Alston & Bird Privacy, Cyber & Data Strategy Blog

DOJ Issues New Policy on CFAA Prosecutions

May 19, 2022 By Kellen Dwyer, Kim Peretti and Jon Knight

Today, the Department of Justice (“DOJ”) updated its policy regarding charging violations under the Computer Fraud and Abuse Act (“CFAA”).  This is the first update to the DOJ’s policy since 2014, and it is effective immediately.  The policy states that all federal prosecutors who wish to charge cases under the CFAA must follow the new policy and consult with the Criminal Division’s Computer Crime and Intellectual Property Section before bringing any charges.  Importantly, the policy delineates what activities should not be criminal violations of the CFAA and emphasizes that DOJ’s “goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.”

Good-Faith Security Research Should Not Trigger Criminal Charges Under The CFAA.

For the first time, the policy now expressly states that “the government should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.”  As noted by Deputy Attorney General Lisa O. Monaco, “today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”  The policy defines “good-faith security research” as accessing a system “solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”  However, “claiming to be conducting security research is not a free pass,” and DOJ re-affirms that any attempt at extortion is not good-faith research.

The Policy Clarifies (And Narrows) What It Means To “Exceed Authorized Access.”

Courts interpreting the CFAA have often expressed concern over hypothetical violations of the CFAA for “exceed[ing] authorized access.”  In a nod to the Supreme Court’s decision in United States v. Van Buren (2021), the new policy prohibits CFAA prosecutions based on a theory that the “defendant’s authorization to access a particular file, database, folder, or user account was conditioned by a contract, agreement, or policy,” such as a website’s terms and conditions. Yet, the new policy leaves open a “narrow exception” that would allow a CFAA prosecution based on a contractual limitation if the owner of the accessed computer had a “contract[], agreement[], or polic[y] that entirely prohibit[s] defendants from accessing particular files, databases, folders, or user accounts on a computer in all circumstances.”  Such a prosecution would raise a question that the Supreme Court expressly reserved in Van Buren and would likely be hotly contested.

Filed Under: Cybercrime, Digital Crimes

About Kellen Dwyer

Kellen Dwyer is a partner and co-leader of Alston & Bird’s National Security & Digital Crimes practice. He previously served in the Justice Department in several cyber and national security roles. As an assistant U.S. attorney in the Eastern District of Virginia, he obtained a computer hacking indictment against Julian Assange and represented the United States at Assange’s extradition hearings in London.

About Kim Peretti

A former DOJ cybercrime prosecutor and former director of PwC's cyber forensics group, Kim delivers top-of-the-line cyber risk management and information security counsel to her clients. As co-leader of our Privacy, Cyber & Data Strategy Team, Kim is recognized by select publications and is frequently quoted by the media.

About Jon Knight

Jon Knight is a senior associate with Alston & Bird’s Privacy, Cyber & Data Strategy Team in the Washington, D.C. office. He focuses his practice on cybersecurity and privacy compliance and enforcement, as well as emerging technology issues.
This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.
Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.