U.S. Supreme Court Says Criminal Anti-Hacking Law Does Not Apply to Employee Misuse of Information Systems

Parker Poe Adams & Bernstein LLP

Parker Poe Adams & Bernstein LLP

The federal Computer Fraud and Abuse Act of 1986 (CFAA) put into place criminal and civil remedies to counter what was then the new phenomenon of computer hacking. While directed toward outside agents, over the years prosecutors have attempted to use CFAA’s criminal provisions to pursue employees accused of improper access and misuse of their employer’s information systems. Yesterday, the U.S. Supreme Court reversed a guilty verdict reached in a case involving sale of information from the employer’s database.

In Van Buren v. U.S., the Justice Department prosecuted a Georgia police officer accused of selling information obtained from the department’s license plate database. (You can find additional background on the case here.) The officer was charged and convicted of criminal violation of the CFAA’s prohibition against anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” The defendant appealed the verdict on the basis that the CFAA does not apply to employees with authorized access who violate their employers’ restrictions on such use.

In a 6-3 decision, the Supreme Court agreed, vacating the verdict. The court’s decision relied on a technical interpretation of the use of the word “so” in the CFAA. The majority concluded that the CFAA’s authorized use provision “applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have.” In other words, if the employee has access to the information system, his or her misuse of information does not constitute criminal violation of the CFAA.

This decision narrows potential remedies available to employers against employees who steal or destroy electronic data. If employees have access to the system, misuse of the data entrusted to them will not constitute a criminal violation of the CFAA. Employers have a range of additional criminal and civil remedies available to them, but this anti-hacking law will not apply. Employers may want to review their electronic information policies to limit employee access to the portions of their systems needed to do their jobs.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Parker Poe Adams & Bernstein LLP | Attorney Advertising

Written by:

Parker Poe Adams & Bernstein LLP

Parker Poe Adams & Bernstein LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.