The scenario is familiar, and frustrating, to employers: an employee, preparing to leave to join a competitor, accesses sensitive product, customer, and sales data using his or her own credentials, copies it to a flash drive, and takes it to a competing firm. Employers have had a variety of legal tools available to take action in response, but one previously potent tool is now seemingly off the table due to a June 3, 2021 opinion by the United States Supreme Court. That decision, Van Buren v. United States, reminds employers that litigation, even under expansive anti-hacking statutes such as the Computer Fraud and Abuse Act (CFAA), is no substitute for strong preventative actions to protect sensitive competitive information.
The Case Background
Although Van Buren was a criminal case, its facts will be familiar to many employers. Nathan Van Buren was a police sergeant in the Cumming, Georgia Police Department. His job provided him access to the state law enforcement computer database, which contained license plate information that Van Buren was authorized to use “for law-enforcement purposes.” When an acquaintance offered Van Buren $5,000 to access the database to determine whether another individual was actually an undercover police officer, Van Buren agreed. As it turned out, however, the acquaintance was cooperating with an FBI investigation.
The Government subsequently charged Van Buren with a felony violation of the CFAA, which imposes both civil and criminal liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” The Department of Justice’s position was similar to the one many employers take in civil CFAA claims: the CFAA prohibits any computer access that violates or exceeds the user’s authorization to use the information accessed. Notwithstanding Van Buren’s authorization to access the database, the Government claimed that, because he did not have permission to access the database for non-job-related purposes, he “exceeded” his authorized access. Based on this reading of the law, Van Buren was convicted.
On appeal, Van Buren argued that the “exceeds authorized access” language of the CFAA only applied to individuals who obtained information to which their computer access did not extend, not to those who access the information for an improper reason. The federal Eleventh Circuit Court of Appeals, however, agreed with the Government that Van Buren “exceed[ed] his authorized access” by obtaining the information for a nonbusiness reason, and affirmed his conviction.
But the Supreme Court agreed with Van Buren. Writing for a 6-3 majority, Justice Amy Coney Barrett adopted the narrower reading of the CFAA that users do not violate the Act by using their authorized access for unauthorized purposes. Instead, the prohibition on “exceed[ing] authorized access” only applies to users who access a computer, or areas of a computer system, they have not been authorized to access. The Supreme Court’s opinion focused on the statute’s scope, noting that the Government’s broad interpretation would criminalize a “breathtaking amount of commonplace computer activity,” including using a work computer to send personal e-mails or read the news, presumably in violation of employment policies that only allow computer use for business purposes. The Supreme Court thus found that Van Buren did not “exceed authorized access” to the Georgia law enforcement database.
In explaining its interpretation of the statute, the majority also explained the meaning of “damage” and “loss” within the civil provisions of the CFAA. The Court explained that those terms, as defined within the CFAA, are limited to “technological harms,” and are “ill fitted . . . to remediating ‘misuse’ of sensitive information that employees may access using their computers.” While the scope of civil remedies was not before the Court in Van Buren, this reasoning indicates clear hostility toward using the CFAA to respond to employees misappropriating data they are otherwise authorized to access.
Implications for Employers
Because the CFAA also provides civil remedies for various computer crimes, the CFAA once presented an important tool for employers seeking to prevent their employees from misappropriating sensitive business data. Particularly in cases where the data at issue could not be easily proven to be protected trade secrets, employers would assert claims under the CFAA against their employees simply for exceeding their authorized access to company information on company equipment (often spelled out in computer use policies). Van Buren has now taken that tool away; employers can only pursue a claim under the CFAA with a showing that the employee was not authorized to access the data at all.
Van Buren is an important reminder to employers to take steps they should already be taking to ensure the security of their business data. Proactive preventative steps are a far better means of protecting the business than trying to claw back data through litigation after it has already fallen into the hands of a competitor. Monitoring remote employees’ access to and use of business data poses additional challenges that employers must also address.
Below are several measures that employers can implement to stay vigilant on this front:
Taking measures now to secure sensitive business information will be the best defense against employees who may plan to take that data to your competitors.