by Harley Geiger and Tanvi Chopra

Harley Geiger and Tanvi Chopra (photos courtesy of the authors)

On Nov. 21, 2024, the Virginia Supreme Court issued a pivotal ruling with significant implications for corporate security, ethical hacking, and everyday computer users. The Commonwealth v. Wallace decision greatly expands the scope of Virginia’s computer fraud law, turning any unauthorized use of a computer into a state hacking crime.

The Hacking Policy Council previously warned that overbroad state laws risk conflating security research and ordinary internet activities with malicious cybercrime. While substantial progress on this issue has been made at the federal level, sweeping state statute language and court decisions like Commonwealth v. Wallace demonstrate the need for engagement to focus enforcement of state anti-hacking laws on actual criminal behavior.

In the meantime, state laws continue to be a legal minefield for ethical hackers who test systems to identify vulnerabilities in an effort to improve cybersecurity. Prosecutor discretion and guidelines will be key to focusing broad state computer crime laws on malicious behavior and not good faith security researchers. Continue reading →