Computer Crime Statutes

Technology

Easily browse the critical components of this report…

All 50 states, Puerto Rico and the Virgin Islands have computer crime laws; most address unauthorized access or computer trespass. Some state laws also directly address other specific types of computer crime, such as spyware, phishing, denial of service attacks, and ransomware, as shown below.

Computer crime laws encompass a variety of actions that destroy or interfere with normal operation of a computer system. Computer trespass, unauthorized access (or access exceeding permission that was granted to a user), or hacking is breaking into computer systems, frequently with intentions to alter, disable or modify existing settings. When malicious in nature, these break-ins may cause damage or disruption to computer systems or networks. Additional state and federal laws may apply to various other types of computer crimes (e.g., unfair and deceptive practices acts, etc.).

Note: NCSL serves state legislators and their staff. This site provides general comparative information only and should not be relied upon or construed as legal advice. NCSL cannot provide assistance with individual cases.

Laws Addressing Hacking, Unauthorized Access, Computer Trespass, Viruses and Malware

"Unauthorized access" entails approaching, trespassing within, communicating with, storing data in, retrieving data from, or otherwise intercepting and changing computer resources without consent. These laws relate to these and other actions that interfere with computers, systems, programs or networks.

Malware and viruses (viruses are a type of malware) are a set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer system or network without the permission of the owner. Generally, they are designed to infect other computer programs or computer data, consume resources, modify, destroy, record or transmit data, and disrupt normal operation of a computer system.

Laws Addressing Hacking, Unauthorized Access, Computer Trespass, Viruses or Malware
State	Citation
Alabama	Ala. Code §§ 13A-8-112
Alaska	Alaska Stat. § 11.46.740
Arizona	Ariz. Rev. Stat. §§ 13-2316,13-2316.01,13-2316.02
Arkansas	Ark. Code §§ 5-41-101 et seq.
California	Cal. Penal Code § 502
Colorado	Colo. Rev. Stat. §§ 18-5.5-101 to -102
Connecticut	Conn. Gen. Stat. §§ 53a-250 to 53a-261, 53-451
Delaware	Del. Code tit. 11 §§ 931 to 941
Florida	Fla. Stat. §§ 815.01 to 815.07, 668.801to .805
Georgia	Ga. Code §§ 16-9-90 to 16-9-94, 16-9-150 to 16-9-157
Hawaii	Hawaii Rev. Stat. §§ 708-890 to 708-895.7
Idaho	Idaho Code §§ 18-2201 et seq.
Illinois	720 ILCS §§ 5/17-50 to -55
Indiana	Ind. Code §§ 35-43-1-8, 35-43-2-3
Iowa	Iowa Code §§ 716.6B, 702.1A, 702.14, 714.1(8)
Kansas	Kan. Stat. § 21-5839
Kentucky	Ky. Rev. Stat. §§ 34.840, 434.845, 434.850, 434.851, 434.853, 434.855, 434.860
Louisiana	La. Rev. Stat. §§ 14:73.1 to 14:73.8
Maine	Me. Rev. Stat. tit. 17-A, §§ 431 to 437
Maryland	Md. Stat. Crim. Law § 7-302
Massachusetts	Mass. Gen. Laws ch. 266 § 33A, ch. 266 § 120F
Michigan	Mich. Comp. Laws §§ 752.791 et seq.
Minnesota	Minn. Stat. §§ 609.87, 609.88, 609.89, 609.891, 609.8911, 609.8912, 609.8913
Mississippi	Miss. Code §§ 97-45-1 et seq.
Missouri	Mo. Rev. Stat.§§ 537.525, 569.095, 569.097, 569.099
Montana	Mont. Code Ann. §§ 45-2-101, 45-6-310, 45-6-311
Nebraska	Neb. Rev. Stat. §§ 28-1341 to 28-1348
Nevada	Nev. Rev. Stat. §§ 205.473 to 205.513
New Hampshire	N.H. Rev. Stat. §§ 38:16, 638:17, 638:18, 638:19
New Jersey	N.J. Rev. Stat. §§ 2A:38A-1 to -3, 2C:20-2, 2C:20-23 to 34
New Mexico	N.M. Stat. §§ 30-45-1 to 30-45-7
New York	N.Y. Penal Law §§ 156.00 to .50
North Carolina	N.C. Gen. Stat. §§ 14-453 to 14-458
North Dakota	N.D. Cent. Code § 12.1-06.1-08
Ohio	Ohio Rev. Code §§ 909.01(E-G), 2909.04(B), 2909.07(A)(6), 2913.01 to 2913.04
Oklahoma	Okla. Stat. tit. 21, §§ 1951 to 1959
Oregon	Or. Rev. Stat. § 164.377
Pennsylvania	18 Pa. C.S.A. §§ 7601 et seq.
Rhode Island	R.I. Gen. Laws §§ 11-52-1 et seq.
South Carolina	S.C. Code §§ 16-16-10 to 16-16-40
South Dakota	S.D. Cod. Laws §§ 43-43B-1 et seq.
Tennessee	Tenn. Code §§ 9-14-601, 602, 604, 605
Texas	Tex. Penal Code § 33.01
Utah	Utah Code §§ 76-6-701 et seq.
Vermont	Vt. Stat. tit. 13, §§ 4101 et seq.
Virginia	Va. Code §§ 18.2-152.1 to -152.15,19.2-249.2
Washington	Wash. Rev. Code §§ 9A.90.010 et seq.
West Virginia	W. Va. Code §§ 61-3C-3 to 61-3C-21
Wisconsin	Wis. Stat. § 943.70
Wyoming	Wyo. Stat. §§ 6-3-501 et seq., 40-25-101
Puerto Rico	16 L.P.R.A. § 4808
U.S. Virgin Islands	14 V.I.C. § 459 et seq.

Laws Addressing Denial of Service Attacks

In a denial-of-service attack, an attacker floods the bandwidth or resources of a targeted system or servers with traffic, thereby preventing legitimate users from accessing information or services. In a distributed denial of service attack, the attacker compromises and takes control of multiple computers with security flaws and uses them to launch the denial-of-service attack.

At least 26 states have laws that directly address denial of service attacks.

Laws Addressing Denial of Service Attacks
State	Citation
Alabama	Ala. Code § 13A-8-112(5)
Arizona	Ariz. Rev. Stat. § 13-2316(4)
Arkansas	Ark. Code § 5-41-203(a)
California	Cal. Penal Code § 502
Connecticut	Conn. Gen. Stat. § 53a-251
Delaware	Del. Code tit. 11, § 934
Florida	Fla. Stat. § 815.06(2)(b)
Georgia	Ga. Code § 16-9-93(b)(2)
Indiana	Ind. Code § 35-43-1-8
Louisiana	La. Rev. Stat. Ann. § 14:73-4
Mississippi	Miss. Code § 97-45-5
Missouri	Mo. Rev. Stat. § 569.099
Nevada	Nev. Rev. Stat. § 205.477
New Hampshire	N.H. Rev. Stat. Ann. § 638:17
North Carolina	N.C. Gen. Stat. § 14-456, 14-456.1
Ohio	Ohio Rev. Code § 2909.01
Oklahoma	Okla. Stat. tit. 21 § 1953
Pennsylvania	18 Pa. C.S.A. § 7612
South Carolina	S.C. Code § 16-16-10(3)
Tennessee	Tenn. Code § 39-14-601
Texas	Tex. Penal Code § 33.022
Utah	Utah Code § 76-6-703(10)
Virginia	Va. Code § 18.2-152.4
Washington	Wash. Rev. Code § 9A.90.060
West Virginia	W. Va. Code § 61-3C-8
Wyoming	Wyo. Stat. § 6-3-504

Laws Addressing Ransomware and Computer Extortion

As of July 1, 2022

Ransomware is computer malware that is installed covertly on a victim's computer and preventing access to it, followed by demands for a ransom payment in exchange for returning access or not publishing or exposing data held on the computer.

At least 12 states, listed below, expressly address “ransomware” and/or computer extortion in statute. Most of these states criminalize ransomware and provide for specific penalties. Florida, Indiana, Louisiana and North Dakota require public entities to report ransomware incidents. Texas authorizes the Texas Department of Transportation to purchase insurance coverage for ransomware.

North Carolina prohibits state agencies and local entities from making ransomware payments,

In addition to laws that expressly mention ransomware or computer extortion, additional states, like North Carolina (NCGA § 143B-1379), require reporting of cyber incidents generally (which may include ransomware attacks) or state IT departments may require agencies to report cyber incidents to a CISO or other official. Also, other types of laws (e.g., that prohibit extortion and computer crimes such as malware or computer trespass) could also potentially be used to prosecute ransomware crimes.

Laws Addressing Ransomware and Computer Extortion
State	Citation
California	Calif. Penal Code § 523 Provides that every person who, with intent to extort property or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable pursuant to Section 520 in the same manner as if such property or other consideration were actually obtained by means of the ransomware.
Connecticut	Conn. Gen. Stat. § 53a-262 Provides that a person is guilty of computer extortion by use of ransomware when such person introduces ransomware into any computer, computer system or computer network and demands payment of money or other consideration to remove the ransomware, restore access to the computer, computer system, computer network or data contained on such computer, computer system or computer network, or otherwise remediate the impact of the ransomware.
Florida	2022 HB 7055 Requires state agencies and local governments to report ransomware incidents to certain entities within specified timeframes. Requires an annual ransomware incident report be submitted to the Governor and the Legislature.
Indiana	Ind. Code § 4-13.1-1-1.5, -2-9, -2-10 Requires the office of technology to maintain a repository of cybersecurity incidents, provides that a state agency and a political subdivision shall report any cybersecurity incident, including ransomware, to the office without unreasonable delay and not later than two business days after discovery of the cybersecurity incident in a format prescribed by the chief information officer, allows the office of technology to assist a state agency with certain issues concerning information technology.
Louisiana	La. Rev. Stat. §§ 51:2111 to 51:2116 Creates a registration system for managed service providers and managed security service providers doing business in the state with a public body. Provides access for public bodies to obtain information on managed service providers and managed security service providers. Requires managed service providers and managed security service providers to report to the Louisiana Fusion Center any cyber incidents and the payment of cyber ransom or ransomware. Acts 2020, No. 117, §2, eff. Feb. 1, 2021.
Maryland	Prohibits a person from knowingly possessing certain ransomware with the intent to use the ransomware for purposes of introduction into a computer, network or system of another person, alters and establishes certain penalties, authorizes a victim of a certain offense to bring a civil action for damages against a certain person. Md. Stat. Crim. Law § 7-302(12) (2021 H.B. 425 / 2021 S.B. 623)
Michigan	Mich. Penal Code §§ 750.409b, Section 777.16t Provides penalties for unauthorized possession or use of ransomware.
North Carolina	NCGS § 143-800 (2021 S.B. 105 (art. 84)) Prohibits state agencies or local government entities from submitting payment or otherwise communicating with an entity that us making a ransomware demand.
North Dakota	N.D. Cent. Code § 54.59.1 et seq. Requires an entity to disclose to the department an identified or suspected cybersecurity incident that affects the confidentiality, integrity, or availability of information systems, data, or services. Disclosure must be made in the most expedient time possible and without unreasonable delay. Cybersecurity incidents required to be reported to the department include: 1. Suspected breaches; 2. Malware affecting more than ten thousand dollars worth of devices or services incidents that cause significant damage; 3. Denial of service attacks that affect the availability of services; 4. Demands for ransom related to a cybersecurity incident or unauthorized disclosure of digital records; ...
Oklahoma	Relates to crimes and punishments, relates to the Oklahoma Computer Crimes Act, modifies definition, defines terms, expands the scope of certain prohibited acts to include ransomware and other malicious computer programs, makes certain acts unlawful, provides construing provision, provides an effective date. (2021 H.B. 1759)
Texas	Tex. Penal Code § 33.02 Provides that a person commits an offense if the person intentionally introduced ransomware onto a computer, computer network or computer system through deception and without a legitimate business purpose.
Texas	Tex. Trans. Code § 201.712 Provides that the Department of Transportation may purchase insurance coverage that the department considers necessary to protect against liability, revenue, and property losses that may result from a data breach or cyber attack. Insurance purchased under this section may include coverage for business and dependent business interruption loss, breach response, data recovery, cyber extortion or ransomware response, fiduciary liability, media liability, professional liability, or expenses for general incident management, such as investigation, remediation, and notification.
West Virginia	WV Code §§ 61-3C-3 to 61-3C-4 Creates criminal penalties for introducing ransomware into any computer, computer systems or computer network with the intent to extort money or other consideration. Sets forth the elements of the offense and establishes criminal penalties.
Wyoming	Wyo. Stat. §§ 6-3-506, 6-3-507 Creates the criminal offense of computer extortion. Specifies elements of the offense, provides penalties, and expands the list of computer crimes to be investigated by the division of criminal investigation.

Laws Addressing Phishing

As of May 4, 2022

Phishing is a scam where fraudsters send spam or text messages or create deceptive websites to lure personal or financial information from unsuspecting victims. The messages or websites often appear to be from well-known or seemingly trustworthy entities, but instead collect information for fraudulent purposes. Twenty-three states and Guam have laws specifically aimed at phishing schemes. Other states have laws that address computer crime, fraudulent or deceptive practices or identity theft, which could also apply to phishing crimes.

For practical tips from the federal government and private industry to help guard against Internet fraud, see OnGuardOnline.gov's information about phishing.

Laws Addressing Phishing
State	Citation
Alabama	Ala. Code §13A-8-114
Arkansas	Ark. Code §§ 4-111-102, 4-111-103
Arizona	Ariz. Rev. Stat. §§ 18-541 to-544
California	Cal. Bus & Prof. Code §§ 22948 to 22948.3
Connecticut	Conn. Gen. Stat. § 53-454
Florida	Fla. Stat. §§ 668.701-.705
Georgia	Ga. Code § 16-9-109.1
Illinois	740 ILCS §§ 7/1 - 7/15
Kentucky	Ky. Rev. § Stat. 434.697
Louisiana	La. Rev. Stat. §§ 51:2021 et seq.
Michigan	MCL § 445.67a
Minnesota	Minn. Stat. § 609.527, Subd. 5a
Montana	Mont. Code Ann. §§ 30-14-1712, 33-19-410
New Mexico	N.M. Stat. § 30-16-24.1
New York	N.Y. Gen. Bus. § 390-b
Oklahoma	Okla. Stat. tit. 15, §§ 776.8 - 776.12
Oregon	Ore. Rev. Stat. § 646.A.808
Rhode Island	R.I. Gen. Laws §§ 11-52.1-1 to -5
Tennessee	Tenn. Code §§ 47-18-5201 to 47-18-5205
Texas	Tex. Business and Commerce Code §§ 325.001 - .006
Utah	Utah Code §§ 13-40-201 to -204, -401
Virginia	Virginia Code Ann. § 18.2-152.5:1
Washington	Wash. Rev. Code §§ 19.190.080 -090 -100
Guam	5 GCA §§ 32703, 32704 (h)

Laws Addressing Spyware

As of May 4, 2022

Spyware, also sometimes called adware, is software that can track or collect the online activities or personal information of Web users, change settings on users’ computers, or cause advertising messages to pop up on users' computer screens. Web users are often unaware that spyware has been downloaded to their computers.

Twenty-one states, Guam and Puerto Rico have laws expressly targeting spyware. Other states have laws that address computer crime, fraudulent or deceptive practices or identity theft and that possibly could apply to some practices involving spyware.

Laws Addressing Spyware
State	Citation
Alaska	Alaska Stat. §§ 45.45.792 et seq., 45.50.471(51)
Arizona	Ariz. Rev. Stat. §§ 18.501 et seq.
Arkansas	Ark. Code §§ 4-111-101 to -105, § 19-6-301, § 19-6-804
California	Cal. Bus. & Prof. Code §§ 22947 to 22947.6
Georgia	Ga. Code §§ 16-9-152 et seq.
Hawaii	Hawaii Rev. Stat. § 708.890, 708.891, 708.891.5, 708.891.6
Illinois	720 ILCS 5/17-52, 720 ILCS 5/12-7.5(3)(a-4), ILCS 5/12-7.5(2)(2.2)
Indiana	Ind. Code §§ 24-4.8-1 et seq.
Iowa	Iowa Code §§ 715.1 to 715.8
Louisiana	La. Rev. Stat. §§ 51:2006 to 51:2014
Nevada	Nev. Rev. Stat. § 205.4737
New Hampshire	N.H. Rev. Stat. §§ 359-H:1 to 359-H:6
New York	N.Y. Penal Law § 156.00
Oklahoma	2021 H.B. 1759
Pennsylvania	73 P.S. 2330.1 et seq.
Rhode Island	R.I. Gen. Laws §§ 11-52.2-2, -3, -4, -5, -6, -7
Texas	Tex. Bus. & Comm. Code §§ 324.001 to 324.102
Utah	Utah Code §§ 13-40-301 to -303, 13-40-402
Virginia	Va. Code § 18.2-152.4
Washington	Wash. Rev. Code §§ 19.270.101 to 19.270.900
Wyoming	Wyo. Stat. § 6-3-506
Guam	9 GCA 46.601 to .602
Puerto Rico	10 L.P.R.A. §§ 2181 et seq.

Related Resources

Updated December 14, 2022

NCSL 50-State Searchable Bill Tracking Databases

Find the most comprehensive and complete 50-state information in NCSL's searchable bill tracking databases.

Technology

Database

Updated March 13, 2023

Supreme Court Voices Hesitation in Case Involving Speech Protections for Big Tech

In the case Gonzalez v. Google, plaintiffs argue that social media platforms can be held liable for the speech they publish. But Google claims Section 230 of the Communications Decency Act provide it immunity.

State-Federal Technology

State Legislatures News

Updated February 15, 2023

State 9-1-1 Bill Tracking Database

State 9-1-1 legislation tracking database, including bills related to e9-1-1 and Next Generation 9-1-1

Technology

Database

Contact NCSL
For more information on this topic, use this form to reach NCSL staff.
Email
Full Name
What is your role?
Message
Captcha
Admin Email

Report Computer Crime Statutes

Laws Addressing Hacking, Unauthorized Access, Computer Trespass, Viruses and Malware

Laws Addressing Denial of Service Attacks

Laws Addressing Ransomware and Computer Extortion

Laws Addressing Phishing

Laws Addressing Spyware

Related Resources

NCSL 50-State Searchable Bill Tracking Databases

Supreme Court Voices Hesitation in Case Involving Speech Protections for Big Tech

State 9-1-1 Bill Tracking Database

Contact NCSL

Contact Us

Denver

Washington, D.C.