Criminal and Civil Impact on the Computer Fraud and Abuse Act post-Van Buren
In June 2021, the United States Supreme Court released Van Buren v. United States, 593 U.S. __ (2021), a case out of the Eleventh Circuit. The majority opinion authored by Justice Barrett in a 6-3 decision clarifies the scope of the Computer Fraud and Abuse Act of 1986 (CFAA), a statute that imposes criminal and civil penalties for computer hacking. The Court embraced a narrow interpretation of the term “unauthorized access” as it pertains to computer information. In practice, Van Buren should significantly limit criminal and civil liability under the CFAA.
Notably, the Supreme Court’s decision resolves a circuit split and generally adheres to the precedent followed by the Fourth Circuit Court of Appeals. See WEC Carolina Energy Solutions LLC v. Miller, 687 F. 3d 199 (4th Cir. 2021).
Van Buren, a former Georgia police officer, was caught in an undercover FBI operation when an acquaintance offered him $5,000 to search a law enforcement database for license plate information belonging to a particular individual. The acquaintance, working under the direction of the FBI, told Van Buren that he wanted to ensure that the individual was not an undercover officer. Van Buren used his patrol car to access the police database using his valid login credentials, obtained the requested information, and reported back to his would-be accomplice that he had information to share.
Van Buren was charged with felony violation of the CFAA. At trial, evidence showed that pursuant to police department policy, Van Buren had been trained not to use the computer database for any “improper purpose” which included “personal use.” On this basis, Van Buren was convicted and sentenced to 18 months in prison.
On appeal to the Eleventh Circuit, Van Buren argued that although his conduct violated department policy, he used valid login credentials and accessed only information he was entitled to access and, therefore, did not violate the CFAA. The Eleventh Circuit rejected Van Buren’s interpretation of the CFAA and upheld his conviction. On review, the Supreme Court reversed and found that even though Van Buren misused his login under employment policies, because he used his own login credentials and accessed only information he was authorized to view, his conduct was not in violation of the CFAA.
What Constitutes Violation of the Computer Fraud and Abuse Act?
Van Buren significantly scales back potential criminalization under the CFAA. The Supreme Court held that under 18 U.S.C. § 1030, CFAA violations can occur in two ways. The first occurs when an individual “accesses a computer without authorization,” § 1030(a)(2). This type of violation is intended to protect systems from outside hackers who access a computer without any permission at all. The second type of violation occurs when an individual “exceeds authorized access” by accessing a computer with authorization but then obtaining information he is not entitled to obtain. §§ 1030(a)(2), (e)(6). This second type of violation targets inside hackers who access a computer with permission but then exceed the parameters of their authorized access by entering an area of the computer to which their authorization does not extend. Van Buren, 593 U.S. __, *13 (2021), citing United States v. Valle, 807 F. 3d 508, 524 (2nd Cir. 2015). Van Buren relies on what the Supreme Court referred to as a “gates-up-or-down inquiry” in identifying violations: one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.
While Van Buren clearly misused the database in the context of workplace policies, he used his valid login credentials to access information he was otherwise entitled to view, so there was no violation of the CFAA. The Court rejected CFAA criminalization of mere computer-use policy violations. The Court noted the problem of criminalizing commonplace workplace computer activity, like sending personal emails, reading the news, or using social media, that may violate employer policies restricting computer use to business purposes only. While this type of computer use may still be a violation of workplace rules, otherwise law-abiding employees will be relieved to know that such conduct is not actionable under the CFAA.
As a result, Van Buren takes the ball out of the hands of U.S. Attorney’s Offices and eliminates the discretion that could be unevenly or unfairly weaponized by prosecutors around the country. The clarity provided by Van Buren should eliminate arbitrary prosecutions under the CFAA and confidently give defense counsel bright lines when advising clients regarding criminal exposure.
Impact on Civil Liability
Although some of the impact on the civil side is yet to be seen, it is apparent that the CFAA will no longer provide a cause of action against individuals (most commonly contractors, employees or former employees) who use their valid login credentials to access information they are entitled to obtain but use such access for an improper purpose. As such, alternate methods for enforcing computer use policies will need to be utilized, and entities will want to readdress their contracts and business agreements that may have previously relied on the CFAA for protection.
Finally, Van Buren provides guidance regarding civil damages. The Court clarified that in instances of civil liability under the CFAA, recovery is limited to costs of technological damages associated with harm to the integrity or availability of data, programs, systems, or information. Unless specific costs can be associated with technological loss, the CFAA is not the mechanism for recovering damages merely for access, misuse, or improper dissemination of digital information.