Working from home since the onset of the pandemic, you check your social media on a work laptop, in violation of your company’s Acceptable Use Policy. Have you just committed a federal crime?
Under some circuits’ reading of the Computer Fraud and Abuse Act (CFAA), the answer could theoretically be yes.
On November 30, the Supreme Court heard arguments in Van Buren v. United States, 140 S. Ct. 2667, 206 L. Ed. 2d 822 (2020), in an effort to resolve a circuit split on what it means to “exceed authorized access” under the CFAA—a ruling that could have serious ramifications for employers and employees, as well as for cybersecurity researchers looking to warn of potential bad actors and fraud schemes.
The decision could also eliminate potential causes of action in trade secrets and employment litigation.
The CFAA is primarily an anti-hacking statute, but since Congress first passed it in 1986, technological developments have rendered some of its key provisions ambiguous, leading to a situation in which an act is a federal crime in half the country but not in the other half.
Last amended in 2008, the CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization, but fails to sufficiently define “without authorization” and “exceed authorized access.” 18 U.S.C. § 1030(a)(2). This language has created a circuit split. The First, Fifth, Seventh, and Eleventh Circuits hold that using a computer to access information that you are legitimately authorized to access, but doing so for an improper or unauthorized purpose, is a violation of the CFAA. The Second, Fourth, and Ninth Circuits, however, hold that a violation of the CFAA only occurs if you access information on a computer that you are prohibited from accessing. The Supreme Court granted certiorari to hear Van Buren to finally define the CFAA’s ambiguous language and settle the dispute. 140 S. Ct. 2667.
The case arose from the conviction of a police sergeant from Cumming, Georgia, who abused his authorized access to the Georgia Crime Information Center database by taking money to find out information for a local man. United States v. Van Buren, 940 F.3d 1192, 1197 (11th Cir. 2019). At trial, Van Buren moved for acquittal, arguing he had not exceeded authorized access as meant by § 1030(a)(2) of the CFAA. Id. at 1198. The district court rejected the motion, and the Eleventh Circuit affirmed the conviction. Id. at 1210.
Now, the Supreme Court must decide the issue of whether a person who is authorized to access information on a computer for certain, specific purposes violates § 1030(a)(2) of the CFAA if that person accesses the same information for an improper or unauthorized purpose.
It is possible that the Supreme Court can find a narrow way to rule, in part to incentivize Congress to resolve the issue. For example, the Court could take the approach the Ninth Circuit took—essentially that given the ambiguity, the benefit of the doubt should go to defendants. Such a ruling could cause the US Department of Justice (DOJ) to submit a legislative proposal clarifying its preferred, broader reading (and other stakeholders to lobby for more restrictive language). Cybersecurity practitioners also prefer the Second, Fourth, and Ninth Circuits’ narrow interpretation of § 1030(a)(2), arguing that this interpretation allows them to better conduct work identifying and resolving security problems without facing potential CFAA prosecution. Security researchers routinely skirt websites’ strict terms of service when they investigate for bugs that cybercriminals could exploit, and they frequently fear that a security test they run might run afoul of the law.
No matter which way the Supreme Court rules, it remains important for companies to continue to stay abreast of whipsawing developments on data protection. Technology has left many laws and regulations outdated, ambiguous, or otherwise lacking. With as many changes as 2020 has seen in this area, expect more in 2021, including the decision in Van Buren.