Last week, in Van Buren v. United States, the United States Supreme Court ruled that the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030 et seq., is not implicated by improper use of computer systems to which an individual has authorized access. Rather, in a 6-3 decision, the Court ruled that CFAA prohibits obtaining information from areas of a computer system (e.g. files, folders, or databases) that are beyond the limits of the access granted to the individual.
Applied to the real world: Employee A is provided with access to the company’s HR database and uses that access to learn about co-worker salaries in order to negotiate for a raise. Employee B, a computer whiz, only has access to the company’s intranet available to all employees, but uses this access to “hack” into the HR database for a similar purpose. Employee B has violated CFAA, but Employee A has not.
Enacted in 1986, CFAA provides both civil and criminal penalties for computer hacking. An individual improperly accessing a protected computer system for commercial gain faces serious consequences — up to five years of imprisonment and a fine for a first time offense. Prior to the enactment of the federal Defend Trade Secrets Act (DTSA), CFAA was an attractive claim for employers to assert against employees engaged in misappropriation of trade secrets and other tortious acts involving the employer’s computer systems because it provided jurisdiction to federal courts.
Section (a)(2) of CFAA prohibits knowingly accessing a computer “without authorization” or “exceeding authorized access” to a computer, obtaining information, and cause a “loss” under the statute. In Van Buren, a police officer agreed to look up a vehicle license tag for a third-party in return for payment. To do so, he accessed a police license plate database he was authorized to use, but did so for non-law enforcement purposes. He was prosecuted and convicted for violating CFAA as having exceeded his authorized permission to utilize the database. The Eleventh Circuit affirmed the conviction. Van Buren appealed to the Supreme Court seeking review of “[w]hether a person who is authorized to access information on a computer for certain purposes violates [CFAA] if he accesses the same information for an improper purpose.”
Since its enactment in 1986, Van Buren is the first time the high court has interpreted the statute. However, confusion over vague statutory language has been simmering for several years. The text of CFAA does not define “authorization.” Before the Supreme Court’s ruling, a sharp split existed among circuit courts. The First, Fifth, Seventh, and Eleventh Circuits adopted a broad construction of CFAA, allowing claims when an individual misused information they were otherwise permitted to access. The Second, Fourth and Ninth Circuits limited CFAA liability only to instances where an individual accessed information off-limits to them.
The majority opinion, penned by Justice Barrett, relied on textual analysis to reason that the law turns on an individual’s authority to access specific information. In so doing, the majority rejected the government’s argument for a broader interpretation, stating that such an interpretation “attached criminal penalties to a breathtaking amount of commonplace computer activity.” For example, the majority noted, extending the statute to “every violation of a computer-use policy” would criminalize trivial conduct such as “embellishing on online-dating profile” and “using a pseudonym on Facebook” — activities that violate website use restrictions and thus would fall within the government’s understanding of the CFAA.
Justice Thomas’ dissenting opinion argued that an interpretation of Section (a)(2) should include both an individual’s authorization to access and use of the information. Thomas reasoned that the CFAA regulates intellectual property and should therefore be analyzed through established concepts of property law, “which generally protects against both unlawful entry and unlawful use after entry.” Thomas argued this contradicts the majority opinion, which merely outlaws unlawful entry.
The Supreme Court’s holding in Van Buren reduces the ability of employers to impose federal criminal and civil liability in trade secret and employee mobility cases that involve computer fraud. Following Van Buren, there may be an increased reliance on state computer trespass statutes to establish criminal or civil liability when employees utilize their ability to access their employer’s computer systems for an improper purpose. Employers seeking to impose purpose-based restrictions on use of computer systems should ensure that their computer-usage policies incorporate those restrictions and might consider adding those limitations into confidential information agreements.