The Computer Fraud and Abuse Act (CFAA) was enacted in 1986 in order to curb unauthorized access to information stored on computers.
What Is the Computer Fraud and Abuse Act?
The CFAA imposes criminal or civil liability on any person who “intentionally accesses a computer without authorization” or “exceeds authorized access” in obtaining information from a protected computer. The Act is intended to protect against theft of trade secrets, data breaches, hacking, and anticompetitive behavior.
In order to plead a claim under the CFAA, a claimant must allege that an individual:
- Intentionally accessed a computer
- Lacked authority or exceeded granted authority to access the computer
- Obtained data from the computer
- Caused a loss of $5,000.00 or more during a one-year period
The CFAA covers a broad range of relationships involving access to computer systems, including employment relationships, third-party business relationships, and individual access to web-based platforms.
How Did Courts Previously Interpret the CFAA?
The CFAA defines “exceeds authorized access” as follows: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The statute does not explain what it means to “obtain or alter information . . . that the accesser is not entitled so to obtain or alter.” After the enactment of the CFAA, a split emerged among federal circuit courts with regard to the interpretation of the above prohibition against exceeding authorized access to a computer. Specifically, federal courts were split over whether the CFAA covers a person who diverts or misuses information to which the individual had access as part of his or her duties.
While some circuits interpreted the phrase broadly in holding that a person’s use of a computer for an improper purpose prohibited by policies exceeded authorized access and thus violated the CFAA, other circuits, including the Fourth Circuit, adopted a narrower approach, holding that no liability should be imposed on an individual who accesses information for an improper purpose if the person has access to the computer. Under the narrow interpretation, a person’s motives for accessing a computer are not relevant as the primary consideration is whether the person had the authority to access the information in the first place.
How Did SCOTUS Resolve the Circuit Split?
On June 3, 2021, the Supreme Court of the United States (SCOTUS) resolved this circuit split in the case of Van Buren v. United States. In a 6-3 decision penned by Justice Amy Coney Barrett, the Court held that a police officer did not violate the CFAA when he took a cash payment in exchange for searching the Georgia Crime Information Center database because the police officer had access to the database for work purposes and utilized his valid credentials to obtain license plate information for a personal purpose. In so holding, SCOTUS determined that the CFAA protects against those who access a computer with authorization but who then exceed authorized access by obtaining information located in particular areas of the computer – such as files, folders, or databases – that are off-limits to them but does not protect against those who “have improper motives for obtaining information that is otherwise available to them.” In reaching this conclusion, the Court noted that a broad interpretation of the CFAA “would attach criminal penalties to a breathtaking amount of commonplace computer activity,” including the sending of personal emails on a work computer in violation of an employer’s policies, the reading of news content in breach of a website’s terms and conditions, or an individual who embellishes an online dating profile.
Practical Impact of Van Buren on the Employment Relationship
SCOTUS’s ruling in Van Buren serves to limit the scope of the CFAA as it limits the ability to prosecute individuals who might overreach their access to company data or digital information. Previously, a broad interpretation of the CFAA meant that a website’s terms of service could likely define the scope of appropriate use and thereby criminalize activity that exceeded that scope. Van Buren likely protects individuals from criminal or civil liability for violating a website’s online terms of service. Similarly, prior to Van Buren, a broad interpretation of the CFAA meant that an employer could assert a claim against dishonest employees who accessed employer computer systems for improper purposes. The holding in Van Buren limits this right as an employee’s mere right to access an employer’s computer system may shield the employee from liability despite improper use of the computer system. The employer must now demonstrate that the employee obtained the information from a file, folder, or database to which the employee’s computer access did not extend.
Key Takeaways for Employers
It is anticipated that Van Buren will be cited as a landmark opinion in the years to come. The case has particular significance for employers in those circuits that had previously interpreted the CFAA broadly. Following Van Buren, it is no longer relevant for purposes of CFAA liability that an employee obtains computer information for an unauthorized purpose. The employer must demonstrate that in obtaining the computer information, the employee accessed a computer or a file, folder, or database that was off-limits to the employee. In light of the Court’s narrow interpretation of the CFAA, it is recommended that employers:
- Establish internal firewalls on their computer systems and consider heightened screening measures in order to protect sensitive data and to prevent employees and third-party users from accessing data to which they are not entitled or which they do not need to access.
- In addition to creating internal technological barriers to address threats posed by employee access, consider limiting the amount of information they make available to the public by password-protecting certain information available on their website.
- Update workplace policies clarifying what is and what is not accessible by employees.
- Keep in mind that in defending against theft of trade secrets, the Defend Trade Secrets Act of 2016 and comparable state laws remain effective tools if the employee had access to the database in which the data was stored.