Cybercrime Laws and Prosecutions in the U.S.

Federal and state statutes criminalize a broad range of computer-based offenses, from unauthorized system access to large-scale identity fraud and ransomware deployment. Cybercrime prosecutions in the United States sit at the intersection of traditional criminal procedure and specialized digital evidence law, drawing on statutes enacted decades apart and enforcement by agencies with distinct jurisdictional mandates. Understanding the statutory framework, classification of offenses, and procedural mechanics matters because penalties under federal law can reach 20 years of imprisonment per count for aggravated offenses under the primary governing statute.

Definition and Scope

Cybercrime in the U.S. legal system encompasses criminal conduct in which a computer network, digital device, or electronic communications infrastructure is either the instrument of the offense, the target of the offense, or both. The principal federal statute is the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030. Enacted in 1986 and amended repeatedly — including substantive expansions in 1996, 2001, and 2008 — the CFAA prohibits unauthorized access to "protected computers," a term the statute defines broadly to include any computer used in or affecting interstate or foreign commerce, which in practice covers virtually every internet-connected device.

Parallel federal statutes address overlapping conduct:

State legislatures have enacted their own cybercrime codes. All 50 states maintain statutes criminalizing unauthorized computer access, though penalty tiers, definitions of "access," and ancillary offense categories vary by jurisdiction. The relationship between federal and state prosecutorial authority is governed by the same concurrent-jurisdiction principles that apply across federal vs. state criminal jurisdiction.

How It Works

Federal cybercrime prosecutions are typically initiated by the Federal Bureau of Investigation (FBI), the U.S. Secret Service (USSS), or the Department of Homeland Security's Cyber Division. The prosecuting authority is a U.S. Attorney's Office under the supervision of the Department of Justice (DOJ) Computer Crime and Intellectual Property Section (CCIPS). CCIPS publishes prosecutorial guidance and maintains the primary federal framework for charging decisions.

A standard federal cybercrime prosecution follows a discrete sequence:

  1. Investigation — Agents obtain electronic evidence through subpoenas, court-ordered access under the Stored Communications Act (SCA, 18 U.S.C. § 2703), or search warrants governed by Fourth Amendment search and seizure doctrine. Digital forensic analysis of seized devices or network logs occurs at this stage.
  2. Charging decision — Prosecutors evaluate which CFAA subsections apply. Section 1030(a)(2) addresses unauthorized access to obtain information; § 1030(a)(5) addresses intentional damage to protected computers. Aggravated offenses that cause damage exceeding $5,000, involve critical infrastructure, or affect national security carry elevated maximum sentences (18 U.S.C. § 1030(c)).
  3. Grand jury or information — Federal felony charges require grand jury indictment or a waived information. The grand jury process evaluates probable cause based on digital and testimonial evidence.
  4. Arraignment and pretrial — The defendant is formally charged at arraignment, and pretrial motions may challenge evidence obtained through digital surveillance.
  5. Trial or disposition — The majority of federal cybercrime cases resolve through plea bargaining. When cases proceed to trial, digital forensic evidence plays a central role, assessed under Federal Rules of Evidence including authentication requirements under FRE 901.
  6. Sentencing — The U.S. Sentencing Guidelines (Chapter 2B, §2B1.1 for fraud-based offenses; §2B2.3 for trespass offenses) apply specific enhancements for loss amounts, number of victims, and use of sophisticated means. Sentences can include imprisonment, supervised release, restitution, and forfeiture of criminal proceeds.

Common Scenarios

Cybercrime offenses cluster into identifiable categories based on the nature of the conduct and the applicable statutory subsection.

Unauthorized access (hacking) — Prosecuted under 18 U.S.C. § 1030(a)(2) or § 1030(a)(4), these cases involve intrusion into computer systems without authorization or in excess of authorized access. The "exceeds authorized access" language has generated substantial circuit-level litigation regarding the scope of insider-threat prosecutions.

Ransomware and malware deployment — Charged under § 1030(a)(5) for intentional damage, these cases often overlap with RICO Act and wire fraud charges when organized criminal networks are involved. The FBI's Internet Crime Complaint Center (IC3) reported $4.2 billion in losses attributed to cybercrime in 2020 (FBI IC3 2020 Annual Report).

Identity theft — Aggravated identity theft under 18 U.S.C. § 1028A carries a mandatory 2-year consecutive sentence, distinct from the predicate offense sentence. This intersects with white-collar crime federal prosecution frameworks when the conduct involves financial fraud.

Phishing and wire fraud — Schemes using fraudulent electronic communications to obtain credentials or funds are charged under the Wire Fraud statute (18 U.S.C. § 1343), which carries a maximum sentence of 20 years per count, or 30 years if the fraud affected a financial institution.

Child exploitation offenses — Federal statutes at 18 U.S.C. §§ 2252–2260 address production, distribution, and possession of child sexual abuse material (CSAM) through digital networks. These offenses carry mandatory minimum sentences and mandatory sex offender registry requirements upon conviction.

Decision Boundaries

Several analytical distinctions determine whether a given cybercrime scenario triggers federal versus state jurisdiction, and which specific statutory provisions apply.

Federal vs. state prosecution thresholds — Federal jurisdiction under the CFAA attaches when the targeted computer is a "protected computer" used in interstate commerce. State statutes may reach purely intrastate conduct or offenses below federal damage thresholds. When both federal and state charges are possible, prosecutorial decisions typically favor the jurisdiction with superior investigative resources and higher sentencing exposure.

Authorization vs. exceeds-authorization — The CFAA distinguishes between persons with no authorization at all and those who had authorization but exceeded its scope. The U.S. Supreme Court addressed this boundary in Van Buren v. United States, 593 U.S. ___ (2021), narrowing the "exceeds authorized access" theory to cases where a person accesses files or data areas that are otherwise off-limits, not merely cases where access was used for an improper purpose.

Civil vs. criminal CFAA actions — Section 1030(g) creates a private civil cause of action for victims of CFAA violations, subject to a $5,000 damage threshold. Criminal prosecutions and civil litigation can proceed independently, raising separate evidentiary and procedural standards. The burden of proof in criminal proceedings requires proof beyond a reasonable doubt, while civil CFAA plaintiffs proceed under a preponderance standard.

Stored vs. intercepted communications — The Wiretap Act (18 U.S.C. § 2511) and the SCA (18 U.S.C. § 2701) carry different enforcement thresholds and remedies. Interception of communications in real time invokes the Wiretap Act's more stringent requirements; access to stored communications is governed by the SCA and requires different court order processes under 18 U.S.C. § 2703.

International dimensions — Transnational cybercrime cases may involve mutual legal assistance treaties (MLATs) for evidence collection abroad and extradition requests through the DOJ's Office of International Affairs. The Budapest Convention on Cybercrime, to which the United States is a signatory, provides a framework for international cooperation in cybercrime investigations.
