Supreme Court Narrows Scope of the Computer Fraud and Abuse Act

Orrick - Trade Secrets Group
Contact

Orrick - Trade Secrets Group

The U.S. Supreme Court recently resolved a circuit split regarding the federal Computer Fraud and Abuse Act (CFAA), specifically weighing in on the “exceeds authorized access” provision of the statute.  The CFAA subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” In Van Buren v. United States, the Court rejected a broader reading of the criminal statute and held in a 6-3 opinion that a police officer, Nathan Van Buren, did not violate the CFAA when he accessed a law enforcement database with his valid credentials to retrieve information about a license plate number in exchange for money.

In a majority decision authored by Justice Barrett, the Supreme Court reversed the Eleventh Circuit’s affirmance of Van Buren’s conviction. Concerned that the reading of the CFAA urged by the government would impose criminal penalties to a “breathtaking amount of commonplace computer activity” and make criminals out of millions of otherwise law-abiding citizens, the Court held that under a proper reading of the CFAA, an individual “exceeds authorized access” if he accesses a computer that he is authorized to access but then accesses information on that computer that he is not authorized or entitled to access. Because the information Van Buren accessed was “otherwise available” to him within the scope of his work and based on his valid credentials, even though he accessed the information with “improper motives,” he could not be held criminally liable under the CFAA.

This holding resolves a long-standing and significant circuit split on the CFAA (that we’ve followed avidly and discussed here), with the Second, Fourth, and Ninth Circuits having read the statute narrowly, in contrast with the First, Fifth, and Eleventh Circuits, which previously held that the statute may also cover unauthorized use of information, even if the defendant was authorized to access it.  In light of the Supreme Court’s ruling and clarification in this area of the law, employers may wish to take this opportunity to review and refresh how they protect their confidential, proprietary digital information.  First, analyze and consider adding internal authentication points to restricted areas on your computer systems, files, and databases to segregate and limit access to sensitive and confidential data on a need-to-know basis.  (This is a best practice to protect your trade secrets as well, from both practical and legal standpoints.)  Second, even as the holding in Van Buren confirmed a narrower reading of the CFAA, contractual and other remedies remain unaffected. Consider reviewing and refreshing any confidentiality, data security, and computer terms of use agreements with your employees and vendors to ensure protections are in place.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick - Trade Secrets Group | Attorney Advertising

Written by:

Orrick - Trade Secrets Group
Contact
more
less

Orrick - Trade Secrets Group on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.