Computer crime charges sound like something out of a movie, but they apply to a much wider range of conduct than most people realize. Logging into an ex-partner’s email. Using a coworker’s password to pull up a file. Sharing a streaming service login that violates the terms of service. Running a vulnerability scan on a website without permission. Sending a phishing-style message as a “prank.” In 2026, all of these can trigger criminal charges under either California law, federal law, or both.
The stakes are high. A federal Computer Fraud and Abuse Act (CFAA) conviction can carry up to 10 years for a first offense and 20 years for repeat or aggravated conduct. A California Penal Code § 502 conviction can mean up to 3 years in state prison plus civil liability to the victim. Both laws are written broadly enough that prosecutors can charge conduct most people wouldn’t think twice about.
If you’ve been contacted by the FBI, the U.S. Secret Service, a state agency, or local law enforcement about a computer or internet-related matter, talk to a Los Angeles criminal defense attorney before saying a word. Computer crime cases are evidence-heavy and timeline-sensitive, and early intervention can change the outcome significantly.
The Federal Law: The Computer Fraud and Abuse Act (CFAA)
The primary federal computer crime law is 18 U.S.C. § 1030 (the Computer Fraud and Abuse Act). Originally passed in 1986 to address hacking of government and bank computers, the CFAA has been amended repeatedly and now reaches essentially any computer connected to the internet.
The CFAA prohibits seven main categories of conduct involving “protected computers” (a term that, in practice, covers almost any computer connected to the internet):
1. Obtaining national security information (§ 1030(a)(1)) Knowingly accessing a computer without authorization and obtaining national defense or foreign relations information. Up to 10 years for a first offense.
2. Accessing a computer to obtain information (§ 1030(a)(2)) Intentionally accessing a computer without authorization or exceeding authorized access to obtain information. This is the most common charge and the broadest. Up to 1 year (misdemeanor), or up to 5 years (felony) if done for commercial advantage, financial gain, or with damages over $5,000.
3. Trespassing on a government computer (§ 1030(a)(3)) Up to 1 year for a first offense.
4. Accessing a computer to commit fraud (§ 1030(a)(4)) Knowingly accessing a protected computer with intent to defraud, where the conduct furthers the fraud and yields anything of value over $5,000. Up to 5 years for a first offense.
5. Damaging a computer (§ 1030(a)(5)) Knowingly causing damage, including transmitting code, programs, or commands. This is how ransomware and malware cases are typically charged. Up to 10 years for a first offense, with enhancements up to 20 years for repeat offenders or aggravated harm.
6. Trafficking in passwords (§ 1030(a)(6)) Up to 1 year for a first offense.
7. Threatening to damage a computer (§ 1030(a)(7)) Extortion-type threats involving computers. Up to 5 years.
Van Buren v. United States: A Critical Defense
In Van Buren v. United States (2021), the U.S. Supreme Court significantly narrowed the CFAA. A police officer named Nathan Van Buren had accepted money to look up a license plate in a law enforcement database he was authorized to use. He was charged under § 1030(a)(2) for “exceeding authorized access.”
The Supreme Court reversed the conviction and held that a person does not “exceed authorized access” merely by using legitimately accessible data for an improper purpose. The CFAA now reaches only conduct where someone accesses files, folders, databases, or areas of a system that are off-limits to them.
This is a major defense in many CFAA cases. If you had legitimate credentials and accessed data you were allowed to see, even if you misused it, the CFAA generally doesn’t apply. Other laws (such as state computer crime statutes, wire fraud, or breach of contract) may still apply, but the federal hammer is much weaker than it used to be.
DOJ’s 2022 Good-Faith Security Research Policy
In May 2022, the U.S. Department of Justice issued a charging policy that protects good-faith security research from CFAA prosecution. Good-faith research means accessing a computer solely to test, investigate, or fix a security flaw, in a manner designed to avoid harm, with findings used to improve security.
This policy doesn’t change the statute, but it provides important guidance for security researchers and penetration testers who previously faced uncertainty under the broad CFAA language.
California Penal Code § 502: The State Computer Crime Law
California has its own computer crime statute, the Comprehensive Computer Data Access and Fraud Act, codified at California Penal Code § 502. It’s one of the broadest state cybercrime laws in the country and overlaps substantially with the federal CFAA.
PC § 502(c) prohibits 14 different categories of conduct, including:
- Knowingly accessing and altering, damaging, or destroying data on a computer without permission
- Knowingly accessing a computer to wrongfully obtain money, property, or data
- Knowingly accessing a computer without permission (even without causing damage)
- Disrupting or causing the disruption of computer services
- Introducing a virus, worm, or other contaminant
- Knowingly providing the means of accessing a computer in violation of the statute
- Using internet domains in a manner that violates the statute
- Trafficking in another person’s electronic account or credentials
Penalties under PC § 502 vary based on the subsection and the amount of damage:
- Infraction: First offenses with no injury and minimal access can be charged as an infraction with a fine up to $1,000.
- Misdemeanor: Up to 1 year in county jail and a fine up to $5,000 (most subsections).
- Felony (wobbler): When damages exceed $5,000 or for certain aggravated conduct, the offense can be filed as a felony, punishable by 16 months, 2 years, or 3 years in county jail and a fine up to $10,000.
PC § 502 also creates civil liability. The victim can sue you separately for compensatory damages, attorney’s fees, and in some cases punitive damages. This is significant: even if your criminal case resolves favorably, you can still face a civil lawsuit over the same conduct.
Related Charges Commonly Stacked With Computer Crimes
Computer crime charges rarely come alone. Prosecutors typically file multiple counts under different statutes covering the same conduct.
Wire fraud (18 U.S.C. § 1343) is the federal go-to charge for any fraudulent scheme using electronic communications, including email, websites, and phone systems. The penalty is up to 20 years in federal prison for each count (up to 30 years if a financial institution is involved).
Identity theft (18 U.S.C. § 1028 and California PC § 530.5). Using someone else’s identifying information for fraud is a separate crime. Federal aggravated identity theft (18 U.S.C. § 1028A) carries a mandatory 2-year consecutive sentence on top of the underlying fraud conviction.
Mail fraud (18 U.S.C. § 1341). The original federal fraud statute, often charged alongside wire fraud when the conduct involves both electronic and physical mail.
Access device fraud (18 U.S.C. § 1029). Trafficking in stolen credit card numbers, account credentials, or similar “access devices.” Up to 15 years for first offenses.
California identity theft (PC § 530.5). A wobbler punishable by up to 1 year in county jail (misdemeanor) or up to 3 years in state prison (felony).
Phishing (no single statute). Phishing is typically charged as a combination of wire fraud, identity theft, and CFAA violations, depending on the specifics.
Ransomware. Charged under CFAA § 1030(a)(5), often combined with wire fraud and extortion (18 U.S.C. § 1951).
A single set of facts can easily produce 5 to 15 felony counts across federal and state law. Plea negotiation typically focuses on which counts the government will dismiss in exchange for a guilty plea on others.
Conduct That Has Resulted in Federal or California Charges
People are often surprised at how broadly these laws are applied. Real examples of conduct that has led to prosecution:
- Using a former employee’s still-active credentials to access a company database
- Logging into an ex-partner’s email or social media accounts to monitor them
- Sharing or trafficking streaming service or software credentials at scale
- Sending phishing emails or fake invoices
- Building a website that impersonates a legitimate business
- Running a credential-stuffing attack against a website
- Selling access to unauthorized streaming services
- Modifying school grades through unauthorized access to a school system
- Conducting “penetration testing” on a system without explicit authorization
- Operating cryptocurrency or NFT-related scams
- Using AI tools to generate fraudulent documents or impersonate identities
- Engaging in business email compromise (BEC) schemes
- Running romance scams from dating apps
- Scraping data from websites in ways that violate technical access barriers
The line between aggressive but legal conduct and a federal felony often comes down to whether you had authorization to access the system, what you did with the access, and the amount of harm caused.
Defenses in Computer Crime Cases
Computer crime cases are technical, evidence-heavy, and full of defenses that don’t exist in other criminal cases.
You had authorization. Permission can be express or implied. If you reasonably believed you had authority to access the system, that defense can defeat the intent element. Van Buren made this defense more powerful by holding that misusing legitimately accessible data isn’t a CFAA violation.
Lack of intent. Both the CFAA and PC § 502 require knowing or intentional conduct. Accidental access, automated system errors, and confusion about credentials can all defeat the intent element.
Mistaken identity or spoofing. Computer crime evidence often relies on IP addresses, device fingerprints, and account access logs, all of which can be spoofed, shared, or compromised. If your IP was used by someone else (compromised router, VPN exit node, shared Wi-Fi, malware), the case may not be provable.
Constitutional violations. Many computer crime investigations involve searches of phones, computers, cloud accounts, or email. If law enforcement obtained that evidence without a proper warrant or in violation of the Fourth Amendment, your attorney can move to suppress. See our guide on when police can search your phone for more.
Good-faith security research. Under the DOJ’s 2022 policy, security researchers acting in good faith are generally protected from federal CFAA prosecution.
No protected computer. The CFAA only reaches “protected computers.” While the definition is broad, certain isolated systems may not qualify.
No actual damages. Many CFAA and PC § 502 enhancements require a specific dollar threshold of damages. Challenging the prosecution’s damage calculation can knock charges down to misdemeanors or infractions.
What to Do If You’re Being Investigated
Computer crime investigations are typically lengthy. By the time you learn you’re a target, the government often has substantial digital evidence already. The key actions:
- Do not talk to investigators. FBI, Secret Service, and IRS agents are not on your side. Politely decline to be interviewed. “I want to speak with my attorney first.”
- Do not delete anything. Spoliation of evidence is a separate federal crime under 18 U.S.C. § 1519 (up to 20 years). Preserve all data.
- Do not log into the accounts in question. Continuing to access systems you’re already accused of accessing improperly can add new charges.
- Hire a defense attorney immediately. Computer crime cases require specialized knowledge. Early counsel can sometimes prevent charges from being filed.
- Preserve exculpatory evidence. Document any authorization you had, any communications about access, and any context that supports your version of events.
- Do not contact alleged victims. Especially in cases involving an ex-partner, former employer, or business dispute. Contact can lead to additional charges.
If you’ve already been arrested or charged, the same principles apply, only more urgently. For a complete walkthrough of related online offenses, see our guide to California cyberstalking and online harassment laws, which covers many of the same procedural issues.
Frequently Asked Questions
Is it a federal or California crime to access someone else’s email without permission?
Both. Under federal law, it can be charged under the Computer Fraud and Abuse Act (18 U.S.C. § 1030(a)(2)) for accessing protected computer data without authorization, and possibly the Stored Communications Act (18 U.S.C. § 2701) for accessing electronic communications in storage. Under California law, it can be charged under Penal Code § 502(c). Prosecutors choose which jurisdiction takes the lead based on the facts and the strength of the evidence.
What is “exceeding authorized access” under the CFAA?
Since the Supreme Court’s decision in Van Buren v. United States (2021), “exceeding authorized access” means accessing files, folders, or areas of a computer system that you weren’t permitted to enter. It does not mean using legitimately accessible information for an improper purpose. This is one of the most significant CFAA defenses available today, and it has narrowed the reach of federal computer crime prosecutions considerably.
What are the penalties for federal computer fraud?
Penalties vary by subsection. Most CFAA offenses carry up to 1 year for a misdemeanor or 5 to 10 years for a felony first offense. Repeat offenders, damage offenses, and aggravated conduct can carry up to 20 years. Federal sentencing guidelines also factor in the amount of loss, the sophistication of the conduct, and the number of victims. State penalties under California PC § 502 range from a $1,000 infraction fine to 3 years in state prison for serious felony cases.
Can I be charged in both federal and California court for the same computer crime?
Yes. The federal and state systems are separate sovereigns, and double jeopardy generally doesn’t prevent both from prosecuting. In practice, prosecutors usually coordinate so one jurisdiction takes the lead, but parallel prosecutions do happen, especially when the conduct crosses state lines or involves federally regulated systems like banks or government agencies.
What should I do if the FBI contacts me about a computer crime investigation?
Do not talk to them, even casually. Politely say: “I want to speak with my attorney before answering any questions.” Federal investigators are trained to elicit incriminating statements during seemingly friendly conversations. Anything you say can and will be used to build the case against you. Call a criminal defense attorney immediately, ideally one with federal court experience, before any further contact.
Talk to a Los Angeles Criminal Defense Attorney Today
Computer crime and internet fraud cases are among the most complex prosecutions in the criminal justice system. They involve digital forensics, parallel state and federal jurisdiction, technical statutory language, evolving Supreme Court precedent, and victims who may also be pursuing civil litigation. The right defense strategy depends on the specific facts, the statutes charged, and how the evidence was collected.
The criminal defense attorneys at Manshoory Law Group handle both state and federal criminal cases throughout California, including computer crimes, identity theft, fraud, and related cybercrime charges. We know how prosecutors build these cases, where the digital evidence tends to be weakest, and how to push back at every stage from pre-filing through trial.
The FBI’s Internet Crime Complaint Center (IC3) reports record numbers of internet crime complaints year over year, and federal prosecutors are responding with more aggressive charging decisions than ever before. Early defense intervention matters.
Consultations are free, and we’re available 24/7. Flexible payment plans are available.
Call 877-977-7750 today or contact us online to speak with an attorney.