Department of Justice Revises Policy for Charging Cases Under the Computer Fraud and Abuse Act

Alvaro Marañon
Thursday, May 19, 2022, 2:59 PM

Federal prosecutors are advised to not charge good-faith security research under the CFAA.

Published by The Lawfare Institute in Cooperation With Brookings

The Department of Justice announced a revision to its policy for charging cases under the Computer Fraud and Abuse Act (CFAA). The CFAA permits prosecutors to address cyber-based crimes. For the first time under the CFAA, the policy “directs that good-faith security research should not be charged.” Deputy Attorney General Lisa O. Monaco acknowledged that “[c]omputer research is a key driver of improved cybersecurity” and that “the department has never been interested in prosecuting good-faith computer research as a crime.” 

All federal prosecutors are directed to follow the new policy and to consult with the Criminal Division’s Computer Crime and Intellectual Property Section before bringing any charges. The policy reflects the Department’s shifted focus toward more blatant instances of individuals exceeding their permitted access to a device. However, the updated policy does not give “a free pass for those acting in bad faith” when conducting security research, such as instances where one is “discovering vulnerabilities in devices in order to extort their owners.”

The new policy is available here or below. 


Alvaro Marañon is a former fellow in Cybersecurity Law at Lawfare. Alvaro is a graduate of the American University Washington College of Law and the University of New Hampshire.
