SCOTUS Resolves Circuit Split Regarding Scope of The Computer Fraud and Abuse Act

Smith Debnam Narron Drake Saintsing & Myers, LLP

The Computer Fraud and Abuse Act (CFAA) was enacted in 1986 in order to curb unauthorized access to information stored on computers.

What Is the Computer Fraud and Abuse Act?

The CFAA imposes criminal or civil liability on any person who “intentionally accesses a computer without authorization” or “exceeds unauthorized access” in obtaining information from a protected computer. The Act is intended to protect against theft of trade secrets, data breaches, hacking, and anticompetitive behavior.

In order to plead a claim under the CFAA, a claimant must allege that an individual:

  1. Intentionally accessed a computer
  2. Lacked authority or exceeded granted authority to access the computer
  3. Obtained data from the computer
  4. Caused a loss of $5,000.00 or more during a one-year period

The CFAA covers a broad range of relationships involving access to computer systems, including employment relationships, third-party business relationships, and individual access to web-based platforms.

How Did Courts Previously Interpret the CFAA?

The CFAA defines “exceeds authorized access” as follows: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The statute does not explain what it means to “obtain or alter information . . . that the accesser is not entitled so to obtain or alter.” After the enactment of the CFAA, a split emerged among federal circuit courts with regard to the interpretation of the above prohibition against exceeding authorized access to a computer.  Specifically, federal courts were split over whether the CFAA covers a person who diverts or misuses information to which the individual had access as part of his or her duties.

While some circuits interpreted the phrase broadly in holding that a person’s use of a computer for an improper purpose prohibited by policies exceeded authorized access and thus violated the CFAA, other circuits, including the Fourth Circuit, adopted a narrower approach, holding that no liability should be imposed on an individual who accesses information for an improper purpose if the person has access to the computer. Under the narrow interpretation, a person’s motives for accessing a computer are not relevant as the primary consideration is whether the person had the authority to access the information in the first place.

How Did SCOTUS Resolve the Circuit Split?

On June 3, 2021, the Supreme Court of the United States (SCOTUS) resolved this circuit split in the case of Van Buren v. United States. In a 6-3 decision penned by Justice Amy Coney Barrett, the Court held that a police officer did not violate the CFAA when he took a cash payment in exchange for searching the Georgia Crime Information Center database because the police officer had access to the database for work purposes and utilized his valid credentials to obtain license plate information for a personal purpose. In so holding, SCOTUS determined that the CFAA protects against those who access a computer with authorization but who then exceed authorized access by obtaining information located in particular areas of the computer – such as files, folders, or databases – that are off-limits to them but does not protect against those who “have improper motives for obtaining information that is otherwise available to them.” In reaching this conclusion, the Court noted that a broad interpretation of the CFAA “would attach criminal penalties to a breathtaking amount of commonplace computer activity,” including the sending of personal emails on a work computer in violation of an employer’s policies, the reading of news content in breach of a website’s terms and conditions, or an individual who embellishes an online dating profile.

Practical Impact of Van Buren on the Employment Relationship

SCOTUS’s ruling in Van Buren serves to limit the scope of the CFAA as it limits the ability to prosecute individuals who might overreach their access to company data or digital information. Previously, a broad interpretation of the CFAA meant that a website’s terms of service could likely define the scope of appropriate use and thereby criminalize activity that exceeded that scope. Van Buren likely protects individuals from criminal or civil liability for violating a website’s online terms of service. Similarly, prior to Van Buren, a broad interpretation of the CFAA meant that an employer could assert a claim against dishonest employees who accessed employer computer systems for improper purposes. The holding in Van Buren limits this right as an employee’s mere right to access an employer’s computer system may shield the employee from liability despite improper use of the computer system. The employer must now demonstrate that the employee obtained the information from a file, folder, or database to which the employee’s computer access did not extend.

Key Takeaways for Employers

It is anticipated that Van Buren will be cited as a landmark opinion in the years to come. The case has particular significance for employers in those circuits that had previously interpreted the CFAA broadly. Following Van Buren, it is no longer relevant for purposes of CFAA liability that an employee obtains computer information for an unauthorized purpose. The employer must demonstrate that in obtaining the computer information, the employee accessed a computer or a file, folder, or database that was off-limits to the employee. In light of the Court’s narrow interpretation of the CFAA, it is recommended that employers:

  • Establish internal firewalls on their computer systems and consider heightened screening measures in order to protect sensitive data and to prevent employees and third-party users from accessing data to which they are not otherwise entitled or otherwise need not access.
  • In addition to creating internal technological barriers to address threats posed by employee access, consider limiting the amount of information they make available to the public by password-protecting certain information available on their website.
  • Update workplace policies clarifying what is and what is not accessible by employees.
  • Keep in mind that in defending against theft of trade secrets, the Defend Trade Secrets Act of 2016 and comparable state laws remain effective tools if the employee had access to the database in which the data was stored.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Smith Debnam Narron Drake Saintsing & Myers, LLP | Attorney Advertising

Written by:

Smith Debnam Narron Drake Saintsing & Myers, LLP

Smith Debnam Narron Drake Saintsing & Myers, LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.