The Computer Fraud and Abuse Act (CFAA) was enacted in 1986 in order to curb unauthorized access to information stored on computers.
The CFAA imposes criminal or civil liability on any person who “intentionally accesses a computer without authorization” or “exceeds authorized access” in obtaining information from a protected computer. The Act is intended to protect against theft of trade secrets, data breaches, hacking, and anticompetitive behavior.
In order to plead a claim under the CFAA, a claimant must allege that an individual:
The CFAA covers a broad range of relationships involving access to computer systems, including employment relationships, third-party business relationships, and individual access to web-based platforms.
The CFAA defines “exceeds authorized access” as follows: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The statute does not explain what it means to “obtain or alter information . . . that the accesser is not entitled so to obtain or alter.” After the enactment of the CFAA, a split emerged among federal circuit courts with regard to the interpretation of the above prohibition against exceeding authorized access to a computer. Specifically, federal courts were split over whether the CFAA covers a person who diverts or misuses information to which the individual had access as part of his or her duties.
While some circuits interpreted the phrase broadly in holding that a person’s use of a computer for an improper purpose prohibited by policies exceeded authorized access and thus violated the CFAA, other circuits, including the Fourth Circuit, adopted a narrower approach, holding that no liability should be imposed on an individual who accesses information for an improper purpose if the person has access to the computer. Under the narrow interpretation, a person’s motives for accessing a computer are not relevant as the primary consideration is whether the person had the authority to access the information in the first place.
On June 3, 2021, the Supreme Court of the United States (SCOTUS) resolved this circuit split in the case of Van Buren v. United States. In a 6-3 decision penned by Justice Amy Coney Barrett, the Court held that a police officer did not violate the CFAA when he took a cash payment in exchange for searching the Georgia Crime Information Center database because the police officer had access to the database for work purposes and utilized his valid credentials to obtain license plate information for a personal purpose. In so holding, SCOTUS determined that the CFAA protects against those who access a computer with authorization but who then exceed authorized access by obtaining information located in particular areas of the computer – such as files, folders, or databases – that are off-limits to them but does not protect against those who “have improper motives for obtaining information that is otherwise available to them.” In reaching this conclusion, the Court noted that a broad interpretation of the CFAA “would attach criminal penalties to a breathtaking amount of commonplace computer activity,” including the sending of personal emails on a work computer in violation of an employer’s policies, the reading of news content in breach of a website’s terms and conditions, or the embellishing of an online dating profile.
SCOTUS’s ruling in Van Buren serves to limit the scope of the CFAA as it limits the ability to prosecute individuals who might overreach their access to company data or digital information. Previously, a broad interpretation of the CFAA meant that a website’s terms of service could likely define the scope of appropriate use and thereby criminalize activity that exceeded that scope. Van Buren likely protects individuals from criminal or civil liability for violating a website’s online terms of service. Similarly, prior to Van Buren, a broad interpretation of the CFAA meant that an employer could assert a claim against dishonest employees who accessed employer computer systems for improper purposes. The holding in Van Buren limits this right as an employee’s mere right to access an employer’s computer system may shield the employee from liability despite improper use of the computer system. The employer must now demonstrate that the employee obtained the information from a file, folder, or database to which the employee’s computer access did not extend.
It is anticipated that Van Buren will be cited as a landmark opinion in the years to come. The case has particular significance for employers in those circuits that had previously interpreted the CFAA broadly. Following Van Buren, it is no longer relevant for purposes of CFAA liability that an employee obtains computer information for an unauthorized purpose. The employer must demonstrate that in obtaining the computer information, the employee accessed a computer or a file, folder, or database that was off-limits to the employee. In light of the Court’s narrow interpretation of the CFAA, it is recommended that employers:
If you have questions about this decision or any other employment-related matter, please call Connie Carrigan at (919) 250-2119 or e-mail her at firstname.lastname@example.org.
Connie Elder Carrigan is an accomplished attorney with a passion for helping clients, individuals, employers, and business representatives in planning for their future. From creating initial documents for a new company to advising on compensation, harassment, discrimination, and employment agreements, to estate planning and trusts and estate administration, Connie advises clients with shrewdness and prudence backed by over three decades of experience.