by Alex Iftimie, William Frentzen, Brian Kidd, and Reiley Porter
On May 19, 2022, the Department of Justice (DOJ) updated its policy guiding charges under the Computer Fraud and Abuse Act (CFAA), the main law used by prosecutors to charge cyber‑based crimes. The policy changes answer longstanding questions about the language of the CFAA and its potential for broad application. The new policy further refines DOJ’s goals for enforcing the CFAA and establishes as policy DOJ’s longstanding informal position that it will not charge “good-faith security research” as a violation of the CFAA. The new policy also directs that DOJ will not bring CFAA charges in a number of other situations that implicate the Supreme Court’s 2021 decision in Van Buren v. United States[1] and have long concerned courts and legal commentators, such as violations of access restrictions contained in a contractual agreement or terms of service or violations of an employer’s policy against checking sports scores or paying bills at work.