Understanding Computer Crime and the Law

A practical guide to how modern laws define, punish, and respond to computer crime in the digital age.

By Medha deb
Created on

Computers, smartphones, and online services are woven into nearly every part of modern life. As technology has expanded, so has the opportunity for crime committed through, or against, computer systems. Computer crime—often called cybercrime—covers a wide range of conduct, from breaking into secure systems to using the internet to commit traditional offenses like fraud and theft.

This article explains what computer crime is, how laws define and regulate it, the kinds of conduct that are commonly prosecuted, and what people should know about potential penalties and defenses. While the focus is on United States law, many of the concepts discussed here appear in similar form across other jurisdictions.

What Counts as Computer Crime?

Broadly, computer crime involves using a computer or network either as the tool to commit an offense or as the target of an offense. It is not limited to sophisticated hacking; even relatively simple misuse of authorized access can fall under computer crime statutes in some situations.

Read More

Navigating Workplace English-Only Rules Legally >

Navigating Workplace English-Only Rules Legally

Key elements usually seen in computer crime laws include:

  • Use of a computer, network, or digital system as part of the conduct.
  • Unauthorized access or misuse of data, accounts, or systems.
  • Intent to cause harm, obtain value, defraud, damage, or otherwise commit an offense.
  • Resulting harm, which may include financial loss, disruption of services, damage to systems, or risk to public safety.

Many jurisdictions treat computer crime as a separate category from traditional offenses, reflecting the unique risks posed by interconnected networks and large-scale data processing.

Types of Computer Crime

The label “computer crime” covers diverse behaviors. Some primarily exploit technology itself, while others use computers as a medium to commit old-fashioned crimes in a new way.

Unauthorized Access and Hacking

One of the best-known forms of computer crime is accessing a computer or network without permission. In U.S. federal law, this is a central focus of the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030. Similar prohibitions exist in state statutes, such as laws on “unlawful use of computer” or “computer trespass.”

Common unauthorized access scenarios include:

  • Breaking into password-protected systems.
  • Using another person’s login credentials without consent.
  • Bypassing technical restrictions to reach restricted files or databases.
  • Installing malware to gain remote control of a device.

Some laws also address situations where a person has legitimate access to a system but goes beyond the scope of what they are allowed to do. Under current U.S. Department of Justice guidance, cases based solely on violating contracts or terms of service are generally not charged as “exceeds authorized access” under the CFAA.

Computer-Related Fraud and Theft

Computers can be used to commit fraud or theft on a large scale, for example by manipulating online transactions or stealing digital assets. Federal law specifically penalizes using unauthorized computer access to defraud and obtain value.

Examples include:

  • Using phishing schemes to capture bank login credentials.
  • Diverting online payments to unauthorized accounts.
  • Manipulating online advertising or affiliate programs to generate false revenue.
  • Stealing or misusing cryptocurrency wallets and tokens.

Damage to Computer Systems and Data

Some computer crimes focus on damaging systems or data rather than stealing information. Federal law criminalizes intentionally causing damage to a “protected computer” through the transmission of harmful code or commands.

Conduct in this category can include:

  • Deploying malware or ransomware that encrypts or destroys data.
  • Launching denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks that overwhelm systems.
  • Deleting or altering key files to disrupt operations.
  • Interfering with systems used for critical services, such as healthcare or public safety.

Content-Related Offenses

Computer crime also covers certain content-related offenses where illegal materials are created, distributed, or accessed through computers. According to legal commentary, this can include copyright infringement, child sexual abuse material, and digital espionage.

Typical examples:

  • Using file-sharing networks to distribute copyrighted content without authorization.
  • Receiving or transmitting child sexual abuse material through email or messaging platforms.
  • Using computers to acquire trade secrets or classified information.

Cyber Harassment, Stalking, and Extortion

Many jurisdictions have expanded traditional harassment and stalking laws to cover online activity. Federal law also penalizes certain forms of extortion involving computers, such as threatening to damage a computer or disclose stolen data to obtain money.

Common behaviors in this category include:

  • Sending repeated threatening or harassing messages via email or social media.
  • Using online platforms to monitor or track a person in a way that causes fear or distress.
  • Threatening to release sensitive data unless paid (data-extortion or ransomware demands).

Legal Framework: Federal and State Regulation

Computer crime in the United States is regulated through both federal and state laws. The interaction between these levels determines what conduct may be prosecuted, and in which courts.

The Computer Fraud and Abuse Act (CFAA)

The CFAA is the primary federal computer crime statute. Enacted in 1986 and amended several times, it targets unauthorized access, damage, fraud, password trafficking, and extortion involving computers. It applies to “protected computers,” a term that includes systems used in or affecting interstate or foreign commerce, as well as government computers.

Major categories of offenses under the CFAA include:

  • Obtaining national security information.
  • Accessing a computer and obtaining information without authorization.
  • Trespassing in government computers.
  • Accessing a computer to defraud and obtain something of value.
  • Intentionally causing damage by transmitting code or commands.
  • Trafficking in passwords or similar access credentials.
  • Extortion that involves threats to computers or data.

Federal prosecutors also consider internal policies on when to bring cases, especially for “exceeds authorized access” charges, to avoid criminalizing mere violations of contracts or user agreements.

State Computer Crime Statutes

Every U.S. state, as well as Puerto Rico and the Virgin Islands, has its own computer crime laws. These statutes often address unauthorized access, computer trespass, disruption of services, computer theft, and unlawful duplication of data.

For example, one state criminal code defines unlawful use of a computer to include:

  • Accessing or exceeding authorized access to alter, damage, or destroy systems or data.
  • Interfering with operation of computers or networks.
  • Publishing or sharing passwords or confidential access information without authorization.

Some states classify these crimes from misdemeanors to felonies depending on the level of unauthorized use, the monetary loss, or the harm caused.

Federal vs. State: How Cases Are Charged

Whether a case is brought under federal or state law depends on several factors, such as the type of system affected, the scale of the conduct, and whether interstate or foreign commerce is involved.

Aspect Federal Computer Crime (e.g., CFAA) State Computer Crime Laws
Scope of systems covered Protected computers affecting interstate/foreign commerce or government systems. Computers, networks, and devices within the state, including personal and business systems.
Typical focus Serious unauthorized access, large-scale damage, national security, multi-state impact. Local unauthorized access, smaller scale fraud, disruption of local services.
Penalties Can include multi-year federal prison sentences and substantial fines. Range from misdemeanors to serious felonies with state prison terms.

Potential Penalties for Computer Crime

Penalties for computer crimes vary widely by jurisdiction and the specific offense. Factors such as the amount of financial loss, the nature of the system targeted, and the defendant’s prior record influence sentencing.

Federal Penalties Under the CFAA

Under federal law, many CFAA offenses carry substantial prison terms, which may increase for repeat violations. For example, statutory maximums range from one year for minor offenses to 10 years or more for serious or repeated violations.

Important considerations include:

  • Loss amount: If the conduct causes at least $5,000 in loss in a year, penalties may increase.
  • Impact on critical systems: Offenses affecting medical care, public safety, or national security are treated more seriously.
  • Repeat offenses: Second convictions can carry enhanced maximum sentences.

State-Level Penalties

State computer crime penalties typically fall within a range from misdemeanors to high-level felonies, depending on the seriousness of the offense. Some states treat minor unauthorized access as a lower-level crime, while significant damage or theft may lead to long prison terms.

Examples of state penalty ranges include:

  • Class B misdemeanors for minor, non-damaging unauthorized use.
  • Felonies for intentional harmful use or major disruption of services.
  • Potential sentences of up to 15 years in state prison for the most serious computer-related felonies.

Key Concepts in Computer Crime Cases

Computer crime prosecutions involve several recurring legal concepts. Understanding these helps explain why some behavior is criminal while similar behavior may not be.

Authorization and Access Boundaries

The distinction between authorized and unauthorized access is central in computer crime law. Federal guidance indicates that prosecutors must prove the defendant accessed areas of a computer to which they were not allowed access, and that they knew their access was not permitted.

Relevant issues include:

  • Whether technical controls (like passwords or access control lists) clearly restricted access.
  • Whether the defendant had permission to access some parts of the system but not others.
  • Whether the case is based on violating written policies, or on bypassing technological barriers.

Protected Computers

Under federal law, many offenses apply only if a “protected computer” is involved. This term encompasses systems used in interstate or foreign commerce and government computers. In practice, this covers most internet-connected devices used for business, as well as federal systems.

Damage, Loss, and Risk

Sentencing and charging decisions are influenced by the harms the conduct caused or could have caused. Federal statutes consider financial loss, physical injury, threats to public health or safety, and damage to systems used for justice or national security.

Defenses and Legal Considerations

Every computer crime case has its own facts, and available defenses depend on the specific conduct and laws involved. However, there are recurring themes in how charges may be challenged.

Challenging Unauthorized Access Allegations

Because computer crime often hinges on whether access was unauthorized, defendants sometimes argue that they had sufficient permission or that the system’s design implied consent.

Potential issues in such arguments include:

  • Ambiguity in internal policies or terms of use.
  • Customary practices in the workplace or system environment.
  • Whether technical measures clearly signaled restricted access.

Intent and Knowledge

Most serious computer crimes require proof that the defendant acted knowingly or intentionally. If the person did not understand they were exceeding permission, or did not intend the resulting harm, those facts might be relevant to defense strategies or to sentencing.

Digital Evidence and Procedure

Computer crime investigations rely heavily on digital evidence: logs, device images, network records, and cloud data. These materials must be collected and handled in a way that respects legal protections and preserves integrity.

Concerns typically include:

  • Proper warrants or legal process for accessing devices and accounts.
  • Chain of custody and documentation of evidence handling.
  • Accuracy and reliability of technical tools used in forensic analysis.

Practical Takeaways for Individuals and Businesses

Given the breadth of computer crime laws, individuals and organizations benefit from understanding basic risk areas and best practices.

  • Know your access rights: Employees and users should be clear about what systems and data they are permitted to access.
  • Respect technical controls: Bypassing passwords or security measures, even for convenience, may have legal implications.
  • Protect sensitive credentials: Sharing passwords or confidential access codes without authorization can itself be a crime in some jurisdictions.
  • Document policies and training: Clear internal policies and security training help reduce inadvertent violations and support compliance efforts.
  • Respond promptly to incidents: If a possible computer crime occurs, early legal and technical response can limit damage and clarify responsibilities.

FAQs About Computer Crime

Is every violation of a website’s terms of service a computer crime?

No. Under current federal charging policy, prosecutors generally do not bring CFAA cases based solely on violations of contracts, terms of service, or employee policies, unless those agreements clearly and completely prohibit access to particular files or accounts. However, state laws may differ, and civil remedies may still apply.

What is a “protected computer” under U.S. federal law?

A “protected computer” includes computers used in or affecting interstate or foreign commerce, as well as those used by or for the U.S. government. Because most internet-connected systems involve interstate communications, this definition covers a broad range of devices.

Can someone be charged for attempting a computer crime?

Yes. Federal law penalizes attempts and conspiracies to commit certain computer crimes, even if the offense is not completed. State laws often include similar provisions for attempt and conspiracy.

Do small incidents of unauthorized access matter legally?

They can. Some jurisdictions treat minor unauthorized access as a misdemeanor, while more harmful or repeated conduct may be charged as a felony. Even lower-level convictions can have lasting consequences, particularly for employment and professional licensing.

Where can I find the text of major computer crime laws?

The full text of the main federal computer crime statute is available in the United States Code at 18 U.S.C. § 1030. Many state legislatures publish their computer crime statutes online as well, often grouped under titles related to crimes and offenses.

References

  1. 18 U.S. Code § 1030 – Fraud and related activity in connection with computers — Legal Information Institute, Cornell Law School. 2023-01-01. https://www.law.cornell.edu/uscode/text/18/1030
  2. Computer Fraud and Abuse Act (CFAA) — National Association of Criminal Defense Lawyers. 2022-05-01. https://www.nacdl.org/Landing/ComputerFraudandAbuseAct
  3. 9-48.000 – Computer Fraud and Abuse Act — U.S. Department of Justice, Justice Manual. 2022-05-19. https://www.justice.gov/jm/jm-9-48000-computer-fraud
  4. Computer Crime Statutes — National Conference of State Legislatures. 2016-01-21. https://www.ncsl.org/technology-and-communication/computer-crime-statutes
  5. Chapter 76 – Computer Offenses — Pennsylvania General Assembly, Title 18 Crimes and Offenses. 2021-12-01. https://legis.state.pa.us/WU01/LI/LI/CT/HTM/18/00.076..HTM
  6. Cybercrime Law — Justia Criminal Law Center. 2023-03-01. https://www.justia.com/criminal/offenses/other-crimes/cybercrimes/
  7. Computer Crimes Law — University of Texas at Austin, Information Security Office. 2022-01-01. https://security.utexas.edu/policies/computercrimes
Medha Deb is an editor with a master's degree in Applied Linguistics from the University of Hyderabad. She believes that her qualification has helped her develop a deep understanding of language and its application in various contexts.

Read full bio of medha deb