The U.S. Supreme Court dealt a blow last week to litigants—both criminal and civil—who have attempted to use the “exceeds authorized access” provision of the Computer Fraud and Abuse Act (“CFAA” or “Act”), 18 U.S.C. § 1030, to hold former employees, competitors and others accountable for inappropriately utilizing electronic information. In its 6-3 decision in Van Buren v. United States, the Court resolved a long-standing split on the scope of Section 1030(a)(2), providing a narrow answer to the question of whether an individual “exceeds authorized access” to electronic information in violation of the CFAA if he or she is authorized to access the information but does so for an improper purpose. The holding will make it more difficult for prosecutors and civil litigants to wield the CFAA in some scenarios where data is misused, but not necessarily stolen.
The CFAA was enacted in 1986 (when Congress likely could not have imagined advancements to technology that would take place over the following 35 years). The CFAA was introduced to address the then-growing concern over of a new type of criminal—the cybercriminal or the hacker—and though technology has evolved rapidly since the CFAA’s enactment, the text of the Act has arguably not evolved alongside it.
Today, Section 1030(a)(2) of the CFAA attaches both criminal and civil liability to those who “access a computer without authorization or exceed authorized access.” 18 U.S.C. § 1030(a)(2). The phrase “exceeds authorized access” is statutorily defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).
Van Buren v. United States
Van Buren’s troubles with the CFAA began when, unbeknownst to Van Buren, he was involved in a sting operation pursuant to which an acquaintance, Andrew Albo, asked him to use Van Buren’s credentials to search the state law enforcement computer database for the license plate of a woman whom Albo alleged he had met at a strip club. The search, per Albo, was to ensure that the woman was not an undercover officer. In exchange for information on the woman, Albo would pay Van Buren. Though the search would violate his employer’s policy, Van Buren agreed to Albo’s proposition and received an initial sum of money with more money expected after the search was completed. After Van Buren used his credentials to access the database from his patrol-car computer, however, he was not met with additional funds from Albo. Instead, he was met with an arrest warrant from the federal government.
Van Buren was ultimately convicted on one count of felony computer fraud in violation of Section 1030(a)(2) of the CFAA and sentenced to 18 months in prison. The Eleventh Circuit upheld the conviction following Van Buren’s appeal.
On appeal after the Supreme Court granted certiorari, the only dispute centered on the parties’ differing interpretations of the phrase “is not entitled so to obtain” within the statutory definition of “exceeds authorized access.” 18 U.S.C. § 1030(a)(2), (e)(6).
Van Buren argued that the phrase in dispute should be read narrowly, but the government asserted that a broad reading would be more appropriate. Agreeing with Van Buren, the Supreme Court reversed the Eleventh Circuit’s decision, finding that the phrase “is not entitled so to obtain” is “best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.”
In line with its reading, the Court found that Van Buren had not violated the CFAA because he had authority (1) to access the state law enforcement computer database and (2) to use the database to search a license plate number and retrieve the corresponding record. Under this reading, the fact that Van Buren had done this search for an improper purpose and in violation of his employer’s policy was entirely irrelevant, according to the Supreme Court.
So, What Now?
The Court’s decision in Van Buren resolves the circuit split by establishing a harmonized—but narrowed—scope of Section 1030(a)(2) of the CFAA. As a result, there are now seemingly only two ways in which criminal or civil liability can attach under Section 1030(a)(2) of the Act.
First, an individual will have violated the “exceeds authorized access” clause when he or she accesses a computer without authorization (e.g., when an individual hacks into a computer system to which he or she would not otherwise have access). See Section 1030(a)(2). Second, an individual will have violated the clause when he or she accesses a computer with authorization and then obtains information within certain parts of the computer (such as certain files or databases) that he or she does not have authorization to access. See 18 U.S.C. § 1030(a)(2), (e)(6).
Van Buren may prompt Congress to update the CFAA to bring it into the 21st century, but in the meantime, the Court’s opinion will almost certainly impact the ways in which the CFAA is utilized to file suit against those who access sensitive data for nefarious purposes. Since its enactment, both federal prosecutors and private companies have filed CFAA claims against those who improperly access their data, whether that be, for example, from hacking into the federal government’s computer network to obtain sensitive information or by accessing and then releasing an employer’s trade secrets to a competitor company. While these lawsuits will continue to be filed under the Van Buren framework, those lawsuits already pending may have to be amended to ensure that they still state a claim under the Act. Van Buren will make the path to victory for some plaintiffs or prosecutors bringing claims or charges under Section 1030(a)(2) more difficult. We will continue to closely monitor new developments under the CFAA.