In its recent decision in Van Buren v. United States, the U.S. Supreme Court narrowed the scope of the Computer Fraud and Abuse Act (CFAA) and its potential use by employers to ensure computer security and protection for their trade secrets and confidential information.
The Computer Fraud and Abuse Act
The CFAA was first enacted by Congress in 1984 in response to growing concerns across the country about computer security and the dangers posed by computer hacking or computer theft. The initial version of the statute was solely a federal computer crime statute. It was later expanded to include civil protections as well, and currently allows private lawsuits for those “suffering damage or loss” to sue money and equitable relief.
Employer Use of CFAA’s Civil Protections
In its current form, the CFAA is worded extremely broadly. It now encompasses information from any computer “used in or affecting interstate or foreign commerce or communication.” As the Supreme Court noted, this language now applies to at least “all information from all computers that connect to the Internet.”
Employers have often used the CFAA’s civil protections to sue former employees who have,for example, taken trade secrets or confidential information such as customer lists, prospect information, financial information, or business plans to benefit a future employer or to exploit the information for a profit.
Factual Background of Case
The case in question was a criminal case in which the defendant, a police sergeant in Georgia, was accused of violating the CFAA. The sergeant’s eventual actions that were the subject of his indictment started when he came into contact with an individual who had been identified by the police department as volatile and dangerous. Even so, the sergeant developed a relationship with this individual, and then made the mistake of asking him for a personal loan. This led to a sting effort to persuade the sergeant (in exchange for a money payment) to search a Georgia law enforcement database for a license plate belonging to a woman to determine if she was an undercover officer.
The sergeant used his patrol car computer to access the database with his valid credentials. He then searched the database for the license plate in question, and notified the individual (who set him up) that he had located the requested information. The FBI then arrested the sergeant and charged him with a violation of the “exceeding authorized access” clause of the CFAA.
At the trial, it was shown that the sergeant knew that he was not supposed to use the law enforcement database for an “improper purpose,” which included “any personal use.” He was convicted of violating the CFAA because he had accessed the database for an “inappropriate reason.”
Supreme Court Focus on CFAA Terms
In the decision, the first by the Supreme Court to analyze the CFAA, the Court focused its attention on the statutory phrase “exceeds authorized access,” which is defined as “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled to obtain.”
As a result of this focus, the Court majority determined that when the sergeant had accessed the law enforcement database, he did so with authorization, using his valid credentials. Focusing upon several dictionary sources, the Court analyzed this language and decided that the CFAA did not criminalize the sergeant’s conduct.
Supreme Court Ruling
The Court concluded that the statute barred only improper access to certain information, rather than valid access to information for an improper purpose. It explained this distinction by giving the following example:
If a person has access to information stored in a computer— e.g., in “Folder Y,” from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.
The result of the Supreme Court’s decision is that under the CFAA’s current wording, a person does not violate the statute by accessing a computer which he or she is entitled to access, regardless of the purpose for doing so.
Recommendation for Employers
Presuming Congress does not amend the CFAA to eliminate this loophole, employers will now be well-advised to develop additional in-house computer protections in their personnel handbooks, and particularly utilize specific access policies and confidentiality agreements to restrict information that employees are “authorized” to access.