The U.S. Supreme Court recently issued a ruling interpreting the scope of the Computer Fraud and Abuse Act (CFAA), a 1986 federal statute that imposes civil and criminal liability for unauthorized computer access. In short, the Court decided that as long as an individual is authorized to access a computer and data, he doesn’t violate the CFAA’s “exceeds authorized access” clause. In other words, his intended use for the computer and/or the data isn’t relevant to whether he violated the statute. As a result, employers may need to reconsider their employee handbooks, policies, and procedures.
Police officer Nathan Van Buren was accused of computer fraud under the CFAA for accessing the department’s computer database from his patrol car to obtain license plate information in exchange for financial gain.
As an officer, Van Buren was authorized to access the database for law enforcement purposes but not for other reasons. Therefore, he was charged under CFAA Section 1030(a)(2)(C) (and for honest services wire fraud) and convicted by a jury.
The U.S. 11th Circuit Court of Appeals, having previously adopted a “broad interpretation” of the CFAA, affirmed Van Buren’s conviction. He then appealed to the Supreme Court.
Supreme Court’s Analysis
The CFAA defines “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the [accessor] is not entitled so to obtain or alter.”
Van Buren argued the CFAA applies only if the accessor wasn’t entitled to obtain the information under any circumstances. Under this narrow interpretation, he claimed, his access to the database, even if for an improper purpose, wasn’t unauthorized because he had valid credentials to search the license plate information for law enforcement reasons.
The government disagreed, arguing the CFAA criminalizes obtaining information for a particular purpose if the individual wasn’t entitled to get it for that reason. During oral argument in November, the Supreme Court justices seemed to express doubts about the government’s broad interpretation.
Justice Sonia Sotomayor expressed concern that the government’s broad interpretation created ambiguity. Justice Neil Gorsuch said it expanded policing powers, and the other justices acknowledged there are state laws addressing the same conduct and added that exonerating the conduct could remove protections for personal privacy.
As the Supreme Court indicated it might do at oral argument in November, it rejected the government’s broad interpretation of the CFAA. Justice Amy Coney Barrett wrote for the majority and took issue with the Act’s ambiguity and how easily it could be misapplied, finding Van Buren didn’t “exceed authorized access” even though he obtained information from the database for an improper purpose.
Referring to the potential for “a sleight of hand” by the government and “millions of otherwise law-abiding citizens” being criminals, Justice Barrett wrote, “On the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA” and that “everything from embellishing an online-dating profile to using a pseudonym on Facebook” could be a felony.
Justice Barrett’s grasp of the CFAA and its application to everyday settings (“take the work place”) is in contrast to the Act’s history. While intended primarily to thwart hackers by criminalizing their conduct, the statute has rarely been amended since its enactment in 1986. As a result, some states have passed their own unauthorized access statutes. Utah and Florida, for example, have enacted the Computer Abuse and Data Recovery Act to safeguard organizations from unauthorized use and access to computers, platforms, and data.
Now that the Supreme Court has rejected the broad interpretation of “exceeds authorized access,” the CFAA can no longer be used against employees who access company information for improper purposes. But as plainly stated in the last paragraph of Justice Barrett’s holding, the Act is violated when an employee “accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him” (emphasis added). Van Buren v. United States.
In the past, many employers have relied on the CFAA to pursue current and former employees who misuse computer resources and data, e.g., by copying client databases for use at future employers. To protect the data, however, they must now review their options (including the state-based laws). Here are other ways you can deter misuse of the information:
- Restrict access to certain information by adding specific contract provisions, by segmenting or separating the data into different databases, or both.
- Secure restricted data and implement software that warns employees before they enter the restricted areas.
- Revise employee handbooks, policies, and procedures to align with the Van Buren ruling and any state-based cybersecurity and data privacy laws.
- Revise contracts to include limitations on data access.
- Provide training to management and employees that emphasizes the above limitations and restrictions as well as the evolving laws and industry standards.
While the CFAA is still effective for prosecuting hackers, time will tell if the federal government will amend the statute to address the type of situation that “exceeds authorized access.” Given the central importance of data, laws relating to its confidentiality, availability, and integrity will continue to evolve rapidly.