Supreme Court Limits Scope Of The Computer Fraud And Abuse Act
The Consumer Fraud and Abuse Act, 18 U.S.C. §1030 (CFAA) is a federal statute that imposes criminal penalties and provides for a civil cause of action against individuals who obtain information from a computer by intentionally accessing the computer without authorization or by exceeding authorized access. The statute has been used to criminally prosecute and bring civil actions for damages and losses against employees who have misappropriated their employers’ trade secrets or other confidential information. Those damages and losses may include attorneys’ fees expended by the employer to investigate violations of the statute.
In its recent opinion in Van Buren v. United States, the United States Supreme Court resolved a disagreement among the lower federal courts over the scope of the CFAA’s “exceeds authorized access” clause. Does an employee with authorized access to his employer’s computers “exceed authorized access” only when accessing specific computer files the employee has not been authorized to access, or does the employee also “exceed authorized access” when accessing files for which the employee has authorization, but uses the information for an unauthorized purpose? In Van Buren, the Supreme Court ruled in favor of the more limited scope of the “exceeds authorized access” clause.
When employed as a police officer in Georgia, Nathan Van Buren was the target of an FBI sting operation. He agreed to accept $5,000 from one Albo in exchange for providing Albo with license plate information about a woman in whom Albo was ostensibly interested. In fact, Albo was working for the FBI. Van Buren accessed the license plate information through the computer in his patrol car. He knew that by providing the information to Albo he was violating his employer’s policies concerning the proper use of such information. The FBI promptly arrested Van Buren and charged him with violating the CFAA. A jury convicted Van Buren and the Eleventh Circuit Court of Appeals affirmed his conviction. That court ruled that Van Buren had violated the CFAA’s “exceeds authorized access” clause because he had accessed the police department’s database for “an inappropriate reason.”
The Supreme Court’s Opinion
In an opinion authored by Justice Barrett, and by a vote of 6 to 3, the Supreme Court reversed Van Buren’s conviction, holding that the CFAA “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend [but] [i]t does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”
In so holding, the Court, in large part, relied on the definition of “exceeds authorized access” expressly set forth in the statute: “The term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” (Emphasis added.) The Court reasoned that, under this definition, information one is not entitled “‘so”’ to obtain refers “to information one is not allowed to obtain by using a computer that he is authorized to access.” (Emphasis in original.) In other words, the CFAA is concerned only with whether the individual was authorized to access the information at issue. And, given it was undisputed Van Buren was authorized to obtain the license plate information in question, by obtaining that information he did not “exceed authorized access” as the CFAA defines that phrase, even though he obtained the information for an improper purpose.
The Court expressed several additional reasons to reject the argument that an employers’ policies on use of computerized information can provide the basis for a CFAA violation. The Court noted that the Government did not contend that purpose based limits on access are relevant to someone who uses a computer without any authorization and that the Government could not explain why the statute would impose purpose based restrictions on someone who used a computer with authorized access. The Court also noted that the CFAA’s damages provisions for civil liability cases were concerned only with allowing recovery for “any impairment to the integrity or availability of data, a program, a system,” or “for harm to computer data, programs, systems, or information services,” “injuries that are “technological” in nature and typically the result of “hacking.” The Court reasoned that these damages provisions were “ill fitted . . . to remediating ‘misuse’ of sensitive information” by someone with authorized access. “Van Buren’s situation is illustrative,” the Court noted. “His run of the license plate did not impair the ‘integrity or availability of data, nor did it otherwise harm the database system itself’.”.
The Court was also concerned that an expansive interpretation of “exceeds authorized access” would open the door to a wide range of problematic potential statutory violations. The Court opined: “If [the CFAA] criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide ‘information’ from ‘protected computers’ . . . authorize a user’s access only upon his agreement to follow specified terms of service. If the [CFAA] encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.”
Finally, the Court indicated it was deciding only that the CFAA is not available to enforce employer policies protecting the use of computerized information. It was not addressing the issue of whether the statute can be used to enforce employer policies or agreements restricting access to computerized information when the employer has provided technological access to that information. Nevertheless, given the Court’s view of the CFAA as essentially an anti-hacking statute, it is certainly not unlikely that the Court would not impose liability under the statute in such circumstances.
As a result of then Van Buren decision, the CFAA is no longer available to employers to pursue employees who have used authorized access to an employer’s computerized information for purposes prohibited by the employer by policy or agreement. Employers, of course, remain free to pursue such employees under federal and state trade secret protection laws and through enforcement of confidentiality agreements. Employers should review their confidentiality agreements to ensure they provide sufficient protection of confidential information and should make sure authorized access to computerized information is limited to employees who truly require such access.
If you have questions about any of the above, feel free to contact an attorney in the Gibbons Employment & Labor Law Department.