California Cybercrime Laws: CFAA, CDAFA, and State Penalties
California operates under a dual-layer cybercrime enforcement framework: federal statutes that apply nationwide and a robust set of state-level codes that extend or sharpen liability specifically within California. This page covers the Computer Fraud and Abuse Act (CFAA), California's Comprehensive Computer Data Access and Fraud Act (CDAFA), the penalty structures attached to each, and the jurisdictional lines that determine which law governs a given offense. Understanding where these two frameworks overlap, where they diverge, and how California courts have interpreted both is essential for any organization operating digital infrastructure in the state.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Checklist or Steps
- Reference Table or Matrix
Definition and Scope
California cybercrime law governs unauthorized access to computer systems, data theft, malware deployment, and related digital offenses through two principal instruments. At the federal level, the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030, criminalizes unauthorized access to "protected computers" — a term the statute defines broadly to include any computer used in or affecting interstate or foreign commerce. At the state level, California's Comprehensive Computer Data Access and Fraud Act (CDAFA), codified at California Penal Code §§ 502–502.01, independently criminalizes a range of computer offenses, and it does not require any interstate nexus to apply. This is a meaningful distinction: CDAFA reaches purely intrastate conduct that the CFAA might not cover.
Scope and geographic limitations: This page addresses California state law and federal law as it applies within California. It does not address cybercrime statutes in other states, treaties governing cross-border cybercrime (such as the Budapest Convention on Cybercrime), or civil remedies under privacy statutes addressed separately on pages covering CCPA cybersecurity implications and related frameworks. Conduct occurring entirely outside California but targeting California residents may invoke CDAFA under California's long-arm principles, but the full extraterritorial analysis is jurisdiction-specific and not addressed here.
For a broader orientation to how California's legal environment shapes cybersecurity practice, the conceptual overview of how California cybersecurity works provides structural context.
Core Mechanics or Structure
The CFAA — Federal Framework
The CFAA, originally enacted in 1986 and amended multiple times, establishes seven primary offense categories under 18 U.S.C. § 1030(a):
- Unauthorized access to obtain national security information
- Unauthorized access to financial records or government computers
- Unauthorized access affecting a government computer
- Access with intent to defraud to obtain value exceeding $5,000 in any one-year period
- Unauthorized access causing damage (including transmission of malware or ransomware)
- Trafficking in passwords
- Threats to damage computers to extort money or other value
The $5,000 threshold in categories 4 and 5 is significant in practice: it establishes the floor for federal felony prosecution (18 U.S.C. § 1030(c)). First-offense penalties for basic unauthorized access range from 1 to 10 years imprisonment; offenses involving critical infrastructure or national security can reach 20 years. Civil liability under 18 U.S.C. § 1030(g) allows private parties to sue when they suffer damage or loss exceeding $5,000.
CDAFA — California State Framework
California Penal Code § 502 prohibits eight distinct categories of conduct, including knowingly accessing a computer without permission, disrupting computer services, introducing contaminants (malware), and using computer services without authorization to commit fraud. CDAFA applies to any computer, computer system, or computer network — definitions provided in Penal Code § 502(b) that are intentionally broad. Unlike the CFAA, CDAFA does not require proof of a specific dollar loss to trigger felony charges; the nature of the conduct itself determines the offense level.
Penalties under CDAFA:
- Misdemeanor: imprisonment in county jail for up to 1 year, or a fine up to $1,000, or both — for first-offense violations involving minor unauthorized access (Penal Code § 502(d)(1))
- Felony (wobbler): imprisonment in state prison for 16 months, 2 years, or 3 years — for disruption of services, data destruction, or unauthorized access causing damage
- Civil damages: CDAFA § 502(e) provides a private right of action for compensatory damages, injunctive relief, and attorney's fees
Causal Relationships or Drivers
Cybercrime law in California expanded in direct response to documented threat escalation. Ransomware threats to California organizations represent one of the most significant drivers: California Attorney General reports and FBI Internet Crime Complaint Center (IC3) data consistently identify California as the state with the highest volume of cybercrime complaints in the country. The FBI IC3 2023 Annual Report recorded California victims reporting losses exceeding $2.1 billion in 2023 — the highest of any state.
Legislative expansions of CDAFA have tracked specific threat categories:
- AB 1816 (2014) extended CDAFA to cover unauthorized data exfiltration even where no immediate financial harm is demonstrable
- SB 1001 (2019) addressed bot-related deception, adding a layer to California's digital fraud landscape
- The California Attorney General's office, through its Privacy Enforcement and Protection Unit, drives CDAFA civil enforcement alongside criminal prosecution by county district attorneys
Federal CFAA enforcement in California runs through the U.S. Department of Justice, with major cases prosecuted by the U.S. Attorney's Office for the Northern District (San Francisco) and Central District (Los Angeles) of California.
For deeper context on how regulatory bodies coordinate, see regulatory context for California cybersecurity.
Classification Boundaries
Three axes define whether an offense is prosecuted federally under the CFAA, under CDAFA, or both:
1. Interstate nexus
The CFAA requires the targeted computer to be a "protected computer" — meaning connected to the internet or affecting interstate commerce. Virtually every networked device qualifies, but the requirement matters for isolated, air-gapped systems. CDAFA has no such requirement.
2. Loss threshold
Federal prosecution under the CFAA typically requires demonstrable damage or loss aggregating to $5,000 or more across a 12-month period (18 U.S.C. § 1030(c)(4)(A)(i)(I)). CDAFA criminalizes conduct regardless of quantified loss.
3. Actor type and authorization status
Both statutes hinge on the concept of "authorization." The CFAA uses "exceeds authorized access" — a phrase that courts have interpreted differently in different circuits. CDAFA § 502 uses "without permission" and "knowingly and without permission" — language California courts have applied to insider threats, former employees, and contractors operating outside their granted access scope.
The California cybersecurity terminology and definitions page provides statutory definitions for key terms including "access," "damage," and "computer system" as used across these frameworks.
Tradeoffs and Tensions
The Authorization Ambiguity Problem
The CFAA's "exceeds authorized access" language has generated significant circuit court conflict. The U.S. Supreme Court's 2021 ruling in Van Buren v. United States (594 U.S. 517) narrowed the CFAA's scope, holding that an individual authorized to access a computer system does not violate the CFAA merely by using that access for an unauthorized purpose — only by accessing files or areas they were not permitted to access at all. This ruling limits federal prosecution of insider threats acting within their technical access permissions, even if their purpose is improper.
California courts applying CDAFA have generally taken a broader view: the "without permission" standard under § 502 has been applied to employees who access employer data for competitive or personal purposes, even when technical access controls did not block them. This creates a meaningful gap between federal and state coverage for insider conduct.
Overbreadth Concerns
Civil liberties organizations including the Electronic Frontier Foundation (EFF) have argued that broad CFAA language could criminalize routine security research, password sharing, and terms-of-service violations. Post-Van Buren, some of these concerns are mitigated federally, but CDAFA's independent scope means California-specific prosecution remains possible for conduct that federal law no longer reaches.
Dual Prosecution
Nothing in federal or California law prohibits simultaneous or sequential prosecution under both the CFAA and CDAFA for the same conduct. Double jeopardy protections under the U.S. Constitution's Fifth Amendment do not bar this because federal and state offenses are considered separate sovereigns (Heath v. Alabama, 474 U.S. 82 (1985)).
Common Misconceptions
Misconception 1: "Only hackers from outside an organization are liable under cybercrime law."
Correction: Both the CFAA and CDAFA explicitly cover insider threats. CDAFA § 502(c)(2) criminalizes access by any person "without permission," including current employees who exceed the scope of their role. The California cybersecurity executive liability page addresses scenarios where officers or directors face personal exposure for decisions that enable unauthorized data access.
Misconception 2: "If no money was stolen, there's no criminal violation."
Correction: CDAFA does not require financial loss for criminal liability. Disrupting service availability, copying data without authorization, or introducing malware are independently criminal acts under § 502(c)(5) and § 502(c)(8) regardless of whether financial harm resulted.
Misconception 3: "The CFAA only applies to federal government computers."
Correction: When originally enacted in 1984 (as the Counterfeit Access Device and Computer Fraud and Control Act), the CFAA did focus on federal systems, but 1994 and 1996 amendments expanded "protected computer" to cover all computers used in interstate commerce — effectively the entire commercial internet. Private sector computers are squarely within CFAA scope.
Misconception 4: "A terms-of-service violation is a federal crime under the CFAA."
Correction: Post-Van Buren v. United States (2021), the Supreme Court explicitly rejected the theory that violating a website's terms of service constitutes unauthorized access under the CFAA. This holding narrowed civil and criminal CFAA exposure for web scraping and similar activities.
Misconception 5: "Small businesses are not prosecution targets."
Correction: CDAFA enforcement is not reserved for large organizations. County district attorneys have prosecuted CDAFA violations involving small business computers. Additionally, CDAFA's private right of action under § 502(e) means any affected business or individual can initiate civil litigation regardless of the defendant's size. See California small business cybersecurity for context on small-business exposure.
Checklist or Steps
The following sequence reflects the analytical steps used by legal practitioners and compliance teams when evaluating whether a cybersecurity incident may involve criminal liability under CFAA or CDAFA. This is a descriptive sequence, not legal advice.
Incident Criminal Liability Assessment Sequence
- [ ] 1. Identify the affected computer system(s): Determine whether the system is networked, internet-connected, or air-gapped. Interstate connectivity triggers potential CFAA coverage; all California-located systems trigger potential CDAFA coverage.
- [ ] 2. Assess authorization status of the actor: Distinguish between external unauthorized actors, former employees whose access was revoked, current employees operating outside defined roles, and authorized contractors.
- [ ] 3. Quantify damage or loss: Calculate direct costs including remediation, downtime, data recovery, and third-party forensics. The $5,000 federal threshold under 18 U.S.C. § 1030(c)(4)(A)(i)(I) determines CFAA felony applicability.
- [ ] 4. Categorize the conduct: Map the conduct against CDAFA § 502(c)(1)–(8) categories and CFAA § 1030(a)(1)–(7) offense types to identify which provisions apply.
- [ ] 5. Identify affected data types: Presence of personal information, health records, financial data, or government data may trigger additional notification obligations under California's data breach notification law (California Civil Code §§ 1798.29, 1798.82) and federal sector-specific rules.
- [ ] 6. Determine reporting obligations: Evaluate mandatory reporting to law enforcement (FBI's IC3, CISA, California Attorney General), sector regulators, and affected individuals.
- [ ] 7. Preserve digital evidence: Forensic preservation must follow chain-of-custody standards consistent with federal and California rules of evidence before any remediation steps modify affected systems.
- [ ] 8. Evaluate civil liability exposure: Assess whether affected parties meet the threshold for a private civil action under CDAFA § 502(e) or CFAA § 1030(g), including injunctive relief claims.
- [ ] 9. Coordinate with counsel: Criminal referral decisions, whether to proactively report to law enforcement, and any regulatory notifications involve legal strategy that intersects with privilege and disclosure obligations.
For a broader overview of incident response frameworks applicable in California, see California cybersecurity incident response planning.
Reference Table or Matrix
CFAA vs. CDAFA: Key Comparative Attributes
| Attribute | CFAA (Federal) | CDAFA (California) |
|---|---|---|
| Governing code | 18 U.S.C. § 1030 | Cal. Penal Code § 502 |
| Interstate nexus required | Yes ("protected computer") | No |
| Minimum loss for felony | $5,000 aggregate (12 months) | Not required |
| Private right of action | Yes — § 1030(g) | Yes — § 502(e) |
| Insider threat coverage | Limited post-Van Buren (2021) | Broad ("without permission") |
| Maximum imprisonment (first offense, basic) | Up to 10 years | Up to 3 years (state prison) |
| Maximum imprisonment (critical infrastructure) | Up to 20 years | Not separately categorized |
| Misdemeanor option | Yes (limited circumstances) | Yes — first offense, minor violations |
| Civil attorney's fees available | No | Yes — § 502(e)(2) |
| Enforcing authority | DOJ / U.S. Attorneys | California AG / County DAs |
| Malware/ransomware coverage | § 1030(a)( |