On April 20, 2020, the U.S. Supreme Court agreed to take up a case involving the scope of liability under the federal Computer Fraud and Abuse Act (CFAA), a federal statute that creates criminal penalties and a civil cause of action against individuals that “access a computer without authorization or exceed authorized access, . . . and thereby obtain information from any protected computer.” CFAA, 18 U.S.C. § 1030(a)(2)(C). The CFAA was enacted in 1984 when Congress sought to deter “so-called hackers” and protect public and private computer systems. Courts around the country have disagreed on whether the statute applies to an individual authorized to access information on a computer system for certain purposes, who then accesses the information for an improper purpose.
The case, Van Buren v. United States, involves the prosecution under the CFAA of Van Buren, a police sergeant from Cummings, Georgia. The sergeant was friends with a local man, Aldo, who would hire local prostitutes and then report them to the police for having stolen his money. Fearing retaliation, Aldo would report suspicious license plates to the Cummings Sherriff’s Office. Van Buren had money difficulties and had asked Aldo for a loan; when this request became known to the local police, it was reported to the FBI, which set up a sting whereby Aldo requested that Van Buren run searches of suspicious license plate numbers in exchange for $5,000. Van Buren was ultimately convicted under the CFAA for running the searches even though he was authorized to access the databases since he did so for an improper purpose.
The Supreme Court agreed to hear the case to resolve a division among the courts across the country about whether situations like Van Buren’s violate the CFAA. Although this case involves a criminal prosecution, the decision will implicate the ability of companies to bring civil cases in federal court against employees and former employees that improperly access company data for improper purposes. The CFAA has been an important tool for companies to enforce the confidentiality of data in their computer systems and has become increasingly important as more and more confidential data is electronic.
The Supreme Court is expected to rule on this case next term, which begins in the Fall of 2020.