DOJ Announces It Will Not Charge CFAA Violations for Good-Faith Security Research

Seyfarth Shaw LLP

The Department of Justice recently announced a revision of its policy concerning charging violations of the Computer Fraud and Abuse Act (the “CFAA”). Following recent decision from the Supreme Court and appellate courts that seemingly narrow the scope of civil liability under the CFAA, the DOJ’s new policy may likewise limit criminal prosecutions under the law.

As regular readers of this blog are well aware, the CFAA provides that “[w]hoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer … shall be punished” by fine or imprisonment.” The DOJ’s announced policy, however, now directs that “good-faith security research” should not be charged. “Good faith security research” means “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The new policy highlights the DOJ’s goal to promote privacy and cybersecurity by upholding the legal rights of individuals and network owners to ensure confidentiality and availability of information stored in their information systems. Thus, the DOJ will consider several factors in determining whether CFAA prosecution should be pursued, including

  1. the sensitivity of the affected computer system and harm associated with unauthorized access;
  2. concerns pertaining to national security, critical infrastructure, public self and safety, market integrity, international relations, or other considerations having broad impact on national economic interests;
  3. if the activity was in furtherance of a larger criminal endeavor or posed risk of bodily harm or a threat to national security;
  4. the impact of the crime and prosecution on third parties;
  5. the deterrent value of an investigation or prosecution;
  6. the nature of the impact has on a particular community;
  7. whether another jurisdiction is likely to prosecute the criminal conduct effectively; and
  8. the defendant’s conduct consisted of good-faith security research.

Consistent with a recent decision from the Ninth Circuit that scraping information from public LinkedIn accounts did not amount to a violation of the CFAA, the DOJ will not prosecute if the defendant’s authorization to access a particular file was conditioned by a contract or agreement, nor will a prosecution be brought if a defendant exceeds authorized access solely by violating an access restriction contained in a contractual agreement or term of service with an Internet service provider or we service available to the general public. Prosecution may, however, be brought against a defendant who accesses a multi-user web service, and is authorized to access only his own account on that service, but instead accesses someone else’s account.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Seyfarth Shaw LLP | Attorney Advertising

Written by:

Seyfarth Shaw LLP

Seyfarth Shaw LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.