The federal Computer Fraud and Abuse Act of 1986 (CFAA) put into place criminal and civil remedies to counter what was then the new phenomenon of computer hacking. While the statute was directed toward outside agents, prosecutors have over the years attempted to use the CFAA’s criminal provisions to pursue employees accused of improper access to and misuse of their employer’s information systems. Yesterday, the U.S. Supreme Court reversed a guilty verdict reached in a case involving the sale of information from the employer’s database.
In Van Buren v. U.S., the Justice Department prosecuted a Georgia police officer accused of selling information obtained from the department’s license plate database. (You can find additional background on the case here.) The officer was charged with and convicted of a criminal violation of the CFAA’s prohibition against anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” The defendant appealed the verdict on the basis that the CFAA does not apply to employees with authorized access who violate their employers’ restrictions on such use.
In a 6-3 decision, the Supreme Court agreed, vacating the verdict. The court’s decision relied on a technical interpretation of the use of the word “so” in the CFAA. The majority concluded that the CFAA’s authorized use provision “applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have.” In other words, if the employee has access to the information system, his or her misuse of information does not constitute a criminal violation of the CFAA.
This decision narrows the potential remedies available to employers against employees who steal or destroy electronic data. If employees have access to the system, misuse of the data entrusted to them will not constitute a criminal violation of the CFAA. Employers have a range of additional criminal and civil remedies available to them, but this anti-hacking law will not apply. Employers may want to review their electronic information policies to limit each employee’s access to only the portions of the systems needed to do the job.