Breach of computer security is Texas’s core hacking offense. Under Penal Code § 33.02, knowingly accessing a computer, network, or system without the owner’s effective consent is a Class B misdemeanor — and access with intent to defraud or harm climbs a loss-based ladder that tops out at a first-degree felony. Below: the statute, the full penalty table, verified case law, defenses, and how these cases actually move through Collin, Dallas, Denton, and Tarrant County courts.
Free, Confidential Case Review
Tell us what happened. A defense attorney reviews every submission — usually within the hour during business hours.
Published 2026-06-11 · Reviewed by Reggie London and Njeri London, Co-Founding Partners · Last reviewed: 2026-06-11
Peer Recognition
Martindale-Hubbell® 2026 Honors
Independent peer-review ratings recognizing legal ability and ethical standards.
Awards reflect peer-reviewed ratings only. Past results do not guarantee future outcomes.
Controlling statute:Texas Penal Code § 33.02 Classification: Class B misdemeanor (simple unauthorized access); Class C misdemeanor through first-degree felony when committed with intent to defraud or harm (§ 33.02(b-1), (b-2)) Punishment range: Up to 180 days in jail and a $2,000 fine for the base offense; state jail felony (180 days–2 years + $10,000) for government or critical-infrastructure systems or repeat Chapter 33 offenders; fraud-intent cases climb by aggregate loss to a first-degree felony (5–99 years or life)
What Is Breach of Computer Security Under Texas Law?
Breach of computer security is the Texas Penal Code’s general computer-intrusion offense. Under § 33.02(a), a person commits a crime if the person “knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.” The statute sits in Chapter 33 — the computer-crimes chapter the Legislature created in 1985 — alongside online impersonation, online solicitation of a minor, electronic data tampering, and unlawful decryption. It has been amended repeatedly since, most recently effective September 1, 2015.
Two features make § 33.02 broader than most people expect. First, “access” is defined expansively in § 33.01(1): to approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer software in, or otherwise make use of any resource of a computer, computer network, computer program, or computer system. Opening a folder, running a query, or reading someone’s email all qualify — no technical “hacking” is required. Second, the offense has two distinct pathways: simple unauthorized access under subsection (a), and the far more serious subsection (b-1), which targets access committed with intent to defraud or harm another or to alter, damage, or delete property.
Subsection (b-1) itself splits in two. The first branch mirrors subsection (a) — access without effective consent — with the added fraud-or-harm intent. The second branch, § 33.02(b-1)(2), is the one that surprises defendants: it reaches access to a government or business computer in violation of a clear and conspicuous prohibition or a contractual agreement the person expressly agreed to, when paired with intent to obtain or use files, data, or proprietary information to defraud or harm another. An employee or contractor who is allowed on the system can still commit this offense by violating written policy with the required intent.
Elements the State Must Prove
For the base offense under § 33.02(a), the State must prove every element beyond a reasonable doubt:
1. Knowing access
The defendant knowingly accessed — approached, instructed, communicated with, stored data in, retrieved or intercepted data from, altered, or otherwise made use of — a computer resource. Accidental clicks, automated background processes, and unknowing contact are not knowing access.
2. A computer, computer network, or computer system
The thing accessed must meet the § 33.01 definitions, which sweep in servers, workstations, phones, email and cloud accounts, point-of-sale systems, and connected devices.
3. Without the owner’s effective consent
No one with authority over the system gave valid permission — or the permission that existed fails one of the five tests in § 33.01(12): induced by deception or coercion; given by someone the actor knows lacked authority; given by someone unable to make reasonable decisions; given solely to detect the commission of an offense; or used for a purpose other than the one for which it was given.
4. Knowledge that consent was absent
The knowing mental state reaches the consent element, not just the act of access. In Muhammed v. State, 331 S.W.3d 187 (Tex. App. 2011), the court held that the State must prove the defendant knowingly accessed the computer knowing that the access was without the owner’s effective consent. A genuine belief that permission existed defeats the charge.
A felony case under § 33.02(b-1) adds more: the specific intent to defraud or harm another, or to alter, damage, or delete property — and, on the (b-1)(2) policy-violation branch, proof of a clear and conspicuous prohibition or an express contractual agreement plus intent to obtain or use data to accomplish the fraud or harm. Each added element is another point the defense can attack.
What Are the Penalties for Breach of Computer Security?
Section 33.02 runs on two separate grading tracks. Simple access under subsection (a) starts as a Class B misdemeanor with two built-in state-jail-felony bumps. Fraud-or-harm cases under subsection (b-1) are graded by “aggregate amount” — the total dollar value involved — using the same value bands as Texas theft law:
Conduct
Classification
Confinement
Max fine
Knowing access without effective consent — § 33.02(a)
Class B misdemeanor
Up to 180 days, county jail
$2,000
Subsection (a) access + two or more prior Chapter 33 convictions, or a government / critical-infrastructure computer — § 33.02(b)
State jail felony
180 days–2 years, state jail
$10,000
Fraud/harm intent, aggregate amount under $100 — § 33.02(b-2)(1)
Class C misdemeanor
None (fine only)
$500
$100 to under $750 — § 33.02(b-2)(2)
Class B misdemeanor
Up to 180 days, county jail
$2,000
$750 to under $2,500 — § 33.02(b-2)(3)
Class A misdemeanor
Up to 1 year, county jail
$4,000
$2,500 to under $30,000 — § 33.02(b-2)(4)
State jail felony
180 days–2 years, state jail
$10,000
$30,000 to under $150,000 — § 33.02(b-2)(5)
Third-degree felony
2–10 years, TDCJ
$10,000
$150,000 to under $300,000; any amount against a government or critical-infrastructure system; or identifying information obtained from one computer — § 33.02(b-2)(6)
Second-degree felony
2–20 years, TDCJ
$10,000
$300,000 or more; or identifying information obtained from more than one computer — § 33.02(b-2)(7)
First-degree felony
5–99 years or life, TDCJ
$10,000
Last reviewed
2026-06-11
Two grading traps deserve emphasis. The identity-information bumps: under § 33.02(b-2)(6)(C) and (7)(B), obtaining another person’s identifying information makes the offense a second-degree felony if one computer was accessed and a first-degree felony if more than one was — regardless of dollar amount. A zero-loss intrusion that touches identity data across two systems can be indicted at the same grade as a $300,000 fraud. The ownership bumps: any (b-1) offense against a government or critical-infrastructure computer is at least a second-degree felony under (b-2)(6)(B) whenever the amount falls under $300,000, and even simple no-fraud access to those systems is a state jail felony under (b)(2).
State-jail-felony cases carry one practical safety valve: under Penal Code § 12.44(a), a judge can punish a state jail felony as a Class A misdemeanor in appropriate cases — often the negotiated landing spot for first-time defendants whose alleged loss sits in the $2,500–$30,000 band.
How Do Prosecutors Prove Breach of Computer Security?
These are records cases. The State typically builds them on authentication and server logs, IP-address attribution, device forensics, subscriber records obtained by warrant or subpoena, and — in workplace cases — an affidavit from the employer’s IT staff or an outside incident-response firm. The forensic image of a seized phone or laptop frequently becomes the centerpiece, which is why the search warrant that produced it gets heavy defense scrutiny.
Knowledge is almost always proved circumstantially. Muhammed confirms that a jury may infer knowledge or intent from the acts, conduct, and remarks of the accused and from the surrounding circumstances — in that case, a defendant browsing another student’s university email account in a campus computer lab. Prosecutors lean on context: deleted logs, masked IP addresses, odd login hours, or statements acknowledging the lockout.
On the felony track, the State must also prove the “aggregate amount.” Under § 33.01(2), that figure includes not only direct loss but the victim’s expenditures to investigate whether data was altered or acquired and to restore, recover, or replace it. In practice the number often comes from the complainant company’s own forensic-response invoices — a figure the defense can and should audit line by line, because the invoice total frequently drives the felony grade more than any stolen value does.
A hypothetical illustrates the charging pattern. An IT administrator is terminated on a Friday; her VPN credentials are not deactivated until Monday. Over the weekend she logs in and downloads the vendor pricing sheet she built. Access plainly happened and data was taken — but was consent actually revoked, and did she know it was? The termination letter said nothing about system access, and the company’s own deprovisioning failure left the gate open. Those facts aim straight at the knowledge element the State must prove under Muhammed, and they often mark the difference between a felony indictment and a declined case.
What Defenses Work Against a § 33.02 Charge?
L and L Law Group builds § 33.02 defenses around the statute’s own pressure points:
No knowledge that consent was absent. The State must prove the defendant knew the access was unauthorized — the Muhammed rule. Shared passwords, never-revoked credentials, family accounts, and vague workplace policies all generate reasonable doubt on this element.
Effective consent existed. Permission from anyone legally authorized to act for the owner defeats the charge. Scope disputes — what exactly was authorized, by whom, and for how long — are fought on documents, not assumptions.
The security-assessment defense. § 33.02(f) protects penetration testers and security contractors whose conduct consisted solely of action taken under a contract with the owner to assess or secure the system. The written scope of work is the defense exhibit.
The law-enforcement defense. § 33.02(e) covers persons acting to facilitate a lawful seizure, search, or access for a legitimate law-enforcement purpose.
Attribution failure. An IP address identifies a connection, not a person. Shared terminals, open networks, spoofed credentials, and compromised accounts can all break the link between the login and the defendant.
Suppression. Digital searches must comply with the Fourth Amendment and Texas’s statutory exclusionary rule, CCP art. 38.23. An overbroad device warrant or a warrantless account search can take the forensic centerpiece out of the case. See our guide to the motion to suppress.
Civil dispute dressed as a crime. Many (b-1)(2) cases are business divorces — departing employees, feuding partners, contractor disputes — where the real fight belongs in civil court. Framing the case that way supports declination, reduction, or restitution-driven resolutions.
Loss-amount attacks. Because grade follows the aggregate amount, contesting inflated investigation and restoration figures can knock a third-degree felony down to a state jail felony or a misdemeanor.
A second hypothetical, because it is the most common fact pattern we see: during a separation, one spouse logs into the other’s email using a password shared years earlier and forwards messages to a divorce lawyer. The password was given for paying bills — not litigation surveillance — so § 33.01(12)(E)’s purpose limitation defeats the consent that once existed. The defense, in turn, targets knowledge: a spouse who used a password the couple always treated as joint may not have known the consent had ended. These cases routinely turn on text messages about who was allowed to use what, and when.
Can a Breach of Computer Security Charge Be Dismissed or Expunged?
Yes — and the endgame matters as much as the verdict. Weak knowledge evidence, consent ambiguity, or suppression exposure supports outright dismissal or declination. First-time defendants in DFW counties are frequently candidates for pretrial-intervention programs or deferred adjudication under CCP Chapter 42A, and § 12.44(a) misdemeanor-range punishment is a recurring negotiated outcome in low-loss state-jail cases.
Record relief tracks the result. A dismissal or acquittal generally supports expunction under CCP Chapter 55A. Successfully completed deferred adjudication usually supports an order of nondisclosure under Government Code Chapter 411, Subchapter E-1. A final conviction — even Class B — generally stays on the record forever, which is why charge posture early in the case drives everything later.
How Does § 33.02 Differ From the Federal CFAA?
The federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030, covers similar conduct — but the two statutes split sharply on misuse of authorized access. In Van Buren v. United States, 593 U.S. 374 (2021), the Supreme Court adopted a “gates-up-or-down” reading of the CFAA: a person “exceeds authorized access” only by entering areas of a computer — files, folders, databases — that are off-limits to him, and the statute “does not cover those who … have improper motives for obtaining information that is otherwise available to them.”
Texas law is built differently. Section 33.01(12)(E) strips consent that is “used for a purpose other than that for which the consent was given,” and § 33.02(b-1)(2) expressly criminalizes access in violation of a written prohibition or contract when paired with fraud-or-harm intent. The police-database lookup that no longer violates the CFAA after Van Buren can still be charged under § 33.02 in a Texas courthouse — a divergence we analyze in depth in our Van Buren explainer and the CFAA impact brief.
Forum matters too. Intrusions touching interstate systems, financial institutions, or federal agencies can draw a federal indictment in the Northern or Eastern District of Texas, where loss calculations under the sentencing guidelines — not the § 33.02(b-2) bands — control exposure. The same conduct can be prosecuted in both systems, and § 33.02(d) separately allows Texas prosecutors to stack § 33.02 with any other Penal Code section the conduct violates.
Where Are § 33.02 Cases Heard in North Texas?
Collin County. Misdemeanor § 33.02(a) cases are filed in the county courts at law and felonies in the district courts, all sitting at the Collin County Courthouse, 2100 Bloomdale Road in McKinney. The county’s corporate corridor — Frisco, Plano, Allen, McKinney — makes employer-referral cases common: a company’s IT department documents the intrusion, an incident-response firm quantifies it, and the file lands with prosecutors already packaged.
Dallas County. Felony computer-crime cases are heard in the district courts at the Frank Crowley Courts Building, where they typically move alongside the white-collar docket. Misdemeanors run through the county criminal courts. Cases referred by larger institutions — banks, hospital systems, universities — tend to arrive with extensive civil-side forensic work already done.
Denton County. Cases are heard at the Denton County Courts Building in Denton. Family-dispute and small-business fact patterns are the recurring theme, and outcomes often track how cleanly the consent story can be told on paper.
Tarrant County. Filings run through the Tim Curry Criminal Justice Center in Fort Worth, misdemeanors in the county criminal courts and felonies in the district courts. As elsewhere, early defense contact with the assigned prosecutor — before grand-jury presentment on felony tracks — is frequently the highest-leverage window.
L and L Law Group defends § 33.02 cases across all four counties from our Frisco office.
What Happens After a Breach of Computer Security Arrest?
Most § 33.02 cases are investigation-first: by the time an arrest happens, a detective has usually had the forensic report, the IT affidavit, and a search-warrant return for weeks. Some defendants first learn about the case when officers arrive with a device warrant; others get a phone call inviting them “to give their side.” Decline that interview until counsel is present — statements about passwords, permissions, and purposes are exactly what the knowledge element gets built from.
Arrest and magistration. Within roughly 48 hours, a magistrate sets bond and reads the charge under CCP art. 15.17.
Bond conditions. Expect no-contact orders covering the complainant (often a former employer) and sometimes computer- or internet-use restrictions. Conditions can be negotiated and modified — critical for defendants who work in IT.
Charging. Misdemeanors proceed by information; felony grades require a grand-jury indictment. The pre-indictment window is where reductions and declinations are won.
Discovery. Under the Michael Morton Act, CCP art. 39.14, the defense obtains the State’s file — including forensic images and examiner notes, which an independent expert should re-examine rather than accept.
Pretrial litigation. Suppression motions on device and account searches, loss-amount challenges, and consent-scope disputes shape the plea posture.
Resolution. Dismissal, pretrial diversion, deferred adjudication, a § 12.44(a) misdemeanor-range plea, trial — the right endpoint depends on the knowledge evidence and the record-relief consequences of each path.
Enhancements & Collateral Consequences
Beyond the grading bumps above, two prior Chapter 33 convictions make even simple access a state jail felony, and § 33.02(d) lets the State prosecute the same conduct under § 33.02 and any other applicable section — theft, fraudulent use of identifying information, or tampering with a governmental record among them. Victims also hold a parallel civil claim: Civil Practice and Remedies Code Chapter 143 authorizes damages suits for harmful access by computer, so a criminal file is often shadowed by a civil one.
Collateral fallout is heavy for a charge that often starts as workplace drama. A felony conviction forfeits firearm rights under Penal Code § 46.04 and 18 U.S.C. § 922(g). Any conviction involving fraud-type intent invites professional-license scrutiny and is poison for careers in IT, security, finance, and healthcare — fields where background checks specifically flag computer-misuse offenses. Security clearances, employment in regulated industries, and immigration status (fraud-intent offenses raise moral-turpitude issues that require case-specific analysis) can all be affected. These consequences, more than the jail range, usually drive defense strategy in first-offense cases.
How § 33.02 Compares to Neighboring Offenses
Chapter 33 and its neighbors carve up overlapping conduct, and charge selection matters:
Online impersonation — § 33.07. Using another person’s name or persona online; targets the deception itself rather than the access.
Electronic access interference — § 33.022. Denial-of-service-style disruption of access to systems without effective consent.
Electronic data tampering — § 33.023. Altering data or introducing ransomware; often charged alongside § 33.02 when files were changed rather than just viewed.
Theft — § 31.03. Where the accessed data or funds were appropriated outright.
Theft of trade secrets — § 31.05. The companion intellectual-property count when the data copied from the system was a protected trade secret rather than money or identity information.
Knowingly accessing a computer, computer network, or computer system without the effective consent of the owner; Texas’s general computer-intrusion offense since 1985.
Access (§ 33.01(1))
To approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer software in, or otherwise make use of any resource of a computer, network, program, or system.
Effective Consent (§ 33.01(12))
Permission from the owner or someone legally authorized to act for the owner. Consent fails if induced by deception or coercion, given without authority, given by someone unable to decide reasonably, given solely to detect an offense, or used beyond the purpose for which it was given.
Aggregate Amount (§ 33.01(2))
The grading figure in fraud-intent cases: direct and indirect victim losses plus expenditures to investigate the intrusion and to restore, recover, or replace affected data.
State Jail Felony
A Texas felony grade punished by 180 days to 2 years in a state jail facility and a fine up to $10,000; § 12.44(a) permits misdemeanor-range punishment in appropriate cases.
Frequently Asked Questions
Is breach of computer security a felony in Texas?
It can be either. Simple unauthorized access under Penal Code § 33.02(a) is a Class B misdemeanor, but it becomes a state jail felony if the computer belongs to the government or a critical infrastructure facility or if the defendant has two or more prior Chapter 33 convictions. Access with intent to defraud or harm is graded by aggregate loss and can reach a first-degree felony.
Can I be charged for snooping through my spouse’s phone or email?
Yes. Texas Penal Code § 33.02 contains no marriage exception. Logging into a spouse’s or ex-partner’s email, phone, or cloud account without effective consent is a common fact pattern behind misdemeanor § 33.02 filings, often arising out of divorce or custody disputes. Whether consent existed, was revoked, or was exceeded is usually the central contested issue.
What does effective consent mean under § 33.02?
Effective consent is permission from the owner or someone legally authorized to act for the owner. Under § 33.01(12), consent is not effective if it was induced by deception or coercion, given by a person the actor knows lacked authority, given by someone unable to make reasonable decisions, given solely to detect the commission of an offense, or used for a purpose other than the one for which it was given.
I had the password — can it still be unauthorized access?
Yes. Possessing valid credentials is not the same as having the owner’s effective consent. A password shared for one purpose does not authorize use for a different purpose — § 33.01(12)(E) strips consent that is used beyond the purpose for which it was given. The State must still prove the defendant knew the access was without consent, which is where shared-credential cases are often won.
Is violating a website’s terms of service a crime in Texas?
Not by itself. Section 33.02(b-1)(2) reaches access that violates a clear and conspicuous prohibition or a contractual agreement only when the State also proves intent to defraud or harm another or to alter, damage, or delete property, plus intent to obtain or use files, data, or proprietary information. An ordinary terms-of-service breach without that intent is not a § 33.02 offense.
How does the State calculate the dollar amount in a § 33.02 case?
Aggregate amount under § 33.01(2) includes the victim’s direct and indirect losses plus expenditures to investigate the intrusion and to restore, recover, or replace data. Amounts from one scheme or continuing course of conduct may be combined under § 33.02(c). Because forensic-response invoices count toward the total, the alleged figure — and therefore the felony grade — is often the most attackable number in the case.
What is the penetration-testing defense?
Section 33.02(f) provides a defense to a (b-1)(2) prosecution when the actor’s conduct consisted solely of action taken under a contract with the owner to assess the security of the computer, network, or system or to provide other security-related services. Written scope-of-work and authorization documents are the heart of this defense for security professionals.
Will a computer intrusion case be filed in state or federal court?
It depends on who investigates and the scale of the alleged conduct. Texas prosecutors file § 33.02 cases in county and district courts, while intrusions involving interstate systems, larger losses, or federal agencies can be charged under the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030, in the Northern or Eastern District of Texas. The same conduct can support charges in both systems.
Can a breach of computer security charge be expunged in Texas?
If the charge is dismissed or the accused is acquitted, expunction under Code of Criminal Procedure Chapter 55A is generally available. Successfully completed deferred adjudication usually supports an order of nondisclosure under Government Code Chapter 411, Subchapter E-1. A final conviction generally cannot be expunged or sealed, which is a major reason charge-reduction and diversion strategies matter.
Does the State have to prove I knew I did not have permission?
Yes. In Muhammed v. State, 331 S.W.3d 187 (Tex. App. 2011), the court held that the State must prove the defendant knowingly accessed the computer and knew the access was without the owner’s effective consent. That knowledge requirement is the backbone of the defense in shared-password, workplace-authorization, and family-dispute cases.
Reggie London co-founded L and L Law Group with a focus on federal criminal defense, complex felony defense, and TEA/SBEC matters. Licensed in Texas, admitted to TXND and TXED.
Njeri London co-founded L and L Law Group with a focus on DWI defense, family violence cases, and juvenile defense. Licensed in Texas, admitted to TXND and TXED.
Charged with Breach of Computer Security? Talk to L and L Law Group.
Co-founding partners Reggie London and Njeri London personally handle every case. Free consultation. Frisco, Texas.
L&L Law Group represents clients across North Texas counties for DWI, assault, drug crimes, juvenile defense, outstanding warrants, bond reduction, and expunction matters.
