DOJ Enacts New Prosecutorial Policy to Reflect Limits of the CFAA
June 6, 2022
The Department of Justice (DOJ) has recently updated its prosecutorial policy under the Computer Fraud and Abuse Act (CFAA). Enacted in 1984 and repeatedly amended since, the CFAA has produced a circuit split concerning the law’s reach, leading to recent attempts by the judiciary to restrict the open-ended language of the statute.
Definitions
The CFAA provides that a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains… information from any protected computer” has violated the law. 18 U.S.C. § 1030(a)(2)(C).
Exceeding authorized access is defined by the statute as accessing “a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).
Recent Jurisprudence
The DOJ’s new policy reflects both changing jurisprudence and changing technological and business practices.
Heeding the decisions by the Ninth Circuit in hiQ Labs, Inc. v. LinkedIn Corp., 17-16783 (9th Cir. 2019), and the Supreme Court ruling in Van Buren v. United States 19-783, 593 U.S. (June 3, 2021), the new DOJ policy will limit the scope of its investigations into CFAA violations relating to “web scraping” and departing employees accessing sensitive information.
- In the hiQ case, the Ninth Circuit ruled that hiQ did not violate the CFAA by “scraping” large quantities of publicly available LinkedIn member profile data to create a competing product. LinkedIn argued that hiQ’s continued scraping practice constituted a violation of the CFAA. The Ninth Circuit ruled in hiQ’s favor, and did so again in April 2022.
- In the Van Buren case, the Supreme Court sided against the government’s argument that a person authorized to access a protected computer system “exceeds” authorization by doing so with improper motives.
Policy shift
The DOJ has enumerated new conditions under which it will prosecute cases under the CFAA, defining what kinds of actions fall under the statute’s language.
- The DOJ now says it will charge defendants for accessing “without authorization” in cases where the defendant was “not authorized to access the protected computer under any circumstances” and did so knowingly.
It defines “exceeding authorized access” as cases where:
- a defendant knowingly accesses information from which they are “unconditionally prohibited” in a protected computer that has clear “computational” divisions of its contents.
In either case, DOJ says it will also weigh whether prosecution “would serve the Department’s goals for CFAA enforcement,” which it defines through several criteria, including:
- the scale of the crime and harm committed, whether the crime impacts broad national or economic interests
- the deterrent value of an investigation, if any other jurisdiction is likely to hold a defendant accountable if DOJ declines to prosecute
- whether “the defendant’s conduct consisted of… good-faith security research.”
To read more about the DOJ’s new CFAA enforcement policy, click here for Jeffrey Neuberger’s detailed post in Proskauer’s New Media and Technology Law Blog.
To read the Department of Justice’s press release as well as its stated policy, click here and here.
To read how Castaybert PLLC can assist in employment disputes raising unauthorized access issues under the CFAA and in protecting trade secrets and company confidential information, click here.