Following an FBI sting, police sergeant Nathan Van Buren was convicted under the federal Computer Fraud and Abuse Act (“CFAA”) for selling license plate information obtained from a police database. The Eleventh Circuit upheld his conviction. In April, the Supreme Court granted certiorari in Van Buren v. United States, No. 19-783, to address a circuit split more than a decade in the making. At issue in Van Buren is the scope of the CFAA, specifically, whether a person who is authorized to access information on a computer violates the CFAA if he accesses that information for an improper purpose or misappropriates the information. The Court’s holding will have broad implications on both criminal and civil computer fraud liability.
Computers are ever-present today. And it’s hard to imagine conducting our business or personal affairs without them. That was not so true when Congress enacted the CFAA in 1986. Designed as an anti-hacking measure, the statute was intended “to provide additional penalties for fraud and related activities in connection with . . . computers.” Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474, 100 Stat. 1213. As relevant in Van Buren, the CFAA makes it a criminal offense to “intentionally access a computer without authorization or exceed authorized access, and thereby obtain. . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). A private right of action also exists for parties that are damaged by a violation of this section. Id. § 1030(g). The statute defines “exceeds authorized access” as “access[ing] a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6). This is not particularly clear. Perhaps more troubling, section 1030(a)(2)(C) lacks any intent requirement, like “the intent to defraud” found in other parts of the CFAA.
On appeal, Van Buren argued that his conduct did not violate the CFAA because he was authorized to access the license plate information in the police database by virtue of his position as a police officer. Even if his purpose for accessing the information was inappropriate, he did not exceed his authorized access within the meaning of the statute. The Eleventh Circuit rejected this argument. Relying on the court’s prior decision in United States v. Rodriguez, it held that misusing a database that the defendant may lawfully access can still constitute computer fraud. Van Buren, 940 F.3d 1192, 1208 (11th Cir. 2019) (citing Rodriguez, 628 F.3d 1258 (11th Cir. 2010)).
In upholding Van Buren’s conviction, the Eleventh Circuit acknowledged the federal circuit split over the proper scope of the CFAA. The First, Fifth, Seventh and Eleventh Circuits have each adopted a broad interpretation of the statute. An individual authorized to access a computer for certain purposes violates the CFAA by using information gained for an improper purpose. In other words, the purpose of the access and the use of the information control. In United States v. John, for instance, the Fifth Circuit found that a bank employee entitled to access customer account information violated the CFAA when she provided that account information to third parties to incur fraudulent charges. The court reasoned that the bank employee exceeded her authorized access because her use of the account information was not a permitted use and was contrary to the bank’s policies. 597 F.3d 263, 270-273 (5th Cir. 2010).
In contrast, the Second, Fourth and Ninth Circuits do not consider mere misuse of information that an individual is authorized to access a violation of the statute. In adopting this narrower interpretation, the Ninth Circuit relied on the history of the CFAA as an “anti-hacking statute” while also noting the vast expansion of federal criminal law that would accompany a broader interpretation and the parade of horribles that could follow. Specifically, the court noted that “the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes.” United States v. Nosal, 676 F.3d 854, 860 (9th Cir. 2012).
The Supreme Court has not previously addressed the CFAA. However, over the past decade, the Court has narrowed federal fraud jurisdiction on multiple occasions overturning high profile convictions in the process. In Skilling v. United States, the Court cabined the federal honest services fraud statute to schemes involving bribery or kickbacks. 130 S. Ct. 2896 (2010). As justification for this limiting construction, the Court cited vagueness concerns and the rule that “ambiguity concerning the ambit of criminal statutes should be resolved in favor of lenity.” Id. at 2932 (quoting Cleveland v. United States, 121 S. Ct. 365, 373 (2000)). Notably, the rule of lenity was relied upon by all three circuits that have adopted a narrow construction of the CFAA.
Later, in McDonnell v. United States, the Court limited what qualifies as an “official act” under the federal bribery statute. 136 S. Ct. 2355 (2016). And most recently, the Court overturned the Bridgegate convictions holding that “a property fraud conviction cannot stand when the loss to the victim is only an incidental byproduct of the scheme.” Kelly v. United States, 140 S. Ct. 1565, 1573 (2020). It remains to be seen whether the apparent ambiguity in the CFAA will receive a similar fate.