In Van Buren v. United States, the Supreme Court resolved a circuit split as to whether a provision of the Computer Fraud and Abuse Act (CFAA) applies only to those who obtain information to which their computer access does not extend, or more broadly to also encompass those who misuse access that they otherwise have. By way of background, the CFAA subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains computer information. 18 U.S.C. 1030(a)(2). The term “exceeds authorized accessed” is defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  18 U.S.C. 1030(a)(2).

The case involved a police sergeant that used his patrol-car computer to access a law enforcement database with his valid credentials in order to obtain license plate number records in exchange for money. The sergeant’s use of the database violated the department’s policy against using the database for non-law enforcement purposes, including personal use. At trial, the Government told the jury that the sergeant’s access of the database for non-law enforcement purposes violated the CFAA concept against using a computer network in a way contrary to what your job or policy prohibits. The jury convicted the sergeant, and the District Court sentenced him to 18 months in prison. The Eleventh Circuit affirmed, consistent with its precedent adopting the broader view of the CFAA.

The parties agreed that the sergeant accessed a computer with authorization when he used his valid credentials to log in to the law enforcement database, and that he obtained information when he acquired the license-plate records, but the dispute was whether the sergeant was “entitled so to obtain” the record. After analyzing the language of the statute and the policy behind the CFAA, the Court held that an individual “exceeds authorized access” under the CFAA when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him. Because the sergeant could use his credentials to obtain the license plate information, he did not exceed authorized access to the database under the terms of the CFAA.

In reaching its holding, the Court noted if “the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.” Accordingly, with the narrowing of the CFAA, the decision is a good reminder to ensure that policies and agreements, including terms of use, that govern access to sensitive electronic resources are both enforceable and crafted with sufficient terms to cover insider threats and prohibit individuals with access to the electronic resource from using the resource in a damaging manner.