Anne Bucher  |  May 23, 2022

Category: Data Breach



DOJ Cybersecurity Policy Overview:

  • Who: The DOJ notified government attorneys that they should not prosecute security researchers who act in “good faith” to detect and/or correct organizations’ security flaws.
  • Why: The government says it wants to provide clarity for security researchers who detect cybersecurity vulnerabilities for the common good.
  • Where: The policy directive applies nationwide.

On May 19, the U.S. Department of Justice (DOJ) sent a policy directive to government attorneys announcing that it would not prosecute security researchers who access organizations’ networks in “good faith” to investigate and/or correct security flaws as long as they do not cause harm to individuals or the public.

Cybersecurity researchers have reported incidents in which organizations that learn about security flaws on their networks threaten to report the researchers instead of fixing the flaws. The DOJ says this policy shift will reassure researchers who investigate networks for vulnerabilities and protect those who report cybersecurity flaws in good faith from being charged with violating the Computer Fraud and Abuse Act (CFAA).

“The department has never been interested in prosecuting good-faith computer security research as a crime,” Deputy Attorney General Lisa Monaco says in a press release. “Today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The DOJ’s policy does not apply to situations in which a purported researcher discovers a vulnerability in order to extort a payment from an organization. Such extortion is distinct from the “bug bounty” programs the U.S. Department of Defense has adopted, which allow security researchers to report security vulnerabilities in exchange for payment.

Bug bounty programs can pose significant issues for organizations, and cybersecurity lawyers have advised companies to establish clear rules to protect their information from individuals who may seek to exploit the program.

U.S. Government Urges Orgs to View It As Cybersecurity Partner

Government officials previously encouraged private companies to view the federal government as a partner against cyber attacks, promising not to use reports of cyber breaches against the companies.

“At the end of the day, we are not here to name, to shame, to blame, to kill anybody’s reputation, to stab the wounded, right? We are actually here to help,” says Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA).

CISA and FBI representatives say that their agencies will not share information about cybersecurity breaches with the Federal Trade Commission or the U.S. Securities and Exchange Commission. Instead, they say the data will be used to help the breach victims and protect other potential victims from cybersecurity threats.

Despite these protections, companies are still expected to implement cybersecurity measures to protect their sensitive data.

Do you think cybersecurity researchers who access organizations’ networks in good faith should be protected from prosecution? Join the discussion in the comments section below!



2 thoughts on DOJ Won’t Prosecute ‘Good Faith’ Cybersecurity Researchers Who Report System Flaws

  1. LANITASHA HINTON says:

    Please add me

  2. Aileen K. Douglas says:

    No they should Not be protected!!!
