Tag Archives: Alex Iftimie

Justice Department Revises Cyber Crime Charging Policy to Shield Good-Faith Security Research

by Alex Iftimie, William Frentzen, Brian Kidd, and Reiley Porter

On May 19, 2022, the Department of Justice (DOJ) updated its policy guiding charges under the Computer Fraud and Abuse Act (CFAA), the main law used by prosecutors to charge cyber‑based crimes. The policy changes answer longstanding questions about the language of the CFAA and its potential for broad application. The new policy further refines DOJ’s goals for enforcing the CFAA and establishes as policy DOJ’s longstanding informal position that it will not charge “good-faith security research” as a violation of the CFAA. The new policy also directs that DOJ will not bring CFAA charges in a number of other situations that implicate the Supreme Court’s 2021 decision in Van Buren v. United States[1] and have long concerned courts and legal commentators, such as violations of access restrictions contained in a contractual agreement or terms of service or violations of an employer’s policy against checking sports scores or paying bills at work.


Executive Order on Cybersecurity Expands Mandatory Breach Notification and Supply Chain Security Requirements for Government Contractors

by Tina D. Reynolds, Alex Iftimie, and Sandeep N. Nandivada

On May 12, 2021, the Biden administration issued an ambitious Executive Order on Improving the Nation’s Cybersecurity (EO) declaring the prevention, detection, assessment, and remediation of cyber incidents to be a “top priority and essential to national and economic security.” Over 8,000 words long, the EO establishes a series of initiatives designed to better equip the U.S. federal government to respond to cybersecurity threats. The most notable provisions of the EO are as follows:

  • It sets in motion changes to federal contracts that will add breach notification and information sharing requirements for government service providers and remove existing contractual barriers to threat information sharing by the private sector;
  • It establishes baseline security standards for the development of software sold to the government by all commercial suppliers; and
  • It provides minimum cybersecurity requirements for federal agencies, like the use of multifactor authentication and encryption, and helps to move the federal government toward secure cloud services and zero-trust architecture.

The EO reflects the government’s heightened concerns about cyber threats, particularly following the SolarWinds, Microsoft Exchange, and Colonial Pipeline incidents. It also reflects the Administration’s efforts to leverage the buying power of the federal government to incentivize the software market to build security into the software development lifecycle, and to expand and enhance the information sharing between the private sector and the government.