CFAA Update: The Supreme Court Provides Guidance in Computer Fraud and Abuse Act (CFAA) Cases

Houston Harbaugh, P.C.
Contact

The Supreme Court, in a 6-3 decision which was issued on June 3, 2021, reversed an Eleventh Circuit decision and adopted a narrow interpretation of “exceeds unauthorized access” under the Computer Fraud and Abuse Act of 1986 (CFAA)Section 1030(a)(2). Specifically, the Court ruled that an individual “exceeds authorized access” when he or she accesses a computer with authorization but then obtains information located in particular areas of the computer – such as certain files, folders, or databases – that are off limits to them. (Van Buren v. United States, No. 19-783, 593 U.S. ___ (June 3, 2021)). The CFAA remains a seemingly underused and underappreciated tool in the arsenal of IP and technology lawyers in the fight against trade secret and confidential business information theft and destruction. With the Supreme Court weighing in, perhaps the CFAA will grow in prominence and use.

Van Buren involved a Georgia Police Sergeant, Nathan Van Buren (“Van Buren”), who used his patrol car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money, rather than for a law enforcement purpose. He was charged criminally under the CFAA and convicted. Van Buren appealed to the Eleventh Circuit, which affirmed, and the Supreme Court then Reversed and Remanded the Decision, ruling that the CFAA does not criminalize the use of areas of a database which the bad actor has authorization to access.

In a civil context, this provision of the CFAA is regularly pled in cases involving former employees that accessed proprietary data from their work computers immediately before leaving their company to join a competitor. This decision suggests that the Court is approaching CFAA violation cases with an overarching question of “did one have authorized access, or not?” Meaning, the intent of the bad actor has little weight in determining liability or culpability under the CFAA; rather, the determination focuses on whether or not the areas of computer which were accessed were restricted to the individual, regardless of intent.

The Court also weighed in on what the limitations of “exceeding authorized access” are. In Van Buren, the Government contended that “exceeds authorized access” meant “exceed[ed] his authorized access to the law enforcement database when he obtained license-plate information for personal purposes.” Van Buren, 141 S.Ct. 1648 at 1649. The Court was unmoved, ruling that this interpretation was inconsistent with the language of the statute and would leave to an exorbitant amount of criminal charges and employees who use their work email for personal matters being subject to liability. Id. Moreover, the Court reasoned that the Government’s approach would “inject arbitrariness into the assessment of criminal [and civil] liability. . .” because whether the conduct violated the CFAA would be subject to how an employer phrased the policy which was violated (i.e. as a “use” restriction or an “access” restriction).

Thus, the Supreme Court has ruled that one “exceeds authorized access” only when one obtains information located in particular areas of the computer that the individual does not have authorized access to.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Houston Harbaugh, P.C. | Attorney Advertising

Written by:

Houston Harbaugh, P.C.
Contact
more
less

Houston Harbaugh, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.