The Supreme Court Limits Scope of Computer Fraud and Abuse Act
On June 3, the United States Supreme Court issued a 6-3 opinion resolving a circuit split over the meaning of “exceeds authorized access” under the federal Computer Fraud and Abuse Act (“CFAA”). The Court’s decision limits the scope of claims employers can bring against disloyal current and former employees under the CFAA, particularly in jurisdictions that previously applied a broad interpretation to the phrase “exceeds authorized access.” We have previously provided updates on the CFAA generally and on the Fourth Circuit’s decision on the “exceeds authorized access” issue.
Subject to certain limitations, the CFAA creates criminal and civil liability for a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2). Using this and similar provisions in the CFAA, employers have asserted civil claims against employees who misappropriated or misused confidential information obtained from their employers’ computer systems. Prior to the Supreme Court’s decision, however, federal courts were split over whether an employee who was otherwise authorized to access information “exceed[ed] authorized access” by accessing or using such information for a disloyal purpose (e.g., to share that information with a competitor whom the employee intends to join).
The Supreme Court addressed this longstanding circuit split over the CFAA’s prohibition on “exceed[ing] authorized access” in Van Buren v. United States. No. 19-783, slip op. at 4-5 (U.S. June 3, 2021). Like the United States Court of Appeals for the Fourth Circuit, the Supreme Court adopted a narrow interpretation of the phrase, concluding that the law does not cover those who have improper motives for obtaining information that they are otherwise permitted to access. Id. at 1.
Van Buren involved a Georgia police officer, Nathan Van Buren, who used his patrol-car computer to access a law enforcement database and retrieve information about a particular license plate number in exchange for around $5,000. Id. at 1, 3. Unbeknownst to Van Buren, the person who requested the license plate information was participating in an FBI sting operation. Id. at 3. The government charged Van Buren with a felony violation of the CFAA on the ground that running the license plate violated the “exceeds authorized access” clause of the CFAA because Van Buren’s department had a policy forbidding the use of the law enforcement database for “an improper purpose,” which was defined as “any personal use.” Id. at 3-4.
A jury convicted Van Buren, and the Eleventh Circuit affirmed his conviction, finding that Van Buren had violated the CFAA by accessing the law enforcement database for an inappropriate reason. Id. Conversely, the Supreme Court found that Van Buren did not “exceed authorized access” to the database, as defined in the CFAA, even though he obtained information from the database for an improper purpose and in violation of departmental policy. Id. at 20. The Court held that under the CFAA, an individual exceeds authorized access when he accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him. Id. Since Van Buren was authorized to access the law enforcement database in question, accessing that information did not violate the CFAA.
While the Van Buren decision does not change the law in the Fourth Circuit, it provides a timely reminder that employers should be mindful of whom they give access to confidential information, the scope of the access, and whether such access should be limited to information in particular files, folders, databases, or drives. Employers should also consider the policies and restrictions they use to protect their confidential information and whether they could enforce such policies and restrictions through avenues other than the CFAA, such as state laws.