Federal prosecutors rely on the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, to address the growing threat of cyber-based crimes. On September 11, 2014, the U.S. Attorney General issued an internal Intake and Charging Policy for Computer Crime Matters (the “Policy”) to help ensure that federal prosecutors apply the CFAA consistently and limit charging to cases where prosecution would serve a substantial federal interest.
On October 24, 2016, the U.S. Department of Justice (DOJ) released the once-private Policy, which offers a glimpse into how the DOJ assesses and prosecutes computer crimes. The Policy sets forth several factors that prosecutors should consider when determining whether to prosecute alleged computer crimes. The factors include:
- The sensitivity of the affected computer system or the information transmitted by or stored on it, and the likelihood and extent of harm associated with damage or unauthorized access to the computer system or related disclosure and use of information;
- The degree to which damage or access to the computer system or the information transmitted by or stored on it raises concerns pertaining to national security, critical infrastructure, public health and safety, market integrity, international relations, or other considerations having a broad or significant impact on national or economic interests;
- The extent to which the activity was in furtherance of a larger criminal endeavor or posed a risk of bodily harm or a threat to national security;
- The impact of the crime and prosecution on the victim or other third parties;
- Whether the criminal conduct is based upon exceeding authorized access;
- The deterrent value of an investigation or prosecution, including whether the need for deterrence is increased because the activity involves:
  - a new or expanding area of criminal activity,
  - a recidivist defendant,
  - use of a novel or sophisticated technique,
  - abuse of a position of trust,
  - an otherwise sensitive level of access, or
  - conduct that is particularly egregious or malicious;
- The nature of the impact that the criminal conduct has on a particular District or community; and
- Whether any other jurisdiction is likely to prosecute the criminal conduct effectively, if the matter is declined for federal prosecution.
The Policy supplements the Principles of Federal Prosecution of Business Organizations, which provide guidance to prosecutors on charging companies, and the September 2015 memorandum regarding Individual Accountability for Corporate Wrongdoing (i.e., the “Yates Memorandum”), which pertains to individual liability.
The Policy (similar to other guidance on anti-corruption and environmental crimes) provides in-house counsel and executives with a roadmap for analyzing potential exposure from unauthorized cyber activities by employees or data breaches. The Policy can also guide companies on how to work effectively with law enforcement and security consultants in response to cyber incidents while minimizing legal exposure under the CFAA.
When unauthorized computer access occurs and the personal information of employees, customers, or partners is exposed, a referral to law enforcement may be appropriate. When personal information has not been exposed, but unlawful access to a computer may have occurred, companies may still refer incidents to law enforcement to help prevent future breaches. The Policy may be helpful to counsel when determining whether federal law enforcement would take interest in an incident.
Finally, the CFAA is often cited in computer system logon banners, effectively giving notice to users, both authorized and unauthorized, that they are about to access a private system and that unauthorized access is an offense under 18 U.S.C. § 1030. This notice also may help law enforcement and prosecution efforts and deter prospective attackers.