11/01/2016

Demystifying Department of Justice Charging Decisions for Computer Crimes—the DOJ Releases its Internal Intake and Charging Policies

Federal prosecutors rely on the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, to address the growing threat of cyber-based crimes. On September 11, 2014, the U.S. Attorney General issued the internal Intake and Charging Policy for Computer Crime Matters (the “Policy”) to help ensure that federal prosecutors apply the CFAA consistently and limit charging to cases where prosecution would serve a substantial federal interest.

On October 24, 2016, the U.S. Department of Justice (DOJ) released the once-private Policy, which offers a glimpse into how the DOJ assesses and prosecutes computer crimes. The Policy sets forth several factors that prosecutors should consider when determining whether to prosecute alleged computer crimes. The factors include:

  • The sensitivity of the affected computer system or the information transmitted by or stored on it, and the likelihood and extent of harm associated with damage or unauthorized access to the computer system or related disclosure and use of information;
  • The degree to which damage or access to the computer system or the information transmitted by or stored on it raises concerns pertaining to national security, critical infrastructure, public health and safety, market integrity, international relations, or other considerations having a broad or significant impact on national or economic interests;
  • The extent to which the activity was in furtherance of a larger criminal endeavor or posed a risk of bodily harm or a threat to national security;
  • The impact of the crime and prosecution on the victim or other third parties;
  • Whether the criminal conduct is based upon exceeding authorized access;
  • The deterrent value of an investigation or prosecution, including whether the need for deterrence is increased because the activity involves:
    • a new or expanding area of criminal activity,
    • a recidivist defendant,
    • use of a novel or sophisticated technique,
    • abuse of a position of trust,
    • an otherwise sensitive level of access,
    • the conduct is particularly egregious or malicious;
  • The nature of the impact that the criminal conduct has on a particular District or community; and
  • Whether any other jurisdiction is likely to prosecute the criminal conduct effectively, if the matter is declined for federal prosecution.

The Policy supplements the Principles of Federal Prosecution of Business Organizations, which provide guidance to prosecutors on charging companies, and the September 2015 memorandum regarding Individual Accountability for Corporate Wrongdoing (i.e., the “Yates Memorandum”), which pertains to individual liability.

The Policy (similar to other guidance on anti-corruption and environmental crimes) provides in-house counsel and executives with a roadmap for analyzing potential exposure from unauthorized cyber activities by employees or data breaches. The Policy can also guide companies on how to work effectively with law enforcement and security consultants in response to cyber incidents while minimizing legal exposure under the CFAA.

When unauthorized computer access occurs and the personal information of employees, customers, or partners is exposed, a referral to law enforcement may be appropriate. When personal information has not been exposed, but unlawful access to a computer may have occurred, companies may still refer incidents to law enforcement to help prevent future breaches. The Policy may be helpful to counsel when determining whether federal law enforcement would take interest in an incident.

Finally, the CFAA is often cited in computer system logon banners, effectively giving notice to users, both authorized and unauthorized, that they are about to access a private system and that unauthorized access is an offense under 18 U.S.C. § 1030. This notice also may help law enforcement and prosecution efforts and deter prospective attackers.

The government investigations and cybersecurity team at Holland & Hart is well equipped to answer questions about the CFAA, to explain how companies can use the Policy to guide their compliance efforts and their response to potential violations, and to explain how companies can assert civil claims against persons who access or take computer data, or destroy computer data or systems, without authority.
