Computer Crimes and Hacking Charges

Computer crime charges — often called "hacking" charges — cover a wide range of conduct, from breaking into a company's network to something as simple as logging into an account or system you weren't authorized to use, or using access you did have for a purpose your employer or the system's owner never approved. The core federal law is the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and nearly every state has its own computer-crime statute that can apply on top of, or instead of, federal law. In almost every version of these charges, the single biggest legal question is "authorization" — did you have permission to access the system, and if you had some permission, did you go beyond what it covered?

What counts as a "computer crime"

These charges are broader than the popular image of a stranger breaking through a firewall. Depending on the state and the federal statute involved, "computer crime" can include:

  • Unauthorized access or "computer trespass" — logging into a network, account, device, or database without permission, or after permission has been revoked (for example, using an ex-employer's system after being fired, or accessing an ex-partner's email or social media account).
  • Exceeding authorized access — having legitimate access to a system for one purpose but using it for another (for example, an employee with a valid login pulling records outside their job duties).
  • Computer fraud — using a computer to obtain money, property, or services through deception, or to further a scheme to defraud.
  • Data theft or theft of trade secrets — copying, transmitting, or taking confidential business information, personal data, or intellectual property.
  • Damaging data or systems — introducing malware, ransomware, or code that impairs a computer, network, or the data on it.
  • Identity-related offenses — using stolen credentials, credit card numbers, or personal information obtained through a computer.

These charges can be filed as state crimes, federal crimes, or both, and the same underlying conduct can also lead to a civil lawsuit from the company or person affected, separate from any criminal case.

The federal law: the Computer Fraud and Abuse Act

The CFAA, codified at 18 U.S.C. § 1030, is the main federal computer-crime statute. In general terms, it makes it a crime to intentionally access a "protected computer" without authorization, or in a way that exceeds authorized access, and in doing so obtain information, cause damage, commit fraud, or further extortion. "Protected computer" is defined broadly and, as a practical matter, covers almost any computer connected to the internet, including ordinary personal computers, servers, and phones, not just government or financial-institution systems.

The CFAA has both a criminal side (prosecuted by federal authorities) and a civil side that lets a private company or individual sue for damages. It's common for a business to pursue both a criminal referral and its own civil case arising from the same incident, such as a departing employee taking client files or a hacked email account used to redirect payments.

Whether specific conduct is charged as a federal felony, a federal misdemeanor, or not charged federally at all often depends on things like the type of system involved, whether the activity crossed state lines, the value of what was taken or the extent of damage caused, and whether the government's own computers, financial institutions, or interstate commerce were affected. These jurisdictional and severity factors are genuinely complicated and change based on the specific facts — this is not something to try to size up yourself from a description online.

State computer-crime laws

Most states have their own computer-crime or "computer trespass" statutes that overlap with the CFAA and are used more often in ordinary, local cases — an employee dispute, an ex-partner's account, a local business's stolen customer list. State laws differ significantly in how they define unauthorized access, what counts as a protected system, and how offenses are graded (as a low-level misdemeanor versus a felony), and the penalty ranges and dollar-loss thresholds used to set the severity of a charge vary from state to state. Because of that variation, don't rely on a number you saw online or in another state's news story — ask a lawyer licensed in the state where you're charged, or check that state's statute directly, for the actual classification and range that applies to your case.

Why "authorization" is the key issue

Almost every real dispute in these cases comes down to one question: was the access authorized, and if so, how far did that authorization go? Common fact patterns include:

  • Former employees or account holders. Access that was permitted while employed or in a relationship can become "unauthorized" the moment it ends — but exactly when authorization ends, and whether it was clearly communicated, is often disputed.
  • Shared credentials. Using a login someone gave you voluntarily is a very different legal situation from guessing, stealing, or "cracking" a password — but prosecutors and companies don't always draw that line the way you would.
  • Employees using work access for personal reasons. Whether looking at data outside your job duties turns routine access into a crime is one of the most litigated questions under the CFAA, and courts have taken different views over the years.
  • Security research or "white hat" testing. Probing a system's vulnerabilities without an explicit agreement authorizing the testing can expose even well-intentioned researchers to charges.

Because authorization is often a matter of degree, contracts, workplace policies, terms-of-service language, and how permission was communicated (or revoked) can all become central evidence in the case.

Common defenses

Every case is fact-specific, but defenses that come up often in computer-crime cases include:

  • You were authorized. You had permission — express or reasonably implied — to access the system or data in question.
  • No intent. Most of these statutes require the prosecution to prove you acted knowingly or intentionally, not accidentally or through simple carelessness.
  • Mistaken attribution. Digital evidence tying an act to a specific person (an IP address, a device, or an account) can be wrong, shared, spoofed, or compromised by someone else.
  • No damage or loss, or below the threshold required for the charge. Some provisions require a minimum showing of harm or value to support a particular charge level.
  • Problems with how evidence was obtained. If investigators searched a device, email account, or cloud storage without a valid warrant or a recognized exception, that evidence may be challenged and potentially excluded.

Your constitutional rights in a computer-crime investigation

The core rules of criminal procedure apply the same way in a computer-crime case as in any other: you are presumed innocent, and the prosecution must prove every element of the charge beyond a reasonable doubt. Several settled constitutional protections are especially relevant here:

  • The right to remain silent. If you are in custody and questioned by police, they must inform you of your right to remain silent and to an attorney before any interrogation, under Miranda v. Arizona (1966). You do not have to explain your side of the story, your passwords, or your online activity to investigators.
  • The right to counsel. If you cannot afford a lawyer, one must be appointed to represent you in a criminal case, under Gideon v. Wainwright (1963). You also have the right to represent yourself if you clearly and knowingly choose to, under Faretta v. California (1975) — though in a case involving forensic and technical evidence, that is rarely a good idea.
  • Protection against unreasonable searches. The Fourth Amendment generally requires a warrant to search your devices, accounts, or cloud data, and evidence obtained through an illegal search can be suppressed under the exclusionary rule, which the Supreme Court applied to state prosecutions in Mapp v. Ohio (1961).
  • The right to a speedy trial. Under Barker v. Wingo (1972), unreasonable delay in bringing a case to trial can itself become a constitutional issue, though courts weigh several factors in deciding whether a delay crossed the line.
  • The right to see favorable evidence. The prosecution must turn over evidence favorable to the defense, including anything that undermines the reliability of forensic or digital evidence, under Brady v. Maryland (1963).
  • The right to effective counsel. If your lawyer's performance was seriously deficient and it affected the outcome, that can be grounds for challenging a conviction under Strickland v. Washington (1984) — all the more reason to hire counsel experienced with digital-evidence cases from the start.

Time-sensitive issues to watch for

  • Preservation letters and subpoenas. If you receive a letter demanding you preserve devices, accounts, or data, do not delete, alter, or dispose of anything — doing so can itself become a separate crime (obstruction or evidence tampering), regardless of how the underlying case turns out.
  • Arraignment and bail deadlines. Once charged, court dates and bail conditions come with hard deadlines; missing them can lead to an arrest warrant.
  • Statute of limitations. Federal crimes generally must be charged within five years of the offense unless a specific statute says otherwise (18 U.S.C. § 3282), but this can pause or extend under certain circumstances. State time limits differ — confirm the applicable deadline with a lawyer rather than assuming.

What to do if you're being investigated or charged

  1. Stop talking to investigators, employers' internal investigators, or the other side without a lawyer present. Anything you say — including an explanation meant to clear things up — can be used against you.
  2. Do not delete, wipe, or alter any device, account, or data once you know you're under investigation or facing a claim, even data you believe is unrelated or personal.
  3. Preserve your own records that might support your defense: employment agreements, permission emails, shared-credential messages, or documentation of your job duties.
  4. Contact a criminal defense lawyer as soon as possible, ideally one with experience in cases involving digital or forensic evidence — these cases often turn on technical details that a general practitioner may not be equipped to challenge.
  5. Do not engage in "self-help." Don't try to access the same system again, delete traces, or contact witnesses or alleged victims to sort things out yourself.
  6. Ask about both the criminal and civil exposure. Because CFAA and many state laws allow civil suits, you may be facing a lawsuit in addition to a criminal case, and your lawyer needs to account for both.

Takeaways

Computer-crime statutes are written broadly, and "hacking" charges often arise from disputes over authorization rather than dramatic break-ins. If you're facing one of these charges, the facts about what access you had, what you were told, and what you actually did will matter enormously — and those facts are best worked through with a lawyer, not sorted out on your own with investigators or the other side.

This article is general legal information, not legal advice, and reading it does not create an attorney-client relationship. If you are under investigation or have been charged with a computer crime, talk to a licensed criminal defense attorney in your state as soon as possible.

Frequently asked questions

Can I be charged with a crime for using someone else's password, even if they gave it to me?

It depends. If the person voluntarily shared their password and you stayed within what they authorized, that's very different from guessing, stealing, or using credentials after permission was withdrawn. But because authorization disputes are so fact-specific and vary by state, this is exactly the kind of question to bring to a lawyer rather than assume an answer.

Is it a crime to look at files or data at work that aren't part of my job?

It can be, depending on federal and state law and your employer's policies. Using legitimate system access for a purpose outside what you were authorized to do is one of the most commonly disputed issues in computer-crime cases, and courts have not always agreed on where the line falls.

Can I be sued and criminally charged for the same computer incident?

Yes. The federal CFAA and many state computer-crime laws allow both criminal prosecution and a private civil lawsuit for damages arising from the same conduct, and a company that discovers unauthorized access or data theft may pursue both at once.

Do I have to answer questions from my company's IT or HR investigators about computer activity?

You generally are not required to incriminate yourself, and anything you say to an employer's internal investigators can potentially be shared with law enforcement or used in a related lawsuit. If you're concerned about criminal or civil exposure, talk to a lawyer before answering questions from anyone, including your own employer.

What should I do if I get a letter asking me to preserve my devices or accounts?

Do not delete, wipe, reset, or dispose of the device, account, or data described in the letter. Destroying potential evidence, even data you think is unrelated, can lead to separate criminal exposure for obstruction or tampering. Contact a lawyer promptly to understand your obligations.

This article is general legal information, not legal advice, and may not reflect the most current law or the law in your jurisdiction. Laws vary by state and change over time. For advice about your specific situation, consult a licensed attorney.

Knowing your rights is the first step

Join thousands committing to calmly and consistently exercise their constitutional rights.

Take the Pledge