Hacking Laws and Punishments
By Samuel Strom, J.D. | Legally reviewed by Samuel Strom, J.D. | Last reviewed December 02, 2023
This article has been written and reviewed for legal accuracy, clarity, and style by FindLaw’s team of legal writers and attorneys and in accordance with our editorial standards.
The last updated date refers to the last time this article was reviewed by FindLaw or one of our contributing authors. We make every effort to keep our articles updated. For information regarding a specific legal issue affecting you, please contact an attorney in your area.
The Declaration states that all human beings have rights to life, liberty, and security of their person. It provides for the end of enslavement and torture. Its 30 articles set a foundation for the development of international humanitarian law. It also helped longstanding efforts to secure human rights in the international community.
There are several types of computer crimes. Some of the most high-profile examples involve hacking. As cybercrime has become more common, hackers have affected everything from economics to politics.
But not every act of hacking rises to the level of a crime. Because of the varying degrees of hacking and its increasing prevalence in modern society, it's important to understand when hacking becomes a crime.
This article contains information about hacking laws and punishments. It also discusses remedies for hacking victims.
Definition of Computer Hacking
Hacking is broadly defined as the act of breaking into a computer system. Hacking may lead to criminal charges when a hacker accesses someone else's computer system without consent.
For example, a hacker may use a phishing scam to install malware on a computer network. They may also install computer programs, allowing them to commit identity theft or steal confidential information.
Federal Computer and Hacking Laws
Several federal laws address hacking. Computer hacking laws include the following:
- The Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030)
- The Stored Communications Act (SCA)
- The Electronic Communications Privacy Act (ECPA)
These laws, described below, prohibit hacking into a protected computer. A protected computer refers to the following:
- A government computer
- A financial institution's computer
- Any computer used in interstate commerce or communications
- Any computer used in foreign commerce or communications
Practically speaking, any computer connected to the internet is a protected computer.
Hacking a protected computer is a federal crime. So, the federal government, through its federal prosecutors, may bring charges against hackers. Depending on the computer hacking charges, it may result in a felony or misdemeanor.
Ethical Hacking
Hacking is not always a crime. In ethical hacking, a hacker is legally permitted to exploit security networks. In other words, the hacker has the appropriate consent or authorization to hack into a system. With such approval, a hacker may legally penetrate a business' firewall to access private servers and cloud storage systems.
They may have such permission from a law enforcement agency or a court order. The government can charge a hacker if they lack consent or any lawful authorization to enter another's computer system.
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) is the leading federal anti-hacking legislation. It prohibits unauthorized computer access.
Criminal Penalties Under the CFAA
The chart below provides select examples of violations of the CFAA and its penalties.
Offense |
Penalties (Prison Sentence) |
---|---|
Obtaining National Security Information |
First conviction: Up to 10 years Second conviction: Up to 20 years |
Accessing a Computer to Defraud and Obtain Value |
First conviction: Up to five years Second conviction: Up to 10 years |
Accessing a Computer and Obtaining Information |
First conviction: Up to one year Second conviction: Up to 10 years |
Intentionally Damaging by Knowing Transmission |
First conviction: Up to 10 years Second conviction: Up to 20 years |
Extortion Involving Computers |
First conviction: Up to five years Second conviction: Up to 10 years |
Trafficking in Passwords |
First conviction: Up to one year Second conviction: Up to 10 years |
Civil Violations Under the CFAA
The CFAA's penalties are mostly punishments for criminal violations. The 1994 amendment, however, expanded the Act. It now includes causes of action for civil suits and criminal prosecutions.
Civil violations include the following:
- Obtaining information from a computer through unauthorized access
- Trafficking a computer password that one can use to access a computer
- Transmitting spam
- Damaging computer data
Civil cases do not result in prison time. Instead, examples of civil remedies include the following:
- Injunctive relief
- Seizure of property
- Impounding stolen information and the electronic devices used to carry out the invasion
Read FindLaw's article, The Differences Between a Criminal and Civil Case, for more information about remedies.
Other Federal Hacking Laws
The CFAA is not the only federal law protecting your digital information. This section describes other important federal laws regarding hacking and digital privacy.
The Electronic Communications Privacy Act
The ECPA forbids intentional interception of electronic communications in transit. It primarily acts as a restriction on wiretaps and the interception of signals. This type of data is also known as "data-in-transit." It refers to data while it is in transit to its destination.
Examples of data in motion include the following:
- Emails
- Text messages
- Phone calls
- Data while it's being uploaded from a cell phone to cloud storage
- Data transfers between a hard drive and a computer
The ECPA has three titles:
- Title I prohibits wiretaps (with some exceptions). It also prohibits the government from introducing illegally obtained communications as evidence in a criminal case.
- Title II is known as the Stored Communications Act, described below.
- Title III requires the government to obtain authorization to install certain surveillance technology, such as trap and trace devices and pen registers.
For more information about government surveillance, read FindLaw's article on wiretapping.
The Stored Communications Act
The SCA protects stored electronic communications and data or "data-at-rest."
The SCA has roots in the Fourth Amendment to the U.S. Constitution. The Fourth Amendment protects people from unreasonable governmental searches and seizures. If someone has a reasonable expectation of privacy in their property, the government typically must obtain a warrant to search it.
One exception to the Fourth Amendment is the third-party doctrine. Under this doctrine, if someone shares private information with a third party, Fourth Amendment protection ends. So, the government typically does not need a search warrant.
Congress passed the SCA in response to advancing technology that the Fourth Amendment did not foresee. For example, suppose you send someone a text message. Generally, a service provider stores the text message in a database. This service provider is a third party; the text is shared with them even though they didn't send or receive it. So, per the third-party doctrine, you don't have a reasonable expectation in the message.
The SCA applies to service providers that store data and electronic information. It relates to both government and private access to such information. It also generally prevents service providers from releasing such information.
The SCA provides criminal penalties for anyone who commits the following acts:
- Intentionally accesses a facility that provides services for electronic communications without authorization; or
- Intentionally exceeds a level of authorization to access such a facility and obtains or alters data or prevents another's authorized access to such data or communications
Examples of "data-at-rest" include the following:
- Emails stored in a database
- Text messages stored in a database
- Instant messages stored in a database
- Data in cloud storage
- Data on a hard drive
This statute criminalizes the following acts, among others:
- Unauthorized access to stored company emails by employees who exceed the scope of their privilege
- The use of stolen passwords to access stored data
- Similar breaches of stored data
There is some overlap between the SCA and the CFAA. So, the government may sometimes charge hackers under both statutes.
Hacking Laws: State Laws
Although much focus is on federal laws, states have also enacted hacking laws.
While every state has computer crime laws, some states address hacking more specifically. States do so with laws prohibiting unauthorized access, computer trespass, and the use of viruses and malware.
For example, approximately half of the states in the country have laws that target the use of denial of service (DoS) attacks. In this form of hacking, an intruder floods the system or servers with traffic, denying access to legitimate users.
Ransomware is a type of malware secretly installed on a victim's computer. It denies the victim access to their computer unless they pay a ransom. Several states, including California, have laws that specifically criminalize ransomware.
Contact a Criminal Defense Lawyer
Laws at both the federal and state levels provide protections concerning hacking crimes. Contact a criminal defense attorney if the government has charged you with a hacking offense. An experienced criminal lawyer can provide you with information about the following:
- Your state's laws regarding hacking crimes
- Crimes related to hacking, such as wire fraud, credit card fraud, and related crimes
- General information about criminal law and sentencing guidelines
- Specific legal strategies regarding pending hacking cases
Contact a skilled criminal defense attorney today for help.
Can I Solve This on My Own or Do I Need an Attorney?
- Complex criminal defense situations usually require a lawyer
- Defense attorneys can help protect your rights
- A lawyer can seek to reduce or eliminate criminal penalties
Get tailored advice and ask your legal questions. Many attorneys offer free consultations.
Stay up-to-date with how the law affects your life

Learn more about FindLaw’s newsletters, including our terms of use and privacy policy.