The Supreme Court, in a 6-3 decision which was issued on June 3, 2021, reversed an Eleventh Circuit decision and adopted a narrow interpretation of “exceeds unauthorized access” under the Computer Fraud and Abuse Act of 1986 (CFAA)Section 1030(a)(2). Specifically, the Court ruled that an individual “exceeds authorized access” when he or she accesses a computer with authorization but then obtains information located in particular areas of the computer – such as certain files, folders, or databases – that are off limits to them. (Van Buren v. United States, No. 19-783, 593 U.S. ___ (June 3, 2021)). The CFAA remains a seemingly underused and underappreciated tool in the arsenal of IP and technology lawyers in the fight against trade secret and confidential business information theft and destruction. With the Supreme Court weighing in, perhaps the CFAA will grow in prominence and use.
Van Buren involved a Georgia Police Sergeant, Nathan Van Buren (“Van Buren”), who used his patrol car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money, rather than for a law enforcement purpose. He was charged criminally under the CFAA and convicted. Van Buren appealed to the Eleventh Circuit, which affirmed, and the Supreme Court then Reversed and Remanded the Decision, ruling that the CFAA does not criminalize the use of areas of a database which the bad actor has authorization to access.
In a civil context, this provision of the CFAA is regularly pled in cases involving former employees that accessed proprietary data from their work computers immediately before leaving their company to join a competitor. This decision suggests that the Court is approaching CFAA violation cases with an overarching question of “did one have authorized access, or not?” Meaning, the intent of the bad actor has little weight in determining liability or culpability under the CFAA; rather, the determination focuses on whether or not the areas of computer which were accessed were restricted to the individual, regardless of intent.
The Court also weighed in on what the limitations of “exceeding authorized access” are. In Van Buren, the Government contended that “exceeds authorized access” meant “exceed[ed] his authorized access to the law enforcement database when he obtained license-plate information for personal purposes.” Van Buren, 141 S.Ct. 1648 at 1649. The Court was unmoved, ruling that this interpretation was inconsistent with the language of the statute and would leave to an exorbitant amount of criminal charges and employees who use their work email for personal matters being subject to liability. Id. Moreover, the Court reasoned that the Government’s approach would “inject arbitrariness into the assessment of criminal [and civil] liability. . .” because whether the conduct violated the CFAA would be subject to how an employer phrased the policy which was violated (i.e. as a “use” restriction or an “access” restriction).
Thus, the Supreme Court has ruled that one “exceeds authorized access” only when one obtains information located in particular areas of the computer that the individual does not have authorized access to.