June 5, 2023

Volume XIII, Number 156



DOJ Limits Application of Computer Fraud and Abuse Act, Providing Clarity for Ethical Hackers and Employees Paying Bills at Work Alike

On May 19, 2022, the Department of Justice announced it would not charge good-faith hackers who expose weaknesses in computer systems with violating the Computer Fraud and Abuse Act (CFAA or Act), 18 U.S.C. § 1030. Congress enacted the CFAA in 1986 to promote computer privacy and cybersecurity and amended the Act several times, most recently in 2008. However, the evolving cybersecurity landscape has left courts and commentators troubled by potential applications of the CFAA to circumstances unrelated to the CFAA’s original purpose, including prosecution of so-called “white hat” hackers. The new charging policy, which became effective immediately, seeks to advance the CFAA’s original purpose by clarifying when and how federal prosecutors are authorized to bring charges under the Act.

DOJ to Decline Prosecution of Good-Faith Security Research

The new policy exempts activity of white-hat hackers and states that “the government should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.” The policy defines “good-faith security research” as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

In practice, this policy appears to provide, for example, protection from federal charges for the type of ethical hacking a St. Louis Post-Dispatch reporter performed in 2021. The reporter uncovered security flaws in a Missouri state website that exposed the Social Security numbers of over 100,000 teachers and other school employees. The Missouri governor’s office initiated an investigation into the reporter’s conduct for unauthorized computer access. While the DOJ’s policy would not affect prosecutions under state law, it would preclude federal prosecution for the conduct if determined to be good-faith security research.

The new policy also promises protection from prosecution for certain arguably common but contractually prohibited online conduct, including “[e]mbellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service.” Such activities resemble the facts of Van Buren v. United States, No. 19-783, which the Supreme Court decided in June 2021. In Van Buren, the 6-3 majority rejected the government’s broad interpretation of the CFAA’s prohibition on “unauthorized access” and held that a police officer who looked up license plate information on a law-enforcement database for personal use—in violation of his employer’s policy but without circumventing any access controls—did not violate the CFAA. The DOJ did not cite Van Buren as the basis for the new policy. Nor did the DOJ identify any other impetus for the change.

To Achieve More Consistent Application of Policy, All Federal Prosecutors Must Consult with Main Justice Before Bringing CFAA Charges

In addition to exempting good-faith security research from prosecution, the new policy specifies the steps for charging violations of the CFAA. To help distinguish between actual good-faith security research and pretextual claims of such research that mask a hacker’s malintent, federal prosecutors must consult with the Computer Crime and Intellectual Property Section (CCIPS) before bringing any charges. If CCIPS recommends declining charges, prosecutors must inform the Office of the Deputy Attorney General (DAG) and may need to obtain approval from the DAG before initiating charges.

©2023 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 144

About this Author


Kyle R. Freeny, a skilled trial attorney and former federal prosecutor for the Special Counsel’s Office and the Department of Justice (DOJ), Criminal Division’s Money Laundering and Asset Recovery Section (MLARS), focuses her practice on white collar criminal defense, government and internal investigations, and anti-money laundering (AML) and international corruption matters.

Kyle was one of 19 prosecutors selected by Robert S. Mueller III to conduct the high-profile investigation into alleged Russian election interference, coordination between Russian officials and the Trump...


Linda M. Ricci focuses her practice on white collar criminal defense, including matters related to corporate compliance and internal investigations, government investigations, money laundering violations, criminal tax offenses, forfeiture, wire fraud, securities fraud, theft of public funds, obstruction of justice, insider trading, and health care fraud.

Linda draws from more than 15 years of experience working for the U.S. Attorney’s Office for the District of Massachusetts, where she served as Chief of the Narcotics and Money Laundering Unit...


Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on...


Brittany M. Fisher is a member of the Litigation Practice in Greenberg Traurig’s Boston office. Her practice includes commercial litigation, white collar defense, and eDiscovery matters. Prior to joining the firm, Brittany served as an Assistant U.S. Attorney in the Eastern District of Virginia, where she presented evidence in jury trials and investigated mail fraud, wire fraud, bank fraud, and aggravated identity theft, among other crimes. She also worked as a litigation associate in the Washington, D.C. office of a large, international law firm.