Supreme Court Rules CFAA Does Not Criminalize Every Violation of a Computer-Use Policy

Rothwell, Figg, Ernst & Manbeck, P.C.

In Van Buren v. United States, the Supreme Court resolved a circuit split as to whether a provision of the Computer Fraud and Abuse Act (CFAA) applies only to those who obtain information to which their computer access does not extend, or more broadly to also encompass those who misuse access that they otherwise have. By way of background, the CFAA subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains computer information. 18 U.S.C. 1030(a)(2). The term “exceeds authorized access” is defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. 1030(a)(2).

The case involved a police sergeant who used his patrol-car computer to access a law enforcement database with his valid credentials in order to obtain license plate number records in exchange for money. The sergeant’s use of the database violated the department’s policy against using the database for non-law enforcement purposes, including personal use. At trial, the Government told the jury that the sergeant’s access of the database for non-law enforcement purposes violated the CFAA concept against using a computer network in a way contrary to what your job or policy prohibits. The jury convicted the sergeant, and the District Court sentenced him to 18 months in prison. The Eleventh Circuit affirmed, consistent with its precedent adopting the broader view of the CFAA.

The parties agreed that the sergeant accessed a computer with authorization when he used his valid credentials to log in to the law enforcement database, and that he obtained information when he acquired the license-plate records, but the dispute was whether the sergeant was “entitled so to obtain” the record. After analyzing the language of the statute and the policy behind the CFAA, the Court held that an individual “exceeds authorized access” under the CFAA when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him. Because the sergeant could use his credentials to obtain the license plate information, he did not exceed authorized access to the database under the terms of the CFAA.

In reaching its holding, the Court noted that if “the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.” Accordingly, with the narrowing of the CFAA, the decision is a good reminder to ensure that policies and agreements, including terms of use, that govern access to sensitive electronic resources are both enforceable and crafted with sufficient terms to cover insider threats and prohibit individuals with access to the electronic resource from using the resource in a damaging manner.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rothwell, Figg, Ernst & Manbeck, P.C. | Attorney Advertising
