
DOJ Revises Policy for Charging Cases Under the Computer Fraud and Abuse Act

On May 19, 2022, the Department of Justice (“DOJ”) announced a revised policy (“Revised Policy”) for charging violations under the Computer Fraud and Abuse Act (“CFAA”). The Revised Policy is effective immediately.

The Revised Policy for the first time directs that good-faith security research should not be charged. The DOJ provided that “[g]ood faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.” The DOJ's reasoning rested on the practical reality that computer security research is key to improved cybersecurity.

Notwithstanding the foregoing, the DOJ made clear that the Revised Policy would not be a free pass for those acting in bad faith, such as discovering vulnerabilities in devices in order to extort business owners, while claiming “research.”

The Revised Policy advises prosecutors to follow it and to consult with the Criminal Division’s Computer Crime and Intellectual Property Section (“CCIPS”) before bringing charges under the CFAA. If CCIPS recommends against charging, prosecutors must inform the Deputy Attorney General (“DAG”), and in some cases receive approval from the DAG before bringing charges.
