June 01, 2022

On May 19, 2022, the Department of Justice (DOJ) issued revisions to its existing policy for charging offenses under the Computer Fraud and Abuse Act (CFAA) (2022 CFAA Policy). The revisions state that “good-faith” security research will not be charged as a criminal CFAA violation. Comments accompanying the revised policy statement also highlight the importance of technical barriers—in addition to contractual limits—to determinations of when access exceeds authorization. Although the announcement regarding security research made a splash in the press, it is unclear to what degree the policy represents a change in how DOJ will approach cases. Nor can security researchers rely on the guidance for concrete assurances against liability, because the policy revision has no effect on civil CFAA liability or state laws that provide for criminal or civil liability for unauthorized access to computer systems. The revision may also introduce uncertainty for system owners, who may be left wondering how the new policy will be applied, and how federal law enforcement will react to conduct viewed by some as good-faith research and by others as in a gray area.

To read the full alert, click here