On June 3, 2021, the U.S. Supreme Court issued its opinion in Van Buren v. U.S. addressing a long-standing circuit split on employee computer access limits under the Computer Fraud and Abuse Act (CFAA). For many years the federal courts struggled with and disagreed over how to interpret the CFAA provisions that impose criminal and civil liability on a person who "intentionally accesses a computer without authorization or exceeds authorized access." 18 U.S.C. §1030(a)(2). The phrase "exceeds authorized access" is defined by the CFAA as follows: "To access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. §1030(e)(6). Unlike the typical employment scenario, the Van Buren case involved a police officer who used his access to a law enforcement database to search a license plate in exchange for $5,000.00 that was offered to him as part of a planned FBI investigation. The police officer was charged with a felony violation of the CFAA based on the allegation that his license plate search violated the "exceeds authorized access" provision of the CFAA. 18 U.S.C. §1030(a)(2). Specifically, the government's case against the police officer was that he used his authorized access to the license plate database for "an improper purpose" that included "any personal use." Van Buren, p. 4, citing App. 17. After the police officer was convicted by a jury, he was sentenced to 18 months in prison. On appeal the Eleventh Circuit affirmed by holding that the police officer had violated the CFAA by his action in accessing the law enforcement database for an "inappropriate reason." Van Buren v. U.S., 940 F.3d 1192, 1208 (11th Cir. 2019).
The U.S. Supreme Court accepted certiorari because of a split in federal circuits on interpreting the CFAA access language. One group of federal appellate courts view the CFAA as not covering an employee's authorized access of a computer for an improper purpose. Id. at 4 n.2 (citing Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F.3d 756 (6th Cir. 2020); U.S. v. Valle, 807 F.3d 508 (2nd Cir. 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012)). Other federal appellate courts read the CFAA as prohibiting a person's authorized access to a computer when done for any improper purpose. Id. (citing U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); U.S. v. John, 597 F.3d 263 (5th Cir. 2010); International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001)).
The Supreme Court held that the CFAA did not regulate a person's authorized access to a computer for an improper purpose. Authored by Justice Barrett, the majority opinion sends a warning signal to all government or private employers that they should not rely solely on contractual agreements, HR policies, or industry standards as providing grounds for either seeking a criminal prosecution or filing a private lawsuit for damage or loss under the CFAA. The Court started its analysis with a high-level statutory interpretation of the term "so" in the CFAA provisions related to a person who exceeds their authorized access. The Court reasoned that "so" incorporates the phrase "manner or circumstance" used in the same statutory provision that does not include a broad set of non-technological limitations imposed on an employee's access to portions of an employer's computer networks.
The majority opinion next focuses on the specialized and technological nature of the CFAA. The Court detailed that it reads the CFAA as covering what people can do on a computer, and that this reading fairly means that an employee must lack access privileges to the software, network, or intranet documents or data at issue in order to activate coverage of the CFAA. Id. at 11-12. Examining the interaction between the statutory terms "without authorization" and "exceeds authorized access," the Court underscores that the two provisions read together support using a consistent interpretation of the first term and the second term. The first term—"without authorization"—covers an external hack of an employer's computer systems, and the second term—"exceeds authorized access"—covers an internal hack.
The Court's analysis highlighted the structure of the CFAA and specifically noted that in civil CFAA actions a plaintiff must show "damage," which the CFAA defines as "any impairment to the integrity or availability of data, a program, a system, or information." 18 U.S.C. §1030(e)(8). In parallel fashion, the CFAA explains that "loss" encompasses the costs arising from harmed computer data, programs, or information systems. 18 U.S.C. §1030(e)(11). As part of its analysis, the Court cited a recent federal appellate court opinion that concluded that such terms mean CFAA coverage is "aimed at preventing the typical consequences of hacking." Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F.3d 756, 760 (6th Cir. 2020). In other words, misuse of an employer's computer networks is not the issue addressed by the CFAA.
For example, the police officer had authorized access to the police department database that he was prosecuted for misusing when running a license plate search in exchange for $5,000 offered to him as part of an FBI investigation. But the alleged misuse of the database did not harm or weaken the "integrity or availability" of that data so as to inflict what the CFAA defines as "damage" in 18 U.S.C. §1030(e)(8). Furthermore, the actions by the police officer did not result in any harm to the law enforcement database. The Court also stressed that the statutory history behind the CFAA did not reveal any mention, reference, or use of the concept of improper use of authorized access to an employer's computer networks as grounds for a person to incur criminal or civil liability under the CFAA. Van Buren at 16-17. Finally, the Court also explained that the positions adopted by the dissent would result in both overly broad and arbitrary applications of the CFAA. Under the dissent's reading, violations of non-uniform government and private employer computer use policies would produce inconsistent and varying results under the CFAA that would not hinge on the terms of the statute but instead rely on the policies and private practices of each employer.
The Van Buren opinion does not prevent an employer from discharging an employee who violates an employer's policies, rules, and practices that regulate employee usage of an employer's computer systems, digital files, intranets, software, or networks. But an employer who wants to qualify for the additional protections and remedies provided by the CFAA should seriously consider using technological limits on employee access to certain portions of its computer systems, digital files, intranets, software, and networks. Employer policies alone may no longer trigger CFAA coverage. The Supreme Court has now ruled that both "unauthorized access" and "exceeds authorized access" under the CFAA require showing that a current or former employee entered a portion of the employer's computer system that was actually off-limits. While the Court said it need not address whether its analysis requires deciding whether an employer has to use a code-based or technological means to limit employee access, it is unrealistic for an employer who seeks CFAA coverage not to implement some coding or technology to limit employee access. Otherwise, an employer risks hearing the same arguments that won the day in Van Buren.
In conclusion, the U.S. Supreme Court read the CFAA in favor of an individual user who had authorized access to an employer database but misused it for an improper purpose. Employers who want CFAA coverage and federal law protections and remedies should consider having their senior managers, IT and HR directors, and in-house and external counsel meet and work together to implement a system of contractual, policy, and technological boundaries and terms that limit or deactivate access by current and former employees to an employer's digital assets, networks, and computer and software systems. Doing so increases the possibility of qualifying for CFAA coverage and promotes overall IT security and risk management objectives.