DOJ Cybersecurity Policy Overview:
- Who: The DOJ notified government attorneys that they should not prosecute security researchers who act in “good faith” to detect and/or correct organizations’ security flaws.
- Why: The government says it wants to provide clarity for security researchers who detect cybersecurity vulnerabilities for the common good.
- Where: The policy directive applies nationwide.
On May 19, the U.S. Department of Justice (DOJ) sent a policy directive to government attorneys announcing that it would not prosecute security researchers who access organizations’ networks in “good faith” to investigate and/or correct security flaws as long as they do not cause harm to individuals or the public.
Cybersecurity researchers have reported incidents in which organizations who learn about security flaws on their networks threaten to report the researchers instead of fixing the flaws. This policy shift will reassure those researchers who investigate networks for vulnerabilities and protect those who report cybersecurity flaws in good faith from being charged with breaching the Computer Fraud and Abuse Act (CFAA), the DOJ says.
“The department has never been interested in prosecuting good-faith computer security research as a crime,” Deputy Attorney General Lisa Monaco says in a press release. “Today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
The DOJ’s policy does not apply to situations in which a purported researcher discovers a vulnerability to extort a payment from an organization. This extortion is separate from “bug bounties” the U.S. Department of Defense has adopted, which allow security researchers to report security vulnerabilities in exchange for payment.
Bug bounty programs can pose significant issues for organizations, and cybersecurity lawyers have advised companies to establish clear rules to protect their information from individuals who may seek to exploit the program.
U.S. Government Urges Orgs to View It As Cybersecurity Partner
Government officials previously encouraged private companies to view the federal government as a partner against cyber attacks, promising not to use reports of cyber breaches against the companies.
“At the end of the day, we are not here to name, to shame, to blame, to kill anybody’s reputation, to stab the wounded, right? We are actually here to help,” says Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA).
CISA and FBI representatives say that their agencies will not share information about cybersecurity breaches with the Federal Trade Commission or the U.S. Securities and Exchange Commission. Instead, they say the data will be used to help the breach victims and protect other potential victims from cybersecurity threats.
Despite these protections, companies are still expected to implement cybersecurity measures to protect their sensitive data.
Do you think cybersecurity researchers who access organizations’ networks in good faith should be protected from prosecution? Join the discussion in the comments section below!
2 thoughts on “DOJ Won’t Prosecute ‘Good Faith’ Cybersecurity Researchers Who Report System Flaws”
Please add me
No, they should not be protected!!!