In a notable decision on June 3, 2021, the Supreme Court resolved a circuit split about the reach of the Computer Fraud and Abuse Act of 1986 (“CFAA”), a statute that allows for potential civil and criminal penalties against those who have “exceed[ed] authorized access” in obtaining and/or using information from company computer systems. The law is sometimes used by employers to pursue claims against employees (or ex-employees) who have misappropriated trade secrets or otherwise misused sensitive information stored on company computers. Writing for an unusual six-justice majority, Justice Barrett — joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh — significantly limited the scope of the statute.
The CFAA prohibits accessing a computer either without authorization or in such a way that “exceeds authorized access.” Prior to last week’s decision in Van Buren v. United States, there was a division among the federal circuit courts of appeals about whether “exceeding authorized access” applied only to the act of accessing files to which an individual did not have proper access, or also to the misuse of files to which an individual had lawful access. For example, Van Buren (a former police officer) accessed his patrol car’s computer and looked up a license plate number, intending to sell the information. There was no dispute that he was authorized to access the license plate database. The question was whether, in using the information within that database for personal use and in violation of department policy, he “exceed[ed] authorized access” under the CFAA.
In an opinion that provided a detailed analysis of the CFAA text, the Supreme Court majority held that he did not. Instead, the Court determined that the CFAA only prohibits obtaining information from computer files that one does not have access to in the first place, and not misusing access that one otherwise properly has. While the majority’s opinion focused on a plain language reading of the statute (and the importance of the word “so” within a particular sentence), it also emphasized the practical implications of its holding, emphasizing that an expansive reading of the law could have resulted in the criminalization of a large amount of behavior, including reading the news on a work computer when an employer has a business-only policy with regard to how those computers may be used.
While the Van Buren ruling does not foreclose employers’ (or the government’s) ability to pursue CFAA claims in some instances, it has overruled the broad reading of the statute that had applied in some circuits (including the Fifth Circuit), and it should result in significantly diminished CFAA-related litigation.
Christina Peterman, 2021 Summer Associate, contributed to this series post.