Introduction:
Hacking is the use of various technological means to obtain access to, and data from, someone else’s computer or server without the permission or, at times, even the knowledge of the owner. It is equivalent to breaking and entering into someone’s property and, like burglary, breaking into someone else’s computer without their permission is illegal in California.
Hacking (or, more formally, “unauthorized computer access”) is defined in California law as knowingly accessing any computer, computer system or network without permission. It is often a misdemeanor, punishable by up to a year in county jail. However, the offense can become a felony depending on the use made of the entry.
The law also allows civil relief to the injured party.
This article shall discuss the basic criminal law that applies to such conduct in California.
The Basic Criminal Law:
Elements of the Crime:
The criminal prohibition against hacking is drafted broadly. The relevant section is California Penal Code 502(c), and it provides that in order to convict you, a prosecutor simply must prove that you:
- Knowingly accessed a computer, system or network
- Without permission.
The breadth of the provision includes all types of conduct from a spouse seeking to obtain information by invading the other spouse’s laptop to an employee seeking restricted information at work to offshore criminals seeking to obtain your personal information. Note that one can also be convicted of unauthorized computer access by providing someone else access to a computer they should not be allowed to access. If I give you my work computer so you may obtain access to trade secrets, I am guilty of hacking under this law.
The penalty for computer hacking is based on the actual damage caused to the victim.
If there was no “injury” to anyone and this was a first-time offense, this is an infraction under California law, punishable by a fine of up to $1,000. But on the second offense, prosecutors can seek: misdemeanor probation; up to one year in county jail; and/or fines of up to $5,000.
As the damage to the victim increases, so do the penalties imposed upon the culprit.
- Emplacing Malware:
If a person introduces software, viruses, worms or scripts without permission onto someone else’s computer, and that “computer contaminant” modifies, damages, records or transmits information without the owner’s consent, it is a violation of this law. This also applies to self-replicating malware, which may spread from user to user.
If there is no “injury” and this was a first-time offense, the penalty is the same as a simple unauthorized access above. On a second offense or one in which the victim suffered damage, this becomes a “wobbler” — either a misdemeanor or felony, depending on the facts of the case and the severity of the crime.
In that case, this is punishable by:
- 16 months, two years or three years in county jail, and/or
- A fine of up to $10,000.
- Using A Computer or Internet Service Without Permission.
These types of crime involve hacking to achieve free access to various services such as internet access, entertainment access, sports access, video conferencing access, etc. Essentially, someone is seeking to use a service paid for by someone else…for free. It is illegal to, knowingly and without permission, use someone else’s internet services, e-mail, data processing, storage, internet or computer time.
This is treated as a misdemeanor if it is:
- A first-time offense;
- With no “injury”; and
- The total value of computer services being used is less than $950.
It becomes a wobbler (treated as either a misdemeanor or a felony at the discretion of the court) if:
- It is not a first-time offense;
- The value of the services used is more than $950; or
- This resulted in an injury or an expenditure by the victim greater than $5,000.
The penalties for the wobbler version are the same as the penalties for malware above.
- Hacking into Government or Public Safety Services
Breaking into a government computer service or public safety infrastructure computer system without permission is another form of unauthorized computer access and is illegal, as is assisting someone else to perform that task.
Such actions are often intended to alter billing records or to alter the person responsible for billings. They could also be an effort to alter apparent responsibility for third-party liability for damage caused by fire or flood. The penalties for hacking into government or public safety are the same as the previous two examples. If this is a first-time offense with no real injury, it is treated as a misdemeanor, and if the unauthorized activity caused substantial damages, it could then become a wobbler.
- Denial of Service Attacks
This type of malicious hacking is done to cause damage to a website or web service and is an increasing problem for many businesses. The hacker uses a distributed denial of service attack (“DDoS”) to overload that website’s hosting and knock it offline, causing it to lose sales and ad revenue during the downtime. This is illegal and actionable. California’s hacking law makes it illegal to “knowingly and without permission” disrupt or deny access to computer services.
Due to the serious nature of this type of attack, this type of unauthorized computer access usually causes injury, and is usually treated as a wobbler, punishable by up to a year in county jail as a misdemeanor or up to three years in county jail as a felony.
- Altering, Deleting or Taking Data
This is a common employee- or contractor-generated crime. The employee or contractor, once terminated, seeks to alter content on his or her computer or seeks to maliciously punish an employer by deleting files, altering files or taking data for use in his or her next job. Equally common, before the employee leaves, he or she covertly downloads the company’s database of trade secrets or customers.
This would constitute “knowingly and without permission” taking, copying or making use of data from a computer system or network. The law also forbids altering, damaging, deleting or destroying data. Since these actions by definition also involve “injury,” a violation is usually treated as a wobbler. Depending on the facts of the case, penalties can range from a year in county jail as a misdemeanor to three years in jail as a felony.
- The “knowing” element
While one can be found civilly liable for hacking without intentionally doing it, the criminal law normally requires “scienter,” that is, the knowing violation of the law. Ignorance can be an excuse for the criminal aspect of the act. As an example, if by error I delete my employer’s database by simply entering the wrong keystrokes, that is not a crime. Proof of intent is one of the elements that the district attorney must demonstrate to the trier of fact.
Defenses Against Computer Hacking Charges:
- As stated above, knowingly committing the act is required for criminal prosecution. Negligence or inadvertence will not create a criminal act, though civil liability may lie.
- Further, demonstrating that one was the guilty culprit can be a challenge for any prosecutor. Sophisticated hackers often seek to use other people’s computers for invasion of a third party’s computer system. If one is online, one’s computer can be “seized” by a hacker and that system used to invade another system. Indeed, most denial of service attacks utilize thousands of other computers.
This type of attack often occurs without the owner of the computer or server even knowing that his or her computer was so utilized, and that owner first learns of the fact when the third party or government contacts them to accuse them of participating in the crime. Luckily for the accused, if one can demonstrate that many other computers were hacked by a third party, then the knowing element is easily eliminated.
The International Aspect:
One aspect of the crime is the international nature of much of the hacking. The writer was recently advised by an expert in the field that the average large company was hacked (or attempts made to hack) at least twenty times a month by sophisticated, often government-sponsored criminals. Most such hacks originate from Russia, the Ukraine, China, and Iran. If you are a victim, the odds of the culprit being located in your particular jurisdiction are small. And that means that relief may be hard to obtain for both the authorities and for you should you seek civil relief.
It is sad but true that such international hacking is almost impossible to prosecute. While an employee hacking an employer’s computer or a local criminal gang seeking your credit card information can be effectively prosecuted in the local courts, a judgment obtained in California is nearly impossible to enforce in China or Russia and simply impossible in Iran.
Conclusion:
Note that one may commence civil action against parties who have hacked into one’s computer. The causes of action can be numerous and range from conversion (theft of property) to embezzlement, interference with a business relationship, invasion of privacy, etc. These are independent of any criminal liability that may apply, though a criminal conviction could be used as evidence in the civil suit. A key aspect of the civil suit will be proving damages caused by the hacker.
It is also true that the criminal authorities are not always interested in pursuing convictions for hacking crimes. With violent crime a greater concern to most district attorneys and federal prosecutors, your claims of violation of your privacy may strike the district attorney as not worth spending hundreds of hours protecting in a criminal trial. Expect to hear that you should seek civil relief.
That said, many jurisdictions have allocated resources and personnel to prosecute hacking crimes, seeing them, rightfully, as a dire threat to our well-being and economic prosperity, and the victim should seek relief if the hack was serious.