit of an overlap between this act and the CFAA. As a result, hackers will often be in violation of both statutes.

The EPCA, a counterpart law to the SCA, forbids intentional interception of electronic communications in transit. This type of data is also known as "data in motion." It primarily acts as a restriction on wiretaps and the interception of signals.

Hacking Laws: State Laws

Although much of the focus is on federal laws, states have also enacted hacking laws.

While every state has computer crime laws, some states address hacking more specifically. States do so with laws that prohibit unauthorized access, computer trespass, and the use of viruses and malware.

For example, approximately half of the states in the country have laws that target the use of denial of service (DoS) attacks. In this form of hacking, an intruder floods the system or servers with traffic, denying access to legitimate users. Florida penalizes this more severely, categorizing this crime as a felony in the first degree.

Ransomware is a type of malware surreptitiously installed on a victim's computer. It denies the victim access to their computer unless a ransom is paid. Several states, including California, have laws that specifically criminalize ransomware.

Discuss Hacking Laws and Punishments with an Attorney

Laws at both the federal and state level provide both protections and limitations concerning hacking. If you have been charged with a hacking offense and are concerned about how hacking laws and punishments apply to your situation, you should turn to an attorney who understands the complexity of the law. Contact a skilled criminal defense attorney near you today for help with this serious matter.

Was this helpful?

Thank you. Your response has been sent.

You Don’t Have To Solve This on Your Own – Get a Lawyer’s Help

Meeting with a lawyer can help you understand your options and how to best protect your rights. Visit our attorney directory to find a lawyer near you who can help.

Or contact an attorney near you:

Next Steps

Contact a qualified criminal lawyer to make sure your rights are protected.

Begin typing to search, use arrow keys to navigate, use enter to select

Help Me Find a Do-It-Yourself Solution

Can I Solve This on My Own or Do I Need an Attorney?

  • Complex criminal defense situations usually require a lawyer
  • Defense attorneys can help protect your rights
  • A lawyer can seek to reduce or eliminate criminal penalties

Get tailored advice and ask your legal questions. Many attorneys offer free consultations.


 If you need an attorney, find one right now.

Copied to clipboard

Find a Lawyer

More Options