Florida Cybercrime Laws: State Statutes and Enforcement
Florida's cybercrime statutes establish a layered enforcement framework that intersects state criminal law, civil liability, and federal jurisdiction. Chapter 815 of the Florida Statutes — the Florida Computer Crimes Act — defines the primary offense categories, penalty structures, and enforcement authority applicable within the state. This page covers the structure of those statutes, how offenses are classified and prosecuted, the agencies responsible for enforcement, and the boundaries where state law yields to or overlaps with federal authority.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
Florida's cybercrime law operates principally under Chapter 815, Florida Statutes (the Florida Computer Crimes Act), which was enacted to address unauthorized access, data manipulation, and computer fraud as distinct criminal categories. The Act defines a "computer" broadly to encompass electronic, magnetic, optical, or electrochemical devices that process data, and it covers "computer networks," "computer programs," and "computer services" as separate protected assets.
The geographic scope of Chapter 815 applies to offenses committed within Florida or where a computer system located in Florida was targeted, accessed, or affected. Offenses originating outside Florida but targeting Florida-based systems remain prosecutable under state law pursuant to § 815.07, which establishes venue when any element of the crime touches Florida.
Adjacent statutes also operate within this space. Section 817.568, Florida Statutes addresses criminal use of personal identification information, a category that intersects heavily with cybercrime in identity theft scenarios. Section 668.801–668.812, Florida Statutes governs electronic fraud, wire transfer crimes, and fraudulent online solicitation.
Scope boundary: This page covers Florida state statutes and enforcement mechanisms. Federal cybercrime law — including the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 — operates concurrently but is not Florida-specific and falls outside this page's coverage. Regulatory compliance obligations under HIPAA, GLBA, or federal critical infrastructure mandates are similarly outside this page's primary scope, though those frameworks are addressed in the Regulatory Context for Florida Cybersecurity reference.
Core mechanics or structure
Chapter 815 establishes offense definitions across five primary categories:
§ 815.04 — Offenses Against Computer Users: Prohibits willful, knowing, or reckless modification, destruction, disclosure, or denial of access to data or computer systems belonging to another. A first violation can constitute a third-degree felony; subsequent or aggravated violations escalate to second-degree felony status.
§ 815.06 — Offenses Against Computer Equipment or Supplies: Addresses physical or electronic destruction or theft of computer equipment, peripherals, and software belonging to another. Penalties scale with the value of the damage: damage exceeding $5,000 elevates the charge to a third-degree felony under § 775.082–775.083, Florida Statutes.
§ 815.045 — Trade Secret Information: Specifically criminalizes the taking of trade secret data from computer systems, recognizing the overlap between cybercrime and economic espionage.
The statute's penalty framework feeds into Florida's general criminal sentencing scoresheet system administered under Chapter 921. Points are assigned per offense severity level, and prior convictions compound sentencing exposure. Cybercrime offenses at the third-degree felony level carry a statutory maximum of 5 years imprisonment; second-degree felonies carry a 15-year maximum (§ 775.082, Florida Statutes).
Civil remedies are available in parallel. Any person whose data, equipment, or computer service was damaged or destroyed may pursue civil action under § 815.04(5) to recover actual damages, reasonable attorney's fees, and costs — including injunctive relief.
Causal relationships or drivers
Florida's cybercrime enforcement landscape is shaped by three convergent pressures: the concentration of high-value targets in the state, legislative responsiveness to emerging threat categories, and the structural capacity of law enforcement agencies.
Florida consistently ranks among the top 3 states nationally for reported internet crime losses, according to the FBI Internet Crime Complaint Center (IC3) 2023 Internet Crime Report, which reported Florida residents losing over $874 million in 2023 — the third-highest total of any state. The density of healthcare organizations, financial institutions, tourism infrastructure, and government entities creates a concentrated attack surface. The threat landscape specific to Florida is catalogued in the Florida Cyber Threat Landscape reference.
Legislative drivers include the 2022 amendments to Chapter 815 that clarified ransomware as an explicit offense category, responding to the documented increase in ransomware incidents targeting Florida municipalities and school districts. Florida ransomware threats are documented separately, but the statutory response — designating ransomware deployment as a first-degree felony under certain conditions — reflects direct legislative-to-statute causation.
The Florida Department of Law Enforcement (FDLE) and its Cyber Crime Unit function as the primary state-level enforcement driver, working in coordination with the 20 judicial circuits across the state.
Classification boundaries
Florida cybercrime offenses are classified across four dimensions: severity of harm, target type, actor intent, and value threshold.
By severity of harm:
- Misdemeanor: Unauthorized access without data compromise, low-value interference
- Third-degree felony: Unauthorized access causing disruption; damage between $200 and $5,000
- Second-degree felony: Attacks on critical infrastructure; damage exceeding $5,000; offenses involving minors
- First-degree felony: Ransomware attacks that interrupt critical public services; attacks resulting in serious bodily harm
By target type:
- Private individual systems
- Business systems
- Government systems (heightened penalties apply under § 815.04(4))
- Critical infrastructure (additional exposure under Florida's Critical Infrastructure Protection Act)
By actor intent:
- Knowing and willful (highest culpability)
- Reckless (lower but still criminal)
- Negligent access is generally not criminalized under Chapter 815 but may trigger civil liability
The distinction between state and federal prosecution is driven by nexus: offenses that cross state lines or involve interstate commerce are typically prosecuted federally under 18 U.S.C. § 1030, while purely intrastate offenses remain in state jurisdiction. Dual prosecution is legally permissible under the dual-sovereignty doctrine.
Tradeoffs and tensions
Breadth vs. precision in § 815.04: The statutory language covering "willful, knowing, or reckless" conduct creates prosecutorial flexibility but generates defense challenges around intent. The recklessness standard, in particular, has been contested in cases involving security researchers and penetration testers who access systems without explicit authorization but with plausible justification.
State vs. federal jurisdictional competition: When an incident involves both intrastate and interstate elements — common in cloud-hosted environments — agencies must negotiate jurisdiction. The FBI's Cyber Division typically assumes primary jurisdiction when federal nexus is present, which can reduce Florida state prosecutors' ability to pursue cases independently. This dynamic is explored in the Florida Law Enforcement Cyber Units reference.
Civil remedy access vs. criminal prosecution: Victims who pursue civil remedies under § 815.04(5) may inadvertently complicate parallel criminal prosecutions, particularly around discovery and the use of evidence obtained through civil subpoena.
Ransomware prosecution vs. victim negotiation: Florida statute prohibits ransom payments to sanctioned entities under overlapping federal OFAC regulations, yet no Florida statute explicitly prohibits ransom payment per se. This gap creates a tension between victim response practices and law enforcement preferences, a dimension covered in Florida Ransomware Threats.
Common misconceptions
Misconception: Unauthorized access requires "hacking" tools or malware.
Correction: Under § 815.04, unauthorized access includes use of a legitimately obtained password to access a system the user is not authorized to use — no technical exploitation is required. Accessing a former employer's database with a retained credential constitutes a violation.
Misconception: Florida cybercrime law only applies to data theft.
Correction: Chapter 815 criminalizes modification, destruction, disclosure, and denial of access — not just theft. Deleting records or disrupting service without taking data still constitutes an offense.
Misconception: Federal prosecution preempts state charges.
Correction: The dual-sovereignty doctrine allows both federal and state prosecution for the same underlying conduct. Florida prosecutors retain independent authority under Chapter 815 regardless of federal action.
Misconception: Small-scale intrusions below $200 in damage are not criminal.
Correction: The $200 threshold applies to the misdemeanor-to-felony escalation, but unauthorized access itself is a criminal offense regardless of damage amount under § 815.06.
Misconception: Civil liability requires criminal conviction first.
Correction: Florida's civil remedy provision under § 815.04(5) is independent of criminal prosecution. A civil plaintiff need only satisfy the civil preponderance standard, not prove guilt beyond reasonable doubt.
Checklist or steps (non-advisory)
The following sequence reflects the documented incident-to-prosecution workflow under Florida cybercrime statutes. It describes the structural process, not a recommended course of action for any specific situation.
Florida Cybercrime Case Processing Sequence
-
Incident identification — Victim or system owner identifies unauthorized access, data manipulation, or service disruption affecting a Florida-based system or Florida resident.
-
Initial report filing — Report submitted to local law enforcement, FDLE, or the FBI IC3 portal. FDLE accepts reports through its Cybercrime Reporting portal; local agencies may route cases to FDLE's Cyber Crime Unit.
-
Jurisdiction determination — Agencies assess whether the offense is intrastate (Chapter 815 primary), interstate (federal CFAA primary), or subject to concurrent jurisdiction.
-
Preservation request — Law enforcement may issue a preservation letter to internet service providers and cloud providers under 18 U.S.C. § 2703(f), requiring data retention pending formal legal process.
-
Forensic investigation — FDLE Cyber Crime Unit or FBI Cyber Division conducts digital forensics. Chain of custody protocols apply; evidence must meet Florida Rules of Evidence standards for admissibility.
-
Charge assessment — State attorney's office reviews offense classification under Chapter 815 and Florida Statutes § 775 for applicable felony or misdemeanor designation.
-
Grand jury or direct filing — Felony charges proceed via grand jury indictment or state attorney's direct filing (information) under Florida Rule of Criminal Procedure 3.140.
-
Prosecution and sentencing — Conviction results in sentencing under Chapter 921 scoresheet calculation; victim may simultaneously pursue civil remedies under § 815.04(5).
-
Post-conviction — Offenders convicted of computer crimes may be subject to restitution orders, supervised release conditions restricting computer access, and forfeiture of equipment used in the offense.
For broader context on how Florida structures its cybersecurity service sector, the Florida Cybersecurity Authority Index provides an overview of related coverage areas, including Florida Cybersecurity Incident Response procedures.
Reference table or matrix
Florida Cybercrime Offense Classification Matrix
| Offense | Statute | Minimum Classification | Penalty Ceiling | Damage/Value Threshold |
|---|---|---|---|---|
| Unauthorized access (basic) | § 815.04 | 1st-degree misdemeanor | 1 year / $1,000 fine | Below $200 damage |
| Unauthorized access (data disruption) | § 815.04 | 3rd-degree felony | 5 years / $5,000 fine | $200–$5,000 damage |
| Unauthorized access (critical infrastructure / government) | § 815.04(4) | 2nd-degree felony | 15 years / $10,000 fine | Any damage |
| Computer equipment destruction | § 815.06 | 3rd-degree felony | 5 years / $5,000 fine | Damage exceeds $200 |
| Trade secret data theft via computer | § 815.045 | 3rd-degree felony | 5 years / $5,000 fine | Any |
| Ransomware deployment (critical services) | § 815.04 (as amended) | 1st-degree felony | 30 years | Any |
| Criminal use of personal ID via computer | § 817.568 | 3rd-degree felony | 5 years per count | Any |
| Electronic wire fraud | § 668.801–668.812 | 3rd-degree felony | 5 years | Below $50,000 |
| Electronic wire fraud (large scale) | § 668.801–668.812 | 2nd-degree felony | 15 years | Exceeds $50,000 |
Penalty ceilings derived from § 775.082–775.083, Florida Statutes. Individual case outcomes depend on prior record, victim count, and scoresheet calculation under Chapter 921.
References
- Florida Computer Crimes Act, Chapter 815, Florida Statutes
- Florida Statutes § 817.568 — Criminal Use of Personal Identification Information
- Florida Statutes § 775.082–775.083 — Felony Penalties
- Florida Statutes Chapter 668 — Electronic Commerce
- Computer Fraud and Abuse Act, 18 U.S.C. § 1030
- 18 U.S.C. § 2703 — Required Disclosure of Customer Communications or Records
- FBI Internet Crime Complaint Center (IC3) — 2023 Internet Crime Report
- FBI Cyber Division
- Florida Department of Law Enforcement (FDLE)
- Florida Senate — Statutes & Constitution Search