
Texas Computer Crimes & CFAA Defense Guide

A plain-English walkthrough of Texas computer crimes under Pen. Code Chapter 33 and federal Computer Fraud and Abuse Act (CFAA) prosecutions under 18 U.S.C. §1030. Written by L&L Law Group, PLLC in Frisco.

By Reggie London & Njeri London ≈ 32 min read

Quick Answer

Texas computer crimes are codified at Penal Code Chapter 33, with the master offense being "breach of computer security" under §33.02 (knowingly accessing a computer, computer network, or computer system without the effective consent of the owner). The federal counterpart is the Computer Fraud and Abuse Act, 18 U.S.C. §1030. The Supreme Court narrowed CFAA's "exceeds authorized access" provision in Van Buren v. United States, 593 U.S. ___ (2021), rejecting an interpretation that would criminalize many ordinary uses of computers. Defense theories focus on consent, authorization scope, identification, and constitutional limits.

Key Takeaways
  1. Texas computer crimes under Pen. Code Ch. 33 include breach of computer security (§33.02), online solicitation of a minor (§33.021), online impersonation (§33.07), and electronic data tampering (§33.023).
  2. Federal CFAA at 18 U.S.C. §1030 criminalizes unauthorized access to protected computers and exceeding authorized access in seven enumerated forms.
  3. The Supreme Court in Van Buren v. United States, 593 U.S. ___ (2021), held that "exceeds authorized access" requires access to areas the user was not entitled to access, not merely misuse of authorized access.
  4. Texas computer crime penalties scale with the value of damage and the type of conduct, ranging from Class B misdemeanor to first-degree felony.
  5. Federal CFAA penalties also scale with damage, prior convictions, and aggravating factors; some violations are felonies punishable by up to 10 years or more.
  6. Common defenses include lack of intent, valid authorization, identification disputes (who actually accessed the system), inadequate damage calculations, and constitutional challenges.

The Statutory Map: Federal CFAA Plus Texas Chapter 33

Computer-crime indictments in North Texas typically arrive on one of two tracks. Federal prosecutors charge under the Computer Fraud and Abuse Act, 18 U.S.C. §1030, which reaches "protected computers" used in or affecting interstate commerce. State prosecutors charge under Tex. Penal Code Chapter 33 for offenses that occurred against Texas computer systems, owners, or victims. The federal statute has seven subsections that criminalize different categories of conduct: §1030(a)(1) (national-security information), §1030(a)(2) (information access), §1030(a)(3) (federal-computer trespass), §1030(a)(4) (fraud and unauthorized access), §1030(a)(5) (damage to a protected computer), §1030(a)(6) (trafficking in passwords), and §1030(a)(7) (extortion).

Texas Chapter 33 is organized differently. §33.02 covers breach of computer security, §33.021 covers online solicitation of a minor, §33.022 covers electronic access interference, §33.023 covers electronic data tampering, and §33.07 covers online impersonation. A single course of conduct can violate both federal and state statutes, which produces difficult choices about where the case lands and who prosecutes it. In some matters the U.S. Attorney's Office for the Northern District of Texas takes the lead; in others the Collin, Dallas, or Denton County District Attorney's Office files state charges. Coordination between the two is informal and case-specific, and defense counsel needs to understand both regimes before any meeting with prosecutors.

Federal CFAA charges carry a maximum penalty that depends on the subsection and the loss amount. A misdemeanor under §1030(a)(2) carries up to one year. A felony under §1030(a)(4) carries up to five years for a first offense and ten for a second. §1030(a)(5)(A) charges involving more than $5,000 in loss carry up to ten years. The Texas analogues scale through the felony grades from Class B misdemeanor (under §33.02 with minimal loss) up to first-degree felony when aggregate damage exceeds $300,000. The choice of forum has consequences beyond exposure: federal sentencing is governed by the United States Sentencing Guidelines, while state sentencing in Texas runs through the trial court's discretion within the statutory range and the option of community supervision under Tex. Code Crim. Proc. Chapter 42A.

Van Buren and the Gates-Up-Or-Down Doctrine for "Exceeds Authorized Access"

The CFAA criminalizes access "without authorization" and access that "exceeds authorized access." For two decades the federal circuits were split on what the second phrase meant. Some courts (notably the Eleventh Circuit) read "exceeds authorized access" broadly to include any access for an improper purpose — even by someone who had permission to enter the system. Others (the Second, Fourth, and Ninth Circuits) read the phrase more narrowly to require that the defendant access information located in a part of the system to which they had no permission at all.

In Van Buren v. United States, 593 U.S. 374 (2021), the Supreme Court resolved the split in favor of the narrow reading. Nathan Van Buren was a Georgia police sergeant who used his patrol-car computer to look up a license plate in the state law-enforcement database in exchange for money. He had credentials to access the database for legitimate law-enforcement purposes; the only thing wrong with what he did was the reason he did it. The Eleventh Circuit upheld his CFAA conviction. The Supreme Court reversed, holding that "exceeds authorized access" means accessing a file, folder, or database the user was not entitled to enter at all — not using authorized access for a forbidden reason. The Court adopted what it called a "gates-up-or-down inquiry": the question is whether the user could or could not access the specific area of the system, not why they accessed it.

The practical consequence of Van Buren is enormous for white-collar and employment-related CFAA cases. Before 2021, federal prosecutors routinely charged employees who took company data when leaving for a competitor, or users who violated a website's terms of service, as having "exceeded authorized access." That theory no longer works. If the defendant had ordinary credentials to access the data and simply used it in a way the employer or website disliked, the CFAA does not apply. The remedy lies in contract law, trade-secret law, or other civil statutes, but not in §1030. Defense counsel should look hard at any CFAA indictment built on an authorized employee or contractor accessing information for an unauthorized purpose; many of these survived only because Van Buren had not yet been decided.

The decision did not address whether the "gates" can be set by terms of service, employment policy, or only by code-based access controls. That question is unsettled. In practice, North Texas federal courts have read Van Buren to require some technological or structural barrier — a separate folder, a password gate, a permissions system — rather than a written policy alone. A defendant who had logical access to a file but was told not to read it stands a meaningfully better chance of dismissal today than they did before June 2021.

The Other CFAA Clause: "Without Authorization"

The narrower of the two CFAA access concepts is "without authorization." This covers classic hacking: a defendant who had no credentials at all and used technical means (password guessing, exploitation of a vulnerability, stolen credentials, social engineering) to enter a system they had no right to enter. After Van Buren, this is where prosecutors must focus §1030(a)(2), §1030(a)(4), and §1030(a)(5) charges that survive.

Defendants often dispute the "without authorization" element by pointing to consent that the government overlooks. A spouse who shared a password with a partner during marriage may have authorized continued access even after separation. A former employee whose credentials were never disabled may have had de facto authorization. A friend who allowed access to a streaming account, social-media account, or shared cloud folder may have created exactly the kind of consent that defeats §1030 liability. The Ninth Circuit's hiQ Labs v. LinkedIn litigation, which the Supreme Court vacated and remanded for reconsideration in light of Van Buren, illustrates how complex the "authorization" analysis becomes when public data sources, scraping bots, and cease-and-desist letters interact. The lesson for defense is that authorization is a question of fact that turns on the actual configuration of the system and the actual conduct of the system owner — not just on the prosecutor's narrative of betrayal.

The government also has to prove that the defendant acted intentionally with respect to the access. A user who reached an internal server through a misconfigured web link, who clicked on a phishing-test page, or who used credentials they reasonably believed were still valid may have a mens-rea defense even where the access itself was unauthorized in hindsight. The CFAA is not a strict-liability statute, and indictments that gloss over the intentional-access element are vulnerable on motions to dismiss and at trial.

Texas Penal Code §33.02: Breach of Computer Security

Texas's main computer-crime statute is §33.02, which makes it an offense to knowingly access a computer, computer network, or computer system without the effective consent of the owner. The statute's structure mirrors the federal "without authorization" concept but with broader application. Penalty grades depend on the aggregate amount of loss and the type of system accessed. A baseline violation with no quantifiable loss is a Class B misdemeanor. The grade rises through Class A misdemeanor, state-jail felony, third-degree felony, second-degree felony, and first-degree felony as loss climbs from under $100 to over $300,000.

An important enhancement under §33.02(b-2) raises the offense one grade above the value-based grade when the computer involved is owned by the government, by a critical-infrastructure facility, or by a financial institution. So a state-jail felony quantum of loss against an Oncor substation or a Frisco ISD server becomes a third-degree felony. A second-degree-felony quantum against a Plano Police Department system becomes a first-degree felony. The enhancement matters because it can push a case from probation-eligible territory into mandatory prison territory.

Defense practice under §33.02 turns on two recurring battles. The first is consent. "Effective consent" in Chapter 1 of the Penal Code is broad, and a defendant who had any colorable claim to authorization — an unrevoked password, a shared account, an implied license — has a defense to the access element. The second is the value of the loss. Texas value rules under §31.08 require the State to prove fair market value or, where that cannot be determined, replacement cost. Prosecutors sometimes inflate loss with consultant time, incident-response retainers, and speculative future costs. The defense's job is to make the State prove each dollar.

Texas Penal Code §33.07: Online Impersonation

§33.07 makes it a crime to use another person's name or persona on a social-networking site or to send an electronic message in another person's name, in either case with the intent to harm, defraud, intimidate, or threaten. The statute was enacted in 2009 in response to a wave of fake-profile and impersonation cases. It was challenged on First Amendment grounds in Ex Parte Maddison, 518 S.W.3d 630 (Tex. App. — Texarkana 2017, pet. ref'd), and State v. Stubbs, 502 S.W.3d 218 (Tex. App. — Houston [14th Dist.] 2016), and survived under intermediate scrutiny. The courts held §33.07 is a content-neutral regulation of impersonation that serves a substantial governmental interest in protecting victims from identity-based harm and false attribution.

The defense battlegrounds under §33.07 are intent and identity. The statute requires intent to harm, defraud, intimidate, or threaten — not mere annoyance, embarrassment, or parody. A defendant who created a fake account for satire, comedic mimicry, or to communicate with a small private audience may lack the required intent. Establishing identity is also harder than it looks. The State must prove beyond a reasonable doubt that the defendant — not someone using the defendant's device, not a co-occupant, not a hacker — created the offending content. Multi-user households, shared devices, and unprotected Wi-Fi all create reasonable-doubt arguments at trial. IP-address evidence places a device at a location; it does not place the defendant at the keyboard.

§33.07(a) (use of another's persona on a social network) is a third-degree felony. §33.07(b) (sending a message in another person's name) is a Class A misdemeanor, enhanced to a third-degree felony if certain aggravators apply, such as intent to obtain anything of value. The grade matters because a third-degree felony exposes the defendant to two to ten years in prison and the lifetime collateral consequences of a felony record. Many §33.07 cases resolve through Article 12.45 dismissal of related counts and a pretrial diversion plea on a single misdemeanor count when the facts permit.

Texas Penal Code §33.021: Online Solicitation of a Minor

§33.021 makes it an offense to communicate over the internet with a person believed to be a minor in a sexually explicit manner with the intent to arouse or gratify, or to solicit such a person to meet for sexual contact. The statute was significantly narrowed by the Texas Court of Criminal Appeals in Ex Parte Lo, 424 S.W.3d 10 (Tex. Crim. App. 2013), which struck down §33.021(b) — the "sexually explicit communication" subsection — as overbroad and a content-based restriction on speech that could not survive strict scrutiny. The Legislature responded in 2015 by enacting a narrower §33.021(b) and the "visual material" subsection §33.021(c-1), which targets specific conduct (sending sexually explicit images) rather than speech generally.

The solicitation subsection, §33.021(c), survived Lo and was reaffirmed as constitutional by multiple intermediate courts in cases including Ex Parte Victorick, Ex Parte Wheeler, and Maloney v. State, 294 S.W.3d 613 (Tex. App. — Houston [1st Dist.] 2009). §33.021(c) covers a defendant who, through electronic means, solicits a minor to meet for sexual contact with intent that the minor engage in such contact. Under §33.021(d), it is not a defense that the meeting did not occur, that the defendant did not intend the meeting to occur, or that the defendant was engaged in a fantasy at the time. This "no-fantasy" rule was central to the Texas Court of Criminal Appeals's affirmation that the offense is complete at the time of solicitation.

The defense terrain is narrow but real. The State must prove the defendant believed (or the recipient represented) that the other party was younger than 17. Sting operations in which adult officers pose as minors satisfy the "represents" prong, but the defense can examine the actual chat logs for indications the defendant disengaged, expressed disbelief, or refused. Mens rea under §33.021 requires intent that the meeting result in actual sexual contact — not just intent to communicate in a sexual manner. Cases that end with the defendant declining the meeting or asking only for "chat," without travel or arrangement, are factually weaker than those involving travel, money, or contraband. Online-solicitation convictions trigger sex-offender registration under Chapter 62 of the Code of Criminal Procedure, which makes any conviction — or even certain plea structures — a life-altering event. Defense counsel must screen every disposition for its registration consequences before recommending it.

Texas Penal Code §33.023: Electronic Data Tampering and Ransomware

§33.023 was added to Chapter 33 in 2017 in response to the rise of ransomware attacks. It makes it an offense to intentionally alter data as it transmits between two computers, or to introduce ransomware onto a computer through deception or without effective consent. The statute reaches the encrypt-and-extort attacks that have hit Texas school districts, county clerks, and hospital systems. Penalty grades scale from Class C misdemeanor for no economic loss to a first-degree felony for aggregate damage over $300,000. A separate aggravator at §33.023(e) raises the grade by one level when the computer involved is owned by a critical infrastructure facility.

Charging decisions under §33.023 often overlap with the federal CFAA, including its extortion provision at §1030(a)(7), and with federal wire fraud under 18 U.S.C. §1343. A ransomware actor who demanded a crypto payment to release data faces all of these. The defense practice in ransomware cases turns less on legal arguments about the statute and more on attribution — who actually deployed the malware, whether forensic evidence ties the defendant to the wallet that received funds, and whether the chain from compromise to exfiltration to ransom note can be reconstructed without speculative leaps. Many of these prosecutions depend on cooperator testimony, OPSEC failures by the defendant, or international cooperation with foreign law-enforcement agencies. Each link in that chain is a potential defense target.

Identity Theft §32.51 and Its Overlap With Computer Crime

Texas's identity-theft statute, Penal Code §32.51 (Fraudulent Use or Possession of Identifying Information), often appears alongside Chapter 33 charges. §32.51 makes it an offense to possess, use, or transfer identifying information of another person with the intent to harm or defraud. Identifying information includes Social Security numbers, account numbers, biometric data, and other categories that exist primarily in electronic form. A defendant who breached a computer system to obtain identifying information may face both §33.02 charges for the access and §32.51 charges for the possession or use.

The penalty structure under §32.51 scales with the number of items of identifying information involved. Possession of fewer than five items is a state-jail felony. Five to fewer than ten items is a third-degree felony. Ten to fewer than fifty items is a second-degree felony. Fifty or more items is a first-degree felony. The grade can rise one level if the defendant is in a fiduciary position (employee, agent of the victim, professional). The volume-based grading produces strange results: a defendant who possessed a single spreadsheet with fifty records faces the same exposure as one who committed fifty separate frauds. Defense practice under §32.51 often turns on whether items are counted by file or by record, whether duplicates count, and whether the defendant actually used the information or merely possessed it.

§32.51 also creates a presumption that a person who possesses identifying information of three or more persons obtained without consent intends to harm or defraud. The presumption can be rebutted by evidence of legitimate purpose. Defense counsel must work to document any innocent explanation — IT troubleshooting, security research, public-records compilation — before the presumption hardens into a jury instruction.

Federal Wire Fraud and the Computer-Crime Dragnet

Federal prosecutors often pair CFAA charges with wire fraud under 18 U.S.C. §1343. Wire fraud is broad: any scheme to defraud that uses interstate wire transmissions (which now includes virtually any internet communication) is reachable. The maximum sentence is 20 years, rising to 30 years if the scheme affects a financial institution or involves a federal disaster. Adding wire fraud to a CFAA indictment dramatically raises the statutory maximum and the guidelines range.

The reason this matters for defense is that the wire-fraud charge does not depend on whether the access was authorized. Even if Van Buren defeats the §1030(a)(2) count, the wire-fraud count may survive if the government can prove a scheme to defraud. Defense counsel needs to think about CFAA defenses and wire-fraud defenses in parallel. A successful §1030 motion can strip the indictment of its lighter counts while leaving the bigger exposure untouched. The strongest wire-fraud defenses focus on materiality (whether the alleged misrepresentation could have affected a reasonable decision-maker), specific intent to defraud (which requires more than carelessness or aggressive negotiation), and the absence of a property interest the defendant actually deprived the victim of.

The Supreme Court's recent decisions in Ciminelli v. United States (2023) and Percoco v. United States (2023) narrowed federal wire-fraud theories. Ciminelli rejected the "right-to-control" theory, which had allowed the government to prove fraud based on the deprivation of valuable economic information rather than tangible property. After Ciminelli, the government must prove the defendant sought to deprive the victim of a traditional property interest. This narrowing matters for computer-crime cases where the alleged "fraud" consisted only of using data the defendant accessed in ways the data owner would not have approved.

Stored Communications Act and Electronic Surveillance Crimes

The Stored Communications Act, 18 U.S.C. §§2701–2712, criminalizes unauthorized access to stored electronic communications — typically email, voicemail, and cloud-stored content. §2701 punishes intentional access without authorization or in excess of authorization to a facility that provides electronic communication service. Penalty depends on purpose: up to one year for the baseline offense, up to five years if committed for commercial advantage, financial gain, or in furtherance of a tortious act.

The SCA charges most often appear when a defendant accessed a spouse's, ex-partner's, or business associate's email account. The same conduct often violates the federal Wiretap Act for interceptions in real time, and Texas §33.02 for the access. The SCA's authorization standard tracks the CFAA, so Van Buren's gates-up-or-down framework probably applies — though the question has not yet been definitively decided. The defense should treat SCA cases the same as CFAA cases: focus on actual authorization, intent, and any shared-credential history that creates colorable consent.

The federal Wiretap Act, 18 U.S.C. §2511, reaches real-time interceptions and is a five-year felony. Texas has parallel offenses under Penal Code Chapter 16, including §16.02 (unlawful interception of communication) and §16.04 (unlawful access to stored communication). Texas is a one-party-consent state for recording: a participant in a conversation may record it, but interception by a non-participant is criminal. This distinction often controls whether messages, calls, or shared-app data are admissible at all.

Damages, Loss, and the $5,000 Threshold

CFAA loss calculation is one of the most contested issues in federal computer-crime defense. The statute defines "loss" broadly at §1030(e)(11) to include any reasonable cost of responding to an offense, conducting a damage assessment, restoring data, and any revenue lost or consequential damage from interruption of service. The $5,000 threshold appears in three different places: as a felony enhancement for §1030(a)(2), as a civil-action jurisdictional threshold under §1030(g), and as part of the damage element under §1030(a)(5)(B).

Federal courts disagree on the edges of what counts. Hourly cost of in-house IT staff investigating? Yes, in most circuits. Cost of retaining outside counsel to navigate the breach? Disputed. Lost productivity from an employee whose access was disabled while the investigation proceeded? Disputed. Cost of upgrading security after the incident? Generally not, because that is a forward-looking expense unrelated to the alleged conduct. Defense counsel must demand line-item documentation of every dollar the government claims as "loss," and push to exclude double counting, speculative future costs, and remediation that the victim would have done regardless of the incident.

Loss matters at sentencing even more than at the threshold. Under USSG §2B1.1, the base offense level for fraud and theft offenses (including most CFAA cases) increases steeply with loss. A loss of $6,500 to $15,000 adds two levels. $40,000 to $95,000 adds six. $1.5 million to $3.5 million adds sixteen. The difference between a contested loss of $90,000 and an agreed loss of $110,000 can be one to two years of imprisonment after the guidelines table is applied. Loss is the single most important number in any federal computer-crime sentencing and is worth fighting at every stage.

Riley, Carpenter, and Search of Electronic Devices

Most computer-crime investigations involve seizure and search of the defendant's digital devices: laptops, phones, tablets, external drives, cloud accounts. Two Supreme Court decisions reshape what police can do without a warrant. In Riley v. California, 573 U.S. 373 (2014), the Court held that police must generally obtain a warrant before searching the contents of a cell phone seized incident to arrest. The Court reasoned that the immense storage capacity and the private content typically held on a phone — emails, photos, search history, location data — make warrantless searches unreasonable even where the search would be allowed for physical objects in a pocket.

In Carpenter v. United States, 585 U.S. 296 (2018), the Court held that the government's acquisition of historical cell-site location information from a wireless carrier is a Fourth Amendment search that ordinarily requires a warrant supported by probable cause. The third-party doctrine — which had allowed warrantless access to records voluntarily turned over to a third party — does not extend to CSLI because of the pervasive and unavoidable nature of cell-phone usage in modern life. Carpenter matters for computer-crime defense because cell-site location records often place the defendant near the targeted system at the relevant time. Without a valid warrant or a recognized exception, those records may be suppressible.

The practical defense workflow after Riley and Carpenter is rigorous. Every device search and every records request must be traced back to a warrant or to a specific exception. The warrant must identify what is being sought with particularity and must be supported by probable cause specific to the device or the records, not boilerplate. Overbroad warrants that authorize a search of "all data" on a device, without temporal or topical limits, are vulnerable under United States v. Comprehensive Drug Testing and analogous decisions. Suppression of device evidence is often the case-dispositive issue in computer-crime prosecutions, and defense counsel should treat the Fourth Amendment review as the most important early-case task.

Common Defenses in Computer-Crime Cases

Five defense theories recur across federal CFAA and Texas Chapter 33 cases.

  1. Authorization. The defendant had permission to access the system, either explicitly (credentials issued, account shared) or implicitly (de facto access not revoked, terms of service did not prohibit the conduct, shared-device household). After Van Buren, authorization defenses are dramatically stronger for cases involving employees, contractors, and household co-users.
  2. Identification. The defendant was not the person at the keyboard. IP addresses, MAC addresses, and even named accounts can be shared, spoofed, or compromised. The State must prove who actually performed the conduct, not just whose device was used.
  3. Lack of intent. The CFAA and Chapter 33 are intent crimes. A defendant who acted by mistake, through inadvertence, or under a reasonable belief in consent has a mens-rea defense.
  4. Inadequate loss calculation. When loss is an element or a sentencing driver, the government must prove each dollar. Speculative, double-counted, and forward-looking expenses do not qualify.
  5. Constitutional challenges. Some Texas Chapter 33 provisions have been narrowed or struck down on First Amendment grounds. Federal CFAA prosecutions sometimes implicate the rule of lenity, vagueness, and overbreadth. Defense counsel should screen every charge against the constitutional framework before plea or trial.

Two additional defenses appear less often but matter in specific cases. Suppression of digital evidence under the Fourth Amendment can eliminate the prosecution's proof. Statute of limitations matters because computer-crime investigations sometimes take years to develop and indict; the federal CFAA limitation period is generally five years, and Texas Chapter 33 limitations track the felony grade. Counsel should compute the limitations clock from the date of the alleged conduct, not the date of discovery.

Federal Versus State Prosecution: Choice and Coordination

Some computer-crime conduct can be charged federally, in state court, or both. The choice is usually made early by the investigating agency and prosecutor in consultation. Federal prosecution under the CFAA is more likely when the affected system crossed state lines, when loss exceeds $5,000, when the victim is a federal agency or critical infrastructure, when the conduct is part of a larger interstate scheme, or when state law does not adequately address the conduct. State prosecution under Chapter 33 is more likely when the affected system is in Texas, when the victim is a state or local entity, or when the federal interest is incidental.

Dual sovereignty allows both sovereigns to prosecute the same conduct without violating Double Jeopardy. In practice, the Petite policy at the U.S. Attorney's Office and informal coordination with the District Attorney's Office usually result in one prosecution. Defense counsel should ask early whether a parallel state or federal investigation exists, whether a federal grand jury has been convened, and whether the matter has been declined by one sovereign in favor of the other. A federal declination often signals an opportunity for a favorable resolution at the state level (and vice versa). Defendants who learn of parallel investigations late in the process lose negotiating leverage; counsel should ask the questions in writing at the first interview with prosecutors.

When both federal and state charges are filed, sequencing matters. A federal plea bar will not always cover state conduct, and a state plea will not always cover federal conduct. Counsel should negotiate a global resolution where possible, with explicit waivers and reservations in writing. Where the federal and state prosecutors will not coordinate, the defense must choose which forum to resolve first based on relative exposure, evidentiary strength, and the likely outcome in each.

Pretrial Bond, Device Restrictions, and Internet Conditions

Computer-crime defendants face pretrial conditions that go beyond ordinary bond. Federal magistrate judges in the Northern District of Texas routinely impose conditions that include surrender of passports, limits on travel, no contact with victims or co-defendants, no use of the internet except for employment, no possession of devices not registered with pretrial services, and monitoring software on permitted devices. Some conditions require the defendant to consent to suspicionless searches of any device they touch. These are constitutionally permissible as conditions of pretrial release but can be modified for cause.

In state court, magistrate-set conditions are usually lighter, but the trial court can impose computer-restriction conditions under Texas Code of Criminal Procedure Article 17.40. Conditions that prohibit internet use entirely have been challenged as overbroad, particularly for defendants whose employment, education, or family obligations depend on connectivity. Defense counsel should propose narrowly tailored alternatives — restrictions on specific platforms, monitoring software in lieu of a ban, employer-issued devices only — that satisfy the legitimate concern while preserving the defendant's ability to function during the long pretrial period.

Pretrial-service compliance is more difficult in computer-crime cases because of the temptation to access old accounts, the difficulty of avoiding every connected device, and the breadth of monitoring software. Defendants who violate conditions face revocation of bond and detention until trial, with cascade effects on plea leverage. Counsel should brief the client on the practical scope of conditions early and check in periodically to identify near-misses before they become violations.

Plea Negotiation Strategy and Restitution

Plea negotiations in computer-crime cases turn on three variables: the loss number, the role of the defendant, and the cooperation potential. Loss drives the guidelines range under USSG §2B1.1 in federal cases and the punishment-range tier in Texas cases. Role under USSG §3B1.1 (aggravating) or §3B1.2 (mitigating) can shift the level by two to four points. Cooperation under USSG §5K1.1 (federal) or as a leverage point in state negotiation can shift the outcome dramatically. Defense counsel should run all three variables in parallel before any plea offer is accepted or rejected.

Restitution is mandatory in most federal computer-crime cases under the Mandatory Victims Restitution Act, 18 U.S.C. §3663A. The amount tracks the loss calculation but with one important difference: restitution must be limited to actual losses caused by the offense conduct, not all losses claimed for guidelines purposes. Inflated victim claims that survive at sentencing may not survive a restitution hearing. Counsel should request a separate restitution hearing where appropriate, demand line-item documentation from the victim, and contest any claim that exceeds the actual offense conduct.

In Texas state court, restitution is governed by Article 42.037 of the Code of Criminal Procedure. The trial court must consider the defendant's ability to pay, the loss sustained by the victim, and the relationship between the offense and the loss. Restitution can be modified during community supervision, and unrestrained restitution claims can derail an otherwise workable plea. Counsel should negotiate restitution amounts as part of the plea, not leave them to a post-plea hearing.

Trial Strategy and Expert Witnesses in Computer-Crime Cases

Computer-crime trials depend heavily on expert witnesses. The government typically calls a forensic examiner from the FBI, Secret Service, Texas Department of Public Safety, or a local cybercrime unit to walk the jury through device imaging, log analysis, malware reverse engineering, or financial-tracing testimony. Cross-examination of these experts requires defense counsel to understand the underlying methodology and to develop, well in advance, the specific points of attack.

Common cross-examination targets include chain of custody (was the device handled in a way that preserved evidentiary integrity); imaging methodology (was the image verified against the original with a cryptographic hash); the limits of the examiner's expertise (forensic analysts often testify beyond their actual training); and the certainty of attribution (an account in the defendant's name is not the same as the defendant). Where the case turns on contested forensics, defense counsel should retain an independent examiner to perform a parallel analysis and to testify at trial. Funding for defense experts is available under the Criminal Justice Act in federal cases and under Article 26.05 of the Texas Code of Criminal Procedure for indigent defendants in state cases.

Jury comprehension is a particular concern. Computer evidence does not explain itself, and a jury that does not understand the technical record is likely to defer to the government's expert. Demonstratives, simplified analogies, and well-constructed timelines help. Counsel should also consider voir dire questions designed to identify jurors with computer-science backgrounds — they can be friend or foe depending on the theory of the case — and to remove jurors whose intuitions about "hacking" will not give the defendant a fair hearing.

Post-Conviction: Computer Monitoring, Supervised Release, and Restitution

Federal computer-crime defendants who serve a custodial sentence usually face supervised release thereafter, often three to five years under 18 U.S.C. §3583. Standard conditions for computer-crime offenders include continued monitoring software on devices, internet-use restrictions, prohibitions on encryption tools or anonymizing networks, and warrantless device searches by the probation officer. The Fifth Circuit and other circuits have upheld many such conditions but have struck down those that are unduly burdensome or that bear no reasonable relationship to the offense.

Defense counsel should engage the conditions of supervised release at sentencing, not afterward. Generic computer-monitoring conditions can be narrowed by negotiating with the probation officer and the prosecutor before the presentence report is finalized. The conditions that appear in the judgment are difficult to modify later. Restitution payments during supervised release are also negotiated terms; payment schedules that exceed the defendant's realistic ability to pay set up violations that lead to revocation.

In Texas state court, computer-restriction conditions of community supervision are governed by Tex. Code Crim. Proc. Article 42A.301. The trial court has broad discretion. Counsel should request narrowly tailored conditions and should propose specific alternatives. Sex-offender registration under Chapter 62 attaches to certain computer-crime convictions involving minors and produces lifetime collateral consequences that often outweigh the carceral sentence. Screening for registration consequences must occur before any plea decision.

How to Choose Defense Counsel for a Computer-Crime Case

Computer-crime defense requires technical fluency on top of standard criminal-defense skills. When evaluating counsel, ask the following. Has counsel handled CFAA cases under Van Buren? The 2021 decision changed the framework for "exceeds authorized access" charges, and counsel must be conversant with the new standard. Does counsel work regularly with digital-forensics experts? The names and methodologies of credible defense examiners are not common knowledge, and counsel who has used them will know who fits which case. Has counsel litigated suppression motions involving Riley, Carpenter, and search-warrant overbreadth? Suppression is the most important early-case task in computer-crime defense.

The federal CFAA and Texas Chapter 33 frameworks are technical and evolving. A defendant facing computer-crime charges in Frisco, Plano, McKinney, Dallas, or Fort Worth needs counsel who is admitted in the relevant state or federal court, who has worked on cases of similar scope, and who is prepared to spend the time necessary to challenge each technical element of the government's case. A 30-minute consultation with a candidate should leave the client able to explain the difference between authorization and exceeding authorization, the role of loss in sentencing, the framework for device searches, and the specific defenses that apply to the conduct alleged. If counsel cannot deliver that briefing, the fit is wrong.

To discuss a Texas computer-crime or federal CFAA case with L&L Law Group, call (972) 370-5060 or email info@landllawgroup.com. Initial consultations are free and confidential.

Frequently Asked Questions

Does Van Buren mean I cannot be charged for accessing my employer's computers in a way they did not approve?

It means the federal CFAA cannot reach pure misuse of authorized access. If you had credentials to access the files in question and your only violation was using them for an improper purpose, §1030(a)(2) does not apply. But other statutes might: wire fraud under §1343, trade-secret offenses under the Economic Espionage Act, and Texas state law remedies remain available. The CFAA narrowing is significant but not complete protection.

What is the difference between "without authorization" and "exceeds authorized access" under the CFAA?

"Without authorization" is the classic hacking scenario: you had no credentials and used technical means to enter a system you had no right to enter. "Exceeds authorized access" after Van Buren means you had credentials to part of a system but entered a file, folder, or database outside the scope of your credentials. Both are CFAA violations, and the gates-up-or-down inquiry is the same for each: did you have permission to be in this particular area of the system?

What is the $5,000 loss threshold under the CFAA, and what counts toward it?

$5,000 in loss is the threshold for several CFAA provisions, including the felony enhancement for §1030(a)(2) and the damage element of §1030(a)(5)(B). Loss includes the cost of responding to the incident, conducting a damage assessment, restoring data, and consequential damages from any interruption of service. Speculative future costs, security upgrades not directly tied to the conduct, and double-counted expenses do not qualify. Loss calculation is often the most contested issue in CFAA defense.

Can the police search my phone without a warrant after they arrest me?

Generally no. Under Riley v. California, 573 U.S. 373 (2014), police must obtain a warrant before searching the contents of a cell phone seized incident to arrest. Limited exceptions exist for exigent circumstances, but they are narrow. If your phone was searched after arrest without a warrant, the evidence may be suppressible.

What is online solicitation of a minor under Texas Penal Code §33.021?

§33.021 makes it a crime to solicit a person believed to be younger than 17 to meet for sexual contact. The Texas Court of Criminal Appeals in Ex Parte Lo, 424 S.W.3d 10 (Tex. Crim. App. 2013), struck down the broader "sexually explicit communication" subsection as overbroad. The narrower solicitation subsection §33.021(c) survived and was reaffirmed in subsequent cases. The offense is complete at the time of solicitation, and it is not a defense that the meeting did not occur or that the defendant was engaged in a fantasy.

Will a computer-crime conviction require sex-offender registration?

Some will. Convictions under §33.021 (online solicitation of a minor) trigger registration under Chapter 62 of the Code of Criminal Procedure. Convictions under §33.07 (online impersonation) do not generally trigger registration unless the conduct also involves a registrable offense. Convictions under §33.02 (breach of computer security) do not trigger registration. The registration consequences vary by statute and must be screened for every plea decision.

What is the difference between federal and state computer-crime charges?

Federal charges under 18 U.S.C. §1030 reach "protected computers" used in interstate commerce. State charges under Texas Penal Code Chapter 33 reach computers, computer networks, and computer systems within state jurisdiction. The same conduct can violate both, and dual sovereignty allows both prosecutions. Charging decisions usually depend on which sovereign has the greater interest, the loss amount, and informal coordination between federal and state prosecutors. Defense counsel should ask early whether a parallel investigation exists in the other sovereign.

Can I use information I scraped from a public website without violating the CFAA?

After Van Buren, the law is uncertain but trending in favor of scrapers. The Ninth Circuit in the hiQ Labs v. LinkedIn litigation suggested that scraping public data is generally not a CFAA violation, but cease-and-desist letters, technical countermeasures, and terms of service can complicate the analysis. The safer course is to consult counsel before any large-scale scraping project, particularly one targeting a site whose owner has indicated objection.

Is it a crime to access my spouse's or ex-partner's email account?

It can be. Accessing another person's email or social-media account without their consent may violate the CFAA, the Stored Communications Act, Texas §33.02, and Texas §16.04. The defense often turns on whether consent was given at any point in the relationship and whether that consent was withdrawn. Shared passwords, joint accounts, and family-plan arrangements complicate the authorization analysis. If you have been accused of accessing a former partner's accounts, consult counsel before responding to police.

What can L&L Law Group do for my computer-crime case?

We screen every CFAA and Texas Chapter 33 charge against the current statutory and constitutional framework, identify suppression issues, retain forensic experts where the facts warrant, negotiate with federal and state prosecutors based on the actual loss and role analysis, and prepare for trial when the case requires it. Call (972) 370-5060 or email info@landllawgroup.com for a free initial consultation.

Official Resources

Resource: What It Covers
Tex. Penal Code Ch. 33: Texas computer crime statutes
Tex. Penal Code Ch. 32: Includes §32.51 (identity theft)
18 U.S.C. §1030 (CFAA): Federal Computer Fraud and Abuse Act
18 U.S.C. §1028: Federal identity theft
18 U.S.C. §1028A: Federal aggravated identity theft
Van Buren v. United States: Narrowing CFAA's "exceeds authorized access"
DOJ Computer Crime and Intellectual Property Section: Federal computer crime prosecution
State Bar of Texas: Lawyer referrals

Next Steps

If you are investigated or charged with computer crimes or CFAA violations, consult experienced counsel as early as possible.

Reggie London & Njeri London

Co-Founding Partners · L&L Law Group, PLLC

Reggie London (Tex. Bar #24043514) and Njeri London (Tex. Bar #24043266) co-founded L&L Law Group in Frisco, Texas.

This guide was reviewed by Reggie London on May 30, 2026.

Cite this guide

Bluebook: Reggie London & Njeri London, Texas Computer Crimes and Federal CFAA Defense Guide, L&L Law Group (May 30, 2026), https://landllawgroup.com/insights/texas-computer-crimes-defense-guide/.

APA: London, R., & London, N. (2026, May 30). Texas Computer Crimes and CFAA Defense Guide. L&L Law Group.
