
DOJ Announces It Will Not Charge CFAA Violations For Good-Faith Security Research – Security



The Department of Justice recently announced a revision of its policy concerning charging violations of the
Computer Fraud and Abuse Act (the “CFAA”). Following
recent decisions from the Supreme Court and appellate courts that seemingly narrow the
scope of civil liability under the CFAA, the DOJ’s new policy
may likewise limit criminal prosecutions under the law.

As regular readers of this blog are well aware, the CFAA
provides that “[w]hoever … intentionally accesses a computer
without authorization or exceeds authorized access, and thereby
obtains … information from any protected computer … shall be
punished” by fine or imprisonment. The DOJ’s
announced policy, however, now directs that “good-faith
security research” should not be charged. “Good faith
security research” means “accessing a computer solely for
purposes of good-faith testing, investigation, and/or correction of
a security flaw or vulnerability, where such activity is carried
out in a manner designed to avoid any harm to individuals or the
public, and where the information derived from the activity is used
primarily to promote the security or safety of the class of
devices, machines, or online services to which the accessed
computer belongs, or those who use such devices, machines, or
online services.”

The new policy highlights the DOJ’s goal to promote privacy
and cybersecurity by upholding the legal rights of individuals and
network owners to ensure confidentiality and availability of
information stored in their information systems. Thus, the DOJ will
consider several factors in determining whether CFAA prosecution
should be pursued, including:

  1. the sensitivity of the affected computer system and harm
    associated with unauthorized access;

  2. concerns pertaining to national security, critical
    infrastructure, public health and safety, market integrity,
    international relations, or other considerations having broad
    impact on national economic interests;

  3. if the activity was in furtherance of a larger criminal
    endeavor or posed risk of bodily harm or a threat to national

  4. the impact of the crime and prosecution on third parties;

  5. the deterrent value of an investigation or prosecution;

  6. the nature of the impact the conduct has on a particular community;

  7. whether another jurisdiction is likely to prosecute the
    criminal conduct effectively; and

  8. the defendant’s conduct consisted of good-faith security

Consistent with a recent decision from the Ninth Circuit that
scraping information from public LinkedIn accounts did not amount
to a violation of the CFAA, the DOJ will not prosecute if the
defendant’s authorization to access a particular file was
conditioned by a contract or agreement, nor will a prosecution be
brought if a defendant exceeds authorized access solely by
violating an access restriction contained in a contractual
agreement or term of service with an Internet service provider or
web service available to the general public. Prosecution may,
however, be brought against a defendant who accesses a multi-user
web service, and is authorized to access only his own account on
that service, but instead accesses someone else’s account.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
