The U.S. Supreme Court's recent decision in Van Buren v. United States significantly impacts the scope of the Computer Fraud & Abuse Act (“CFAA”). The case carries implications for computer fraud prosecutions, employee abuse of computer databases, and a host of other areas, particularly given that the CFAA provides a civil cause of action that has become increasingly prevalent. The Van Buren decision narrowed the meaning of “exceed[ing] authorized access” to a computer.
In 2011, an FBI sting in Georgia resulted in police officer Nathan Van Buren being charged with violating the Computer Fraud and Abuse Act (CFAA). The sting operation was initiated after an individual complained that Van Buren had tried to shake them down by soliciting a loan.
During the sting, the complainant, at the FBI’s instruction, offered to pay Van Buren to run the license plate number of the complainant’s acquaintance through a Georgia police database in order to find out if the acquaintance was an undercover police officer.
Van Buren was convicted at trial of, among other things, violating the CFAA, which makes it a crime for anyone to intentionally gain unauthorized access to a computer or to exceed authorized access. Van Buren then appealed that conviction on the basis that his conduct did not violate the statute.
Van Buren’s Arguments on Appeal
On appeal, Van Buren argued that he had not violated the CFAA provision that applies when someone exceeds authorized access because he actually was authorized to access that police database, even if he accessed it for an unauthorized purpose. The United States Court of Appeals for the Eleventh Circuit disagreed, relying on its precedent to uphold Van Buren’s conviction. Van Buren then asked the Supreme Court to review the Eleventh Circuit’s decision.
In support of the Eleventh Circuit’s decision upholding Van Buren’s conviction, the government argued to the court that because Van Buren was only allowed to use the police database for valid law enforcement purposes, he had violated the CFAA by exceeding his authorized access to that database when he used it to identify an undercover police officer in exchange for money. But the Supreme Court rejected the government’s view, reversing the Eleventh Circuit’s decision and overturning Van Buren’s conviction. It held that the CFAA does not criminalize individuals who have improper motives for accessing information that is otherwise available to them.
What Conduct Now Qualifies as Exceeding Authorized Access Under the CFAA?
The Supreme Court held that an individual exceeds authorized access “when he accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders or databases – that are off limits to him.” In other words, if an individual is authorized to access a particular area of a computer, for any purpose, they cannot violate the CFAA by simply accessing that area, even if the purpose for which the individual accessed that area is improper. In this case, for example, the government needed to show that Van Buren had no authority whatsoever to access the police database for any purpose, but it was unable to do so.
Why is the Van Buren Decision Important?
The Van Buren decision is important for prosecutors, law enforcement and employers alike. This is because the CFAA, which provides for both civil and criminal liability, has previously been viewed as a simpler enforcement mechanism than other options available to prosecutors and employers.
Though misusing information to which an individual has access could violate other statutes, violations of the CFAA had generally been easier to establish. For example, while an employer could pursue a theft of trade secrets case against an employee who misused access to a company database to steal proprietary information, doing so would require the employer to establish that the information qualified as a trade secret, which could be more difficult than simply pointing to the individual’s motives.
With the Van Buren decision, it is no longer enough to simply show that an employee violated an employer’s policies by accessing information within the database without an appropriate reason for doing so. It is also noteworthy that in support of the narrower reading of the CFAA, the Supreme Court specifically cited the fact that the government’s reading of the statute would effectively criminalize all sorts of everyday workplace activity.
What Can Employers Do Now to Police Unauthorized Computer Access and Misuse of Information?
To begin with, employers may still be able to file civil actions under the CFAA in certain situations. For instance, a run-of-the-mill hack by an outsider who has no authorization to access a company’s computer system still constitutes a violation of the CFAA. Likewise, an employee who is authorized to access certain areas of a company’s computer system, but is barred from accessing information in other areas for any purpose, may violate the CFAA if he or she accesses information in those restricted areas.
What Should Employers Do In Light of the Van Buren Decision?
In light of the Van Buren decision, employers should consider reviewing their computer system and policies, with a focus on identifying what information employees should be allowed to access and, where appropriate, implementing technical controls that are designed to limit access when not necessary for an employee’s job. Furthermore, because an employer can no longer prove that an employee exceeded authorized access simply by reference to the employee’s motives, employers should now implement mechanisms to demonstrate that an employee had no authority to access certain sensitive information.