DOJ Revises Policy for Charging Cases under the Computer Fraud and Abuse Act
The DOJ revised its policy for bringing charges under the Computer Fraud and Abuse Act ("CFAA") by directing federal prosecutors not to charge "good-faith security research." This revised policy replaces a 2014 policy and is immediately effective.
The DOJ stated that under this revised policy, good-faith security research is defined as "accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability," subject to certain conditions. According to the DOJ, the revised policy will concentrate prosecutorial efforts on cases where the defendant either (i) is not authorized to access a computer or (ii) has limited access to a computer and violates the scope of the access granted.
The updated policy also requires prosecutors intending to bring charges under the CFAA to first consult with the Criminal Division's Computer Crime and Intellectual Property Section ("CCIPS"). In the event CCIPS recommends against charging, prosecutors must notify the Deputy Attorney General (and, in certain cases, receive approval) prior to proceeding with charges.
Commentary
In the nearly four decades since the CFAA's 1986 enactment, computers have become vastly more integrated into virtually every aspect of Americans' lives. Critics (and courts) have assailed some recent instances of the DOJ's CFAA enforcement as overbroad. The new policy and consultation requirement reflect ongoing DOJ efforts to ensure a measured and consistent approach.