The Department of Justice announced a revision to its policy for charging cases under the Computer Fraud and Abuse Act (CFAA). The CFAA permits prosecutors to address cyber-based crimes. For the first time under the CFAA, the policy “directs that good-faith security research should not be charged.” Deputy Attorney General Lisa O. Monaco acknowledged that “[c]omputer research is a key driver of improved cybersecurity” and that “the department has never been interested in prosecuting good-faith computer research as a crime.”
All federal prosecutors are directed to follow the new policy and to consult with the Criminal Division’s Computer Crime and Intellectual Property Section before bringing any charges. The policy reflects the Department’s shifted focus toward more blatant instances of individuals exceeding their permitted access to a device. However, the updated policy does not give “a free pass for those acting in bad faith” when conducting security research, such as instances where one is “discovering vulnerabilities in devices in order to extort their owners.”
The new policy is available here or below.