Substantive criminal cyberlaw

Substantive criminal cyberlaw

by John Bandler

Substantive criminal cyberlaw is that portion of criminal cyberlaw that relates to the actual crimes that a prosecutor could charge a cybercriminal with.

Explaining the terms and where you are with this article

Let's unpack each word in the term "substantive criminal cyberlaw" with some rough definitions.

• Cyberlaw = cyber + law. Areas of law that involve the internet and cyberspace
• Criminal law = areas of law that are not "civil law" but involve crimes and their prosecution
• Substantive law = laws for conduct, meaning laws about what you can do or not do (in criminal law it is about what you cannot do). Compare there are also laws of procedure, or about the process of how the legal cases flow.

Since this article is about substantive criminal cyberlaw, we essentially cover the crimes that a prosecutor could charge that relate to cybercrime.

Cyberlaw recap

Remember that cyberlaw is the merging of two words, "cyber" and "law".

Cyber essentially means using cyberspace, using the Internet and a computer.

Law is our system of laws, which is a continually evolving process that started hundreds of years ago (thousands even) and continues.

More on this in my article on cyberlaw.

The parts of criminal cyberlaw

Criminal cyberlaw is the portion of cyberlaw that relates to "crime". Think cybercrime.

Cybercrime involves people and organizations committing those crimes, usually for profit and greed and to make money.

Cybercrime involves victims and people and organizations trying to protect against cybercrime attacks, and responding to them. Here we need to think about civil cyberlaws, which impose obligations upon these people and organizations for data breach reporting, cybersecurity, privacy, and more. More on this civil cyber laws below.

Cybercrime also involves government investigating and attempting to prosecute cybercriminals.

As we think about criminal cyberlaw, we think about two important parts:

• Substantive criminal law (the laws that cybercriminals violate and could be charged with, if identified and apprehended)
• Procedural criminal law (the process of investigating and prosecuting cybercriminals)

As above, I put the "civil" cyberlaws into a different category, covering them separately.

Substantive criminal cyber specific laws

Before we dive into various statutes that cybercriminals could be charged with violating, let's consider some categories of cybercrime substantive statutes:

• Federal laws vs. state laws
• "Traditional" crimes vs. "cyber-specific" crimes

As we think like prosecutor, we remember that the prosecutor is either federal or state, and that determines whose laws they are going to enforce (charge). Then we look to the entire body of that law to see what charges are available, and try pick the "best" ones.

Most cybercrime is about theft, so we should consider those "traditional" criminal substantive laws including:

• Theft crimes
• Identity theft crimes
• Money laundering crimes.

Where criminals earn a lot of money through their illegal activity, they need to move and hide (launder) those proceeds, so prosecutors should also consider following the money and charging money laundering as an offense.

For cybercrime, we (of course) need to consider specific cybercrime statutes that relate to cybercrime conduct, including:

• Laws about intruding into computers and data systems
• Laws about stealing data
• Laws about monitoring communications.

Here are some specific statutes to consider charging, from the perspective of a New York State prosecutor and then a federal prosecutor.

New York

• NY PL 155.00, Larceny and definitions, Petit Larceny, Grand Larceny in the Fourth Degree, https://ypdcrime.com/penal.law/article155.php
• NY PL 190.77, 190.78, Identity Theft, definitions, Identity Theft Third Degree, etc., https://ypdcrime.com/penal.law/article190.php#p190.77
• NY PL 470.00, Money Laundering and definitions, Money Laundering in the Fourth Degree, etc. https://ypdcrime.com/penal.law/article470.php
• NY PL 156.05, Unauthorized use of a computer, 156.10, Computer Trespass, https://ypdcrime.com/penal.law/article156.php

Federal (U.S.)

• Computer Fraud and Abuse Act (CFAA), 18 U.S. Code § 1030 - Fraud and related activity in connection with computers, https://www.law.cornell.edu/uscode/text/18/1030
• Electronic Communications Privacy Act (ECPA),
  • Title I: Wiretap Act 18 U.S.C. §§ 2510–2523, https://www.law.cornell.edu/uscode/text/18/part-I/chapter-119
  • Title II: Stored Communications Act (SCA) 18 U.S.C. §§ 2701–2713, https://www.law.cornell.edu/uscode/text/18/2713
  • Title III: Pen Registers and trap and trace devices 18 U.S.C. §§ 3121–3127, https://www.law.cornell.edu/uscode/text/18/part-II/chapter-206

• 18 U.S.C. §1028, Fraud and related activity in connection with identification documents, authentication features, and information, https://www.law.cornell.edu/uscode/text/18/1028
• 18 U.S.C. §1956 Laundering of Monetary Instruments, https://www.law.cornell.edu/uscode/text/18/1956
• 18 U.S.C. §1957 Engaging in monetary transactions in property derived from specified unlawful activity,    https://www.law.cornell.edu/uscode/text/18/1957

The value of thinking like a prosecutor

I encourage students and learners to "think like a prosecutor" when assessing criminal laws (including cybercrime substantive criminal laws).

That requires important knowledge and skills and thinking about:

• Facts
• Law
  • Substantive laws (the crimes that could be charged)
  • Procedural laws to investigate (to gather evidence)
  • Procedural laws to prosecute (to litigate and prove guilt)
• The interests of justice (what is fair)
• How others will think about it.

As the prosecutor thinks, they also think like a defense attorney (who will attack the case -- that's their job) and a judge (who will make many legal rulings on the case) and as a juror (who will make the ultimate decisions on the facts of a case, if it gets there).

As we focus on substantive laws, the prosecutor needs to decide what charges to pursue. Initially, this would be within a Grand Jury presentation, where the prosecutor needs to obtain evidence, present it to a Grand Jury, and then ask them to vote to approve (indict) certain substantive charges.

To do all this, the prosecutor needs to assess the evidence, facts, and all possible criminal charges, assess procedural limitations, and then pick those specific criminal charges that the Grand Jury should vote on. Ultimately, the prosecutor knows they would be required to prove each charge beyond a reasonable doubt (BRD) to the judge and jury's satisfaction.

Thinking like a prosecutor is a helpful way to accurately learn about all of these issues.

Is there more to know about substantive criminal cyberlaw?

Of course, see some of the references below, especially my 2020 book Cybercrime Investigations and book on Cyberlaw.

Conclusion

Criminal cyberlaw is a fascinating area built on traditional law. We can broaden our understanding of traditional law, and then see how it applies to cyber, and examine new rules relating to cyber.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

Additional reading on this site

• Introduction to Law (Outline)
• Rules
• Law
• Cyberlaw (this article)
  • Cyberlaw things to know
  • Criminal cyberlaw
    • Substantive criminal cyberlaw (this article)
    • Procedural criminal cyberlaw
• Civil Law
  • Civil cyberlaw
• Criminal Law
• U.S. Constitution
• Cybersecurity Laws and Regulations Part 1
• Cybercrime
  • The Three Priority Cybercrime Threats
  • The Western Express Case
  • Identity theft
• Introduction to Cybersecurity and Information Security
• Cybersecurity for the Home and Office (book)
• Cybercrime Investigations (book), special attention to Chapter 6 and Chapter 7
• Policies and Procedures (book)
• Cyberlaw Book

This article is hosted at https://johnbandler.com/criminal-cyberlaw-substantive, copyright John Bandler, all rights reserved.

Originally posted 9/29/2024, updated 9/29/2024.