US Supreme Court Narrows Application of Computer Fraud and Abuse Act

Bilzin Sumberg
Contact

Bilzin Sumberg

On Thursday, June 3, 2021, the United States Supreme Court, in a 6-3 opinion, narrowed the scope of the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §§ 1030. In Van Buren v. United States, the Supreme Court reversed the United States Court of Appeals for the Eleventh Circuit’s ruling affirming the conviction of a former Georgia police officer for violating the CFAA.

Nathan Van Buren asked the Supreme Court to interpret two provisions of the CFAA. The first, 18 U.S.C. § 1030(a)(2)(C) prohibits users of computers owned by others from “exceed[ing] authorized access” to those computers. The second, § 1030(e)(6), defines “exceeds authorized access” to mean accessing a computer “without authorization,” and “using such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Mr. Van Buren had been authorized to search computer license plate records for law enforcement purposes. During an FBI sting operation, he unwittingly ran a license plate search for an FBI informant in exchange for money. The Department of Justice charged Mr. Van Buren, among other counts, with computer fraud under the CFAA. The Eleventh Circuit upheld his conviction, citing its earlier precedent holding that a person “exceed[s] unauthorized access” to data when accesses it for a prohibited use, even if he is authorized to access it for other purposes.

Mr. Van Buren argued to the Supreme Court that the CFAA only applies if a defendant obtains information that he was not under any circumstances entitled to obtain. In other words, the CFAA does not prohibit misuse of authorized access. Any other reading, Mr. Van Buren argued, could criminalize everyday activities that might violate purpose-based restrictions. For example, taking Mr. Van Buren’s analysis to its logical conclusion, an employee who obtains data for personal use from a work computer in violation of company policy might face liability under the CFAA.

By contrast, the United States government argued that the plain meaning of “obtain[ing] information in the computer that the accesser is not entitled so to obtain” includes obtaining information for an unauthorized purpose. The government argued that to be “entitled so to obtain” information, the person must have been “granted a right to do it in a particular matter or circumstance.”

The Supreme Court, in a 6-3 opinion authored by newest Justice Amy Coney Barrett, sided with Mr. Van Buren, holding that the CFAA only prohibits only access to areas in a computer, such as file folders or databases, that users are not authorized to access. “It does not cover those who … have improper motives for obtaining information that is otherwise unavailable to them.” Rather than focus on the policy arguments, majority, which included the three recently appointed Justices, and the three most liberal justices, focused on the text of the CFAA. In her opinion, Justice Barrett noted that an overly broad interpretation of the CFAA would penalize every-day computer activity such as employees sending personal emails or checking sports scores on work devices. In other words, if the law “criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals,” Justice Barrett wrote.

The opinion is consistent with briefs of amici curiae from a cross-section of cybersecurity experts, free press advocates, and libertarians that argued that upholding Mr. Van Buren’s conviction would create precedent that criminalizes innocuous or even innocent computer activity. The opinion ensures that, at least as it relates to the CFAA, mundane behavior won’t rise to the level of a federal offense.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bilzin Sumberg | Attorney Advertising

Written by:

Bilzin Sumberg
Contact
more
less

Bilzin Sumberg on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.