Elements
Section summary§33.02 requires knowing access to a computer, computer network, or computer system without effective consent of the owner.
Elements:
- Knowing access.
- Computer, computer network, or computer system.
- Without effective consent of owner.
Effective Consent
Section summaryConsent must be effective — informed and from a person with authority. Limits on consent (purpose, time) can be effective restrictions.
Consent analysis:
- Owner consent or person with apparent authority.
- Limits on consent can be effective.
- Consent obtained by deception not effective.
Enhancements
Section summaryEnhancements for damage caused, intent to defraud, government computer access, and other aggravating factors elevate the offense.
Enhancement categories:
- Damage caused (value-based).
- Intent to defraud or harm.
- Government computer.
- Financial institution.
- Critical infrastructure.
Sentencing
Section summaryClass A misdemeanor base (up to 1 year). State jail felony to 1st-degree felony with enhancements based on harm.
Sentencing tiers:
- Class A misdemeanor (base).
- State jail felony (with enhancements).
- 3rd-degree felony (further enhancements).
- 2nd-degree felony (substantial damage).
- 1st-degree felony (major damage).
Federal vs State
Section summaryFederal CFAA is broader and reaches more conduct. Texas §33.02 may apply in cases where CFAA does not (purely intrastate, lower jurisdictional thresholds).
Federal vs state:
- CFAA reaches "protected computers" (very broad).
- §33.02 applies to all computers in Texas.
- Federal post-Van Buren more constrained.
- Many cases support both federal and state prosecution.
Need defense counsel?
L&L Law Group, PLLC handles Computer Crimes Defense cases throughout DFW. Initial consultations are free.
Call (972) 370-5060 →Forensic Foundation
Texas Breach of Computer Security §33.02 cases turn on digital-forensic evidence: device images, file metadata, network logs, cloud-account records, malware reverse engineering, and attribution analysis. Counsel handling a §33.02 prosecution must engage with the forensic record at a technical level, not just legal level.
The defense's threshold task is review of the government's forensic methodology. Was the device imaged using accepted procedures? Was the image hash-verified against the original? Did the examiner have appropriate certifications? Did the analysis follow the examiner's lab's standard operating procedures? Each step in the chain produces potential challenges at hearing and trial.
Where the case turns on contested forensic findings, the defense should retain an independent examiner. The defense expert reviews the government's work, performs parallel analysis where possible, and is available to testify if needed. Funding for defense experts is available in federal cases under the Criminal Justice Act (18 U.S.C. §3006A) and in Texas indigent cases under Code of Criminal Procedure Article 26.05.
Van Buren and Authorization Screen
The Supreme Court's decision in Van Buren v. United States, 593 U.S. 374 (2021), reshaped the CFAA "exceeds authorized access" analysis. The Court held that the statute applies only where the defendant accessed an area of a computer system they were not entitled to enter at all — not where they had credentials but used them for an improper purpose. The "gates-up-or-down" inquiry asks whether the user could or could not access the specific area, not why they accessed it.
For a §33.02 prosecution (where authorization is in issue), the defense must screen the indictment against the post-Van Buren framework. Cases built on theories that the defendant misused authorized access — rather than entering a system they had no right to enter — should be evaluated for dismissal under Van Buren. Many CFAA charges filed before 2021 survived only because the law had not yet been clarified; charges filed since must satisfy the gates-up-or-down standard.
The defense should also consider whether parallel state charges (Texas Penal Code §33.02) provide the same protection. Texas "effective consent" analysis under Chapter 1 of the Penal Code is broad. A defendant who had colorable authorization — an unrevoked password, a shared account, an implied license — has a defense to the access element under state law that runs parallel to the federal Van Buren analysis.
The structure of Texas Penal Code Section 33.02
Texas Penal Code Section 33.02 criminalizes breach of computer security, which is the Texas state-law analog to the federal Computer Fraud and Abuse Act. The statute reaches unauthorized access to a computer, computer network, or computer system, with offense levels ranging from Class B misdemeanor to first-degree felony depending on the aggregate loss caused and other aggravating factors. The Texas framework has been amended multiple times to address evolving technology and conduct patterns.
The base offense under Section 33.02(a) is the knowing access of a computer, computer network, or computer system without the effective consent of the owner. The statute defines effective consent broadly to cover both express authorization and implied authorization based on the circumstances. The defense in many cases focuses on whether the alleged access was actually without effective consent, considering whether the defendant had legitimate credentials, whether the access was within the scope of any authorization, and whether the owner had taken steps to communicate the limits of authorization.
The penalty structure under Section 33.02(b) escalates based on the aggregate loss caused by the conduct. Loss less than $2,500 produces a Class B misdemeanor. Loss between $2,500 and $30,000 produces a Class A misdemeanor. Loss between $30,000 and $150,000 produces a state jail felony. Loss between $150,000 and $300,000 produces a third-degree felony. Loss exceeding $300,000 produces a second-degree felony. Critical infrastructure cases produce additional enhancement to first-degree felony.
The relationship between Section 33.02 and the federal CFAA
Section 33.02 and the federal CFAA cover overlapping conduct but have distinct elements and penalty structures. The same underlying conduct can violate both statutes, and dual-sovereignty principles allow prosecution under both. In practice, federal prosecution typically takes priority for cases involving large losses, interstate elements, or critical infrastructure, while state prosecution typically handles cases with limited interstate elements or lower losses.
The Van Buren framework that narrowed federal CFAA liability does not directly affect Section 33.02 because the Texas statute does not include the exceeds-authorized-access concept that Van Buren interpreted. Section 33.02 reaches access without effective consent rather than excess of authorization, and the analytical framework is therefore different. Texas courts may apply analogous principles in some cases, but the federal Van Buren analysis is not binding on Texas state courts interpreting Section 33.02.
The defense practice should consider both the federal and state implications when developing case strategy. A defendant facing potential prosecution under both statutes may benefit from negotiation that resolves both matters simultaneously. A defendant facing only state prosecution may have less complex strategic considerations but should still consider the federal exposure that could attach if the case is transferred or referred to federal authorities.
The loss calculation under Section 33.02
The loss calculation under Section 33.02 considers the aggregate loss caused by the conduct, including damages to the computer system, the cost of incident response, the value of data accessed or copied, and other losses connected to the unauthorized access. The loss calculation can dramatically affect the offense level and the sentencing exposure, making it a central focus of defense practice.
The defense in loss-calculation cases should scrutinize each component of the alleged loss. Direct damages to the computer system should be supported by specific evidence of repair or replacement costs. Incident response costs should be reviewed for relevance to the specific alleged access and for reasonableness of the rates charged. Data value calculations should be supported by appropriate methodology and should not include speculative or consequential damages.
Expert testimony can substantially affect the loss calculation. A defense expert in cybersecurity or forensic accounting can analyze the incident response costs, the system damages, and other loss components and provide alternative valuations. The defense expert can also testify about industry standards for incident response and the relationship between specific costs and the alleged access. The expert testimony can substantially reduce the proven loss amount and the resulting offense level.
Defense theories and strategic considerations
The defense theories in Section 33.02 cases include factual challenges to the alleged unauthorized access, consent-based defenses, scope-of-authorization defenses, and challenges to the loss calculation. Each theory can be developed depending on the specific facts of the case and can substantially affect the outcome.
The consent-based defense focuses on whether the alleged access was actually without effective consent. The defense can show that the defendant had credentials that authorized the access, that the owner had communicated implied consent through previous interactions, or that the defendant reasonably believed consent had been given. The consent defense is particularly applicable in cases involving employment relationships where the scope of authorization may have been ambiguous.
The strategic considerations in Section 33.02 cases include the relative advantages of negotiated disposition versus contested litigation, the implications of conviction on the defendant career and reputation, and the potential parallel exposure under other statutes. The defense should consider the full range of considerations and should develop case strategy that addresses both the immediate disposition and the longer-term implications. The negotiated disposition is often preferable because Section 33.02 convictions can have substantial collateral consequences including effects on employment in technology-related fields where Section 33.02 history may affect security clearance or credential decisions.
Critical infrastructure enhancement and the cybersecurity reporting overlap
The Section 33.02 critical infrastructure enhancement under Texas Penal Code Section 33.02(b-2) elevates conduct involving critical infrastructure facilities to a first-degree felony regardless of the dollar loss. The critical infrastructure definition draws on federal frameworks and includes facilities related to power generation, water treatment, telecommunications, financial services, and other systems whose disruption would have substantial public impact. The enhancement reflects the elevated public interest in protecting these systems and the substantial penalty differential that can apply.
The Texas cybersecurity reporting framework under Business and Commerce Code Chapter 521 imposes notification obligations on businesses experiencing data breaches involving Texas residents. The reporting obligations apply regardless of the criminal prosecution status of the underlying conduct, and the reporting can become relevant evidence in subsequent Section 33.02 prosecutions. Defense practice must consider both the criminal exposure and the regulatory reporting implications of any breach, with attention to how the disclosures in regulatory reports may affect the criminal case.
Frequently Asked Questions
Does §33.02 apply to my own computer?
Does sharing passwords violate §33.02?
Can §33.02 apply to social media accounts?
Is §33.02 commonly prosecuted in Texas?
Read the full Texas Computer Crimes Defense Guide
This article is one section of our comprehensive Texas Computer Crimes Defense Guide. The pillar guide covers recent developments, official resources, and the complete framework with deeper analysis.
Read the Pillar Guide →Practical Checklist
- Document everything early. Communications, records, and witness contact information lose value as time passes. Preserve them at the start of the case.
- Identify all parallel proceedings. Criminal, administrative, civil, and regulatory tracks often run in parallel. A statement in one becomes evidence in another. Map the full picture before any disclosure.
- Calendar every deadline. Filing deadlines, response deadlines, discovery deadlines, and hearing dates all have consequences. Missing a deadline can foreclose defenses that the facts otherwise support.
- Build the mitigation package early. Witness letters, treatment records, employment verification, and character references take time to gather. Counsel should begin building the package at the first consultation, not as the hearing approaches.
- Coordinate counsel across forums. Where the matter implicates multiple proceedings, having coordinated counsel (whether one firm or multiple firms in close communication) avoids the strategic errors that inconsistent representation creates.
- Understand the public-record dimension. Many dispositions create searchable records that follow the licensee, defendant, or respondent for years. The decision to contest versus resolve must account for the public visibility of each path.
For a confidential evaluation of your matter, call L&L Law Group at (972) 370-5060 or email info@landllawgroup.com. Initial consultations are free.
Next Steps
If you are facing a situation described here, consult counsel promptly. Many issues in this area run on strict deadlines.
- Call (972) 370-5060
- Email info@landllawgroup.com
Cite this guide
Bluebook: Reggie London & Njeri London, Texas Breach of Computer Security §33.02, L&L Law Group (May 30, 2026), https://landllawgroup.com/insights/texas-breach-computer-security-33-02/.
APA: London, R., & London, N. (2026, May 30). Texas Breach of Computer Security §33.02. L&L Law Group.