Supreme Court To Consider Reach Of Computer Fraud And Abuse Act

Vinson & Elkins LLP

Vinson & Elkins LLP

When a person who is authorized to access information on a computer for certain purposes accesses the information for another, improper purpose, does that amount to a federal crime? The U.S. Supreme Court is set to decide that question after recently granting a petition for certiorari to resolve a circuit split regarding the scope of the Computer Fraud and Abuse Act (“CFAA”).1

In the case before the Court, Van Buren v. United States, a former Georgia police officer was convicted under the CFAA for searching the Georgia Crime Information Center database for the license plate number of an exotic dancer.2 A man had asked the officer, Nathan Van Buren, to run the license plate in exchange for $1000.3 Unbeknownst to Van Buren, the man who requested the search was working with the FBI as part of a sting operation.4

Van Buren had access to the Georgia Crime Information Center database as a law enforcement officer and was authorized to access this database “for law-enforcement purposes.”5 Van Buren conducted the license plate search and texted the man the information he had found.6 The FBI arrested Van Buren after he admitted that he had run the license plate search for his own financial gain.7 In affirming Van Buren’s conviction, the Eleventh Circuit reiterated its view that a person violates Section 1030(a)(2) of the CFAA if he uses a computer to access information that he is otherwise authorized to access but does so for an improper purpose.8

In 1984, Congress passed a law criminalizing computer hacking,9 which became known as the CFAA in 1986.10 The CFAA makes it a crime to exceed authorized access and thereby obtain information from a “protected computer,”11 which is defined as any computer with Internet access.12 To exceed authorized access is “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”13 The statute includes a civil cause of action14 and imposes criminal penalties,15 including a felony if “committed for purposes of commercial advantage or private financial gain.”16

Since its passage, the CFAA has become a popular tool for prosecutors and civil litigants. As a result, commentators have noted that the CFAA has been applied to many scenarios that do not look like traditional hacking.17 Looking past his nefarious intent, Van Buren certainly did not “hack” into the Georgia Crime Information Center.

The courts of appeals are divided four-to-three over whether a person with permission to access information on a computer violates the CFAA when he accesses that information for an improper purpose. The First, Fifth, Seventh, and Eleventh Circuits have taken the expansive view that it is a violation of the CFAA for a person with permission to access information on a computer to access that information for an improper purpose.18 By contrast, the Second, Fourth, and Ninth Circuits have construed the CFAA more narrowly, holding that the CFAA’s “exceeds authorized access” prong does not impose criminal liability on a person with permission to access information on a computer who accesses that information for an improper purpose.19 A person violates the CFAA in those circuits only if he accesses information on a computer that he is prohibited from accessing at all, for any reason.

Regardless of which interpretation the Court adopts, a decision in the present case will clarify the scope of the CFAA and ensure nationwide uniformity as to its application. The decision will be part of the Court’s next term.

1 The case is Van Buren v. United States, No. 19-783 (Apr. 20, 2020), in the U.S. Supreme Court.

2 See United States v. Van Buren, 940 F.3d 1192, 1197-98 (11th Cir. 2019).

3 Id.

4 Id. at 1197.

5 Id. at 1208.

6 Id. at 1198.

7 Id.

8 Id. at 1208.

9 See H.R. Rep. No. 98-894 (1984), at 10.

10 Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474, 100 Stat. 1213.

11 18 U.S.C. § 1030(a)(2).

12 See United States v. Nosal, 676 F.3d 854, 859 (9th Cir. 2012) (en banc).

13 18 U.S.C. § 1030(e)(6).

14 Id. § 1030(g).

15 See id. § 1030(c)(2)(A).

16 Id. § 1030(c)(2)(B)(i).

17 Jonathan Mayer, Cybercrime Litigation, 164 U. Penn. L. Rev. 1453, 1456 (2016) (“Read broadly, contemporary cybercrime law does not just address sophisticated hacking. It also imposes worldwide civil and criminal liability that displaces trade secret, property, contract, fraud, and copyright law in the information economy.”).

18 See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010), cert. denied, 568 U.S. 1163 (2013); Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).

19 See United States v. Valle, 807 F.3d 508, 524, 527 (2d Cir. 2015); WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 202, 207 (4th Cir. 2012); Nosal, 676 F.3d at 862-63.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Vinson & Elkins LLP | Attorney Advertising

Written by:

Vinson & Elkins LLP

Vinson & Elkins LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.