June 26, 2022

Volume XII, Number 177


June 24, 2022


DOJ’s New CFAA Policy: Relief for White Hat Hackers and Web Scrapers?

In an effort to “promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems,” the US Department of Justice (DOJ) recently announced an updated policy directing that good-faith security research not be charged under the federal Computer Fraud and Abuse Act (CFAA), provided that:

  • The activity involves accessing a computer solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability;

  • Such activity is carried out in a manner designed to avoid any harm to individuals or the public; and

  • The information derived from the activity is used primarily to promote the security or safety of the class of devices, machines or online services to which the accessed computer belongs, or those who use such devices, machines or online services.[1]

Security “research” for the purpose of discovering security holes in devices, machines or services in order to “extort” the owners of such devices, machines or services is not considered in good faith.

The new policy also provides further clarity on CFAA charging in the wake of the US Supreme Court’s decision in Van Buren v. United States, 141 S. Ct. 1648 (2021). The DOJ has announced that it will not charge defendants with:

  • Accessing computers “without authorization” unless, at the time of the defendant’s conduct, (1) the defendant was not authorized to access the protected computer under any circumstances by any person or entity with the authority to grant such authorization; (2) the defendant knew of the facts that made the defendant’s access without authorization; and (3) prosecution would serve the DOJ’s goals for CFAA enforcement; and

  • “Exceeding authorized access” unless, at the time of the defendant’s conduct, (1) a protected computer is divided into areas, such as files, folders, user accounts or databases; (2) that division is established in a computational sense, that is, through computer code or configuration, rather than through contracts, terms of service agreements or employee policies; (3) a defendant is authorized to access some areas, but unconditionally prohibited from accessing other areas of the computer; (4) the defendant accessed an area of the computer to which his authorized access did not extend; (5) the defendant knew of the facts that made his access unauthorized; and (6) prosecution would serve the DOJ’s goals for CFAA enforcement.

The DOJ’s new policy provides needed clarity to a dynamically evolving area of the law, but questions remain about the distinction between “extortion” and legitimate remuneration for discovered vulnerabilities, the boundaries of permissible offensive cybersecurity activities, and civil relief under the CFAA and state CFAA analogues, among other areas.


[1] DOJ’s new CFAA policy complements other helpful guidance that the Department has issued in the area of cybersecurity, including: Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources (Feb. 2020), Best Practices for Victim Response and Reporting of Cyber Incidents (Sep. 2018) and A Framework for a Vulnerability Disclosure Program for Online Systems (July 2017).

© 2022 McDermott Will & Emery. National Law Review, Volume XII, Number 146

About this Author

Scott Ferber Cybersecurity Attorney McDermott Will and Emery Washington DC

Scott leverages his extensive experience as a former federal cybercrime prosecutor and in senior leadership at the US Department of Justice (DOJ) to advise clients across industries on the full range of privacy and security issues created by global data collection and usage. This includes responding to cyber incidents and managing complex privacy and cyber risk assessments. Scott often defends clients in regulatory investigations from the Federal Trade Commission (FTC), State Attorneys General and other federal, state and local regulators and criminal authorities.


Todd S. McClelland advises companies on complex, international legal issues associated with cybersecurity breaches and compliance, data privacy compliance, and data, technology, cloud and outsourcing transactions. Todd counsels clients in many industries, including payment processors, cybersecurity product providers, retailers, petro companies, financial institutions and traditional brick-and-mortar companies.

Prior to his legal career, Todd was an engineer designing and programming industrial control, robotics and automation systems. This background gives him unique perspective and...

Robert Duffy Counsel Attorney Cybersecurity Privacy Washington DC

Robert Duffy helps clients manage their cybersecurity, privacy, and information technology legal risks by delivering practical advice, navigating crisis response and aggressively pursuing justice for victims of cybercrime and business torts. Robert conducts internal investigations into security incidents, vulnerability reports, potential compliance issues, insider threats and other high-stakes matters. Robert helps clients meet regulatory and legal obligations by assessing cybersecurity maturity and developing cost-effective and risk-prioritized remediation plans and...

David Sorenson Associate McDermott Will & Emery

David Sorenson focuses his practice on global privacy & cybersecurity matters.

During law school, David served as an editor of the Southern California Interdisciplinary Law Journal. He was also executive director of the People’s Tax Page, a tax policy nonprofit.