The Computer Fraud and Abuse Act (CFAA) is an anti-hacking statute making it illegal “to access a computer without authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter.” Violations of the statute may trigger criminal prosecution or civil litigation by private parties. On June 3, 2021, in Van Buren v. United States, a 6-3 majority of the U.S. Supreme Court adopted a restrictive view of the CFAA, making it more difficult for employers to invoke the statute in cases arising from the theft of trade secrets.
Employers typically allege CFAA violations after, for example, an employee downloads or emails confidential information to benefit a competitor. In these types of cases, the employer may file a CFAA claim because the CFAA provides a basis for subject-matter jurisdiction in federal court, triggers the possibility of enhanced sanctions, and arguably provides a means of protecting confidential information that does not rise to the level of a “trade secret.”
An oft-litigated question is whether an employee provided with unlimited access to the employer’s computer system, but who uses that access to use information for purposes beyond the employee’s authority (“ultra vires” purposes), has accessed the employer’s computer “without authorization” or in a manner that “exceed[ed] authorized access” in violation of the CFAA.
Federal appellate courts split into two camps when answering this question. One school of thought, typified by International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006), provided an affirmative answer under a cessation-of-agency theory. Courts falling under this school reason that employees access a computer without authorization or “exceed authorized access” whenever they use the employer’s computer to misappropriate the employer’s confidential information or to facilitate another breach of the duty of loyalty. Under this view, breach of the duty of loyalty immediately terminates the agency relationship and with it any authority to access the employer’s computers. The opposing school of thought, exemplified by WEC Carolina Energy Solutions L.L.C. v. Miller, 687 F.3d 199 (4th Cir. 2012), reasoned that the plain meaning of the terms “without authorization” or “exceeds authorized access” does not encompass a scenario where the employer allows the employee access to data, and the employee then uses that information improperly.
In Van Buren, the Supreme Court took a narrow view, holding that the CFAA “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who . . . have improper motives for obtaining information that is otherwise available to them.” Van Buren definitively prevents an employer from asserting a CFAA claim against an employee provided with unlimited access to the employer’s computer system, but who uses that access to use information for ultra vires purposes.
As an academic matter, Van Buren is interesting because two originalists, Justices Amy Coney Barrett and Clarence Thomas, wrote the majority and dissenting opinions, respectively. Van Buren thus illustrates how even jurists focusing on the original public meaning of a statute may arrive at diametrically different conclusions.
As a practical matter, Van Buren narrows employers’ ability to use the CFAA as a basis for federal subject-matter jurisdiction and narrows remedies available to employers in the “disloyal employee” scenario. There are, however, two ways employers can limit Van Buren’s impact.
First, employers may craft computer-use policies and procedures expressly forbidding and preventing employees from accessing particular files, folders, and databases. An employee who circumvents such a prohibition likely will have violated the CFAA even under Van Buren’s narrow reading of the statute, and an employer may proceed civilly against that employee under the CFAA. Second, in a “disloyal employee” scenario involving the theft of trade secrets, an employer should consider filing a claim for violation of the Defense of Trade Secrets Act, which will provide a basis for federal subject-matter jurisdiction and lessen the need to rely solely on the CFAA for that purpose.
Employers are also encouraged to work with their employment law counsel to ensure they have proper security protocols and restrictive covenant agreements in place to protect their proprietary information.