The U.S. Department of Justice will decline to prosecute cyber intrusions based solely on exceeding contractual authorization or which occur pursuant to "good-faith security research."
On May 19, 2022, the Department of Justice ("DOJ") announced significant revisions to its policy on charging violations of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030 ("the Policy"). The DOJ clarified two longstanding ambiguities under the CFAA: The Policy makes clear that the DOJ will not prosecute good-faith cyber intrusions for security research purposes, nor will the DOJ prosecute most cases involving system access exceeding contractual authorization.
As to the former, the Policy provides that the reviewing DOJ attorney "should decline prosecution" for good-faith security research that would otherwise violate the CFAA. While the Policy provides a definition of "good-faith security research," the line between legitimate and unlawful activity remains unclear. Companies should take note of this significant change, as CFAA enforcement has been the DOJ's primary tool for deterring the growing number of firms that purport to offer good-faith security research, only to later exploit companies' cyber vulnerabilities for financial gain or publicity. In light of the DOJ announcement, companies should revisit their bug bounty program and participation terms to better address good-faith security research and contractual access restrictions. Security research firms should also revisit their procedures to better address CFAA risks when requesting payment in exchange for disclosing discovered security vulnerabilities or active exploits in the absence of a bounty program.
The Policy also clarifies that the DOJ "will not bring 'exceeds authorized access' cases based on the theory that a defendant's system authorization was limited by contract or company policy," except for "contracts, agreements, or policies that entirely prohibit defendants from accessing particular files, databases, folders, or user accounts on a computer in all circumstances." This language is informed by the U.S. Supreme Court's decision last year in Van Buren v. United States, which held that an individual "exceeds authorized access" if there is access to data that is off limits in a computer system that the person otherwise is authorized to use.
While companies that wish to deter employees, vendors, or security research firms from unauthorized access to certain systems may continue to restrict access through contract, they should recognize, in light of the revised DOJ policy, that there is limited prospect of criminal enforcement for access exceeding the contractually permitted scope. Moreover, the carve-out for good-faith security research, when combined with the carve-out for access exceeding contractual authorization, could create situations in which security firms can claim exemption from prosecution even when violating an explicit contract with the company.