In Van Buren v. United States, No. 19-783 (June 3, 2021), the Supreme Court of the United States recently waded into the meaning of the Computer Fraud and Abuse Act’s (CFAA) “exceeds authorized access” prohibition.
The six-justice majority held that a former Georgia police sergeant, Nathan Van Buren, did not violate the CFAA when he violated departmental policy restricting use of a police database for law enforcement purposes by running a license plate search in exchange for money. Van Buren was convicted under the CFAA, which imposes criminal and civil penalties for computer hacking and employee misuse of company computers. Although Van Buren concerned a criminal conviction, the Court’s analysis will also apply to civil claims brought under the CFAA.
The CFAA prohibits an individual from accessing a computer without authorization or exceeding authorized access, and “allows persons suffering ‘damage’ or ‘loss’ from CFAA violations” to recover civil money damages and equitable relief. According to the CFAA, 18 U.S.C. § 1030(e)(6), “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The federal government charged Van Buren with a felony violation of the CFAA, a jury convicted him of the charge, and a district court sentenced Van Buren to 18 months in prison for his use of the law enforcement database for personal purposes, in violation of departmental policy. Van Buren appealed his conviction to the U.S. Court of Appeals for the Eleventh Circuit and ultimately the Supreme Court, arguing that the CFAA’s phrase, “exceeds authorized access,” was meant to apply only to those employees “who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have.” The Supreme Court noted that although several circuits had agreed with Van Buren’s interpretation of the CFAA, four, including the Eleventh Circuit Court of Appeals, which upheld his conviction, “ha[d] taken a broader view.”
Justice Amy Coney Barrett, who delivered the opinion of the Court, was joined in the majority by justices Stephen G. Breyer, Sonia Sotomayor, Elena Kagan, Neil M. Gorsuch, and Brett M. Kavanaugh, who largely rejected the government’s interpretation of the statute and focused on the meaning of the statute’s language “is not entitled so to obtain.”
The Court’s Analysis
The ruling focused on the text of the CFAA itself to determine the meaning of “exceeds authorized access” and obtaining information a person “is not entitled so to obtain.” The Court found that the latter phrase “is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.” The Court agreed with Van Buren’s “gates-up-or-down inquiry” for analyzing both ways to violate the statute—via “without authorization” or “exceeds authorized access” in 18 U.S.C. § 1030(a)(2)—and concluded as follows: “one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.”
The Court found that the statute’s bar on exceeding authorized access “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend.” The Court acknowledged that Van Buren’s use of the law enforcement database was “for an improper purpose” and violated department policy. But that conduct did not constitute a violation of the CFAA’s prohibition on using authorized access “to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter,” the Court stated.
The Court rejected the government’s broad view of the statute that whether a person is entitled to obtain information is based on the manner or circumstances in which he or she obtained it. The Court noted that that approach applied an “inconsistent” analysis to the two prohibitions within, while Van Buren’s “gates-up-or-down inquiry” treated them consistently. The Court rejected the premise that obtaining information for personal purposes when contrary to a contract or policy constituted a violation of the statute. In particular, the Court noted that such a view “would attach criminal penalties to a breathtaking amount of commonplace computer activity” and that a violation of an employer’s computer-use policy would make “millions of otherwise law-abiding citizens … criminals.” The Court observed that the government’s approach “would inject arbitrariness into the assessment of criminal liability.”
The Court concluded by making clear that a violation of the CFAA occurs and “an individual ‘exceeds authorized access’ when he [or she] accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.”
Justice Clarence Thomas dissented, joined by Chief Justice John G. Roberts and Justice Samuel A. Alito, arguing that the ruling was contrary to the plain meaning of the statute and “basic principles of property law,” that “have long punished those who exceed the scope of consent.” In their view, the majority’s interpretation was tantamount to declaring that a valet, who was entitled to drive a patron’s car, could then use his access to the vehicle to “take it for a joyride.”
Following Van Buren, employers may want to carefully consider the decision and evaluate their own computer policies and restrictions on accessing sensitive and confidential business information.