Supreme Court Resolves Circuit Split Regarding Scope of the Computer Fraud and Abuse Act

The Supreme Court has issued a much anticipated opinion on the scope of the Computer Fraud and Abuse Act (the CFAA), holding in Van Buren v. United States that an individual “exceeds authorized access” under the CFAA when he accesses a computer with authorization but then obtains files that are located in areas that are off limits to him.

On

Importantly, however, an individual does not violate the CFAA when he has improper motives for accessing information that is otherwise available to him or where he intends to misuse information to which he has authorized access. The full opinion is available here.

The CFAA

The CFAA was originally passed by Congress in 1986 in response to a rise in the number of “hacking” incidents and other computer-related crimes. Initially, the CFAA covered only certain financial information; however, it has since been expanded to cover any information from any computer used in or affecting interstate commerce or communication. As a result, the CFAA now applies to all information from all computers that connect to the internet.

The CFAA subjects anyone who “intentionally accesses a computer without authorization or exceeds authorized access” to criminal liability. 18 U.S.C. §1030(a)(2). The term “exceeds authorized access” is defined to mean “to access a computer without authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or access.” 18 U.S.C. §1030(e)(6). The CFAA also provides for civil liability for plaintiffs who suffer damage or loss in the form of compensatory damages and injunctive or other equitable relief.

Given that most companies now maintain their sensitive and proprietary information in digital format, it is not unusual for trade secret plaintiffs to attempt to assert CFAA claims against individuals who use their access to computer networks to facilitate the misappropriation of trade secrets.  In fact, prior to the enactment of the federal Defend Trade Secrets Act, the assertion of CFAA claims was a common tactic for creating federal court jurisdiction for trade secret misappropriation cases.

Brief Factual Background of Van Buren v. U.S.

A former Georgia police sergeant, Nathan Van Buren, used the computer in his patrol car to retrieve information about a license plate from a law enforcement database in exchange for money. In particular, in the course of his duties, Van Buren developed a friendly relationship with Andrew Albo, a man described by the deputy chief of Van Buren’s department as “very volatile.” Van Buren approached Albo to request a personal loan; however, unbeknownst to Van Buren, Albo recorded the conversation and took it to the local sheriff’s office, where he offered the recording as proof of a “shakedown.” The tape was provided to the FBI, who devised a plan pursuant to which Albo would approach Van Buren and ask him to run an unauthorized license plate search in the law enforcement database in exchange for a payment of $5,000.

Van Buren agreed to the search and used his patrol car computer to access the law enforcement database with his valid credentials. The search violated a department policy and he was charged with a felony violation of the CFAA. Van Buren was convicted by a jury and sentenced to 18 months in prison.

On appeal, Van Buren argued that the CFAA’s “exceeds authorized access” prohibition should apply only to those who obtain information to which their computer access does not extend, not to those who misuse access which they otherwise rightfully have. The Eleventh Circuit denied his appeal, solidifying a split among the Circuit courts on the scope of the CFAA prohibitions. The Supreme Court granted certiorari to resolve the split in authority.

Majority Opinion

Penned by Justice Barrett in a 6-3 opinion, the majority first analyzed the text of the statute, as well as arguments relating to precedent and statutory history, each of which the majority determined either supported a narrow interpretation or had no impact at all on the analysis.

The majority then turned to the policy arguments, which it described as “extra icing on a cake already frosted.” Most critically, the majority noted that the broad interpretation of the statute, as argued by the Government, would “attach criminal penalties to a breathtaking amount of commonplace computer activity.” For example, employees in the workplace who are granted use of computers for business purposes only would be violating a criminal statute by sending a personal email on the device. Likewise, an overbroad construction of the CFAA could criminalize embellishing an online dating profile, or using a pseudonym on Facebook.

In summary, the majority held that “[t]his provision covers those who obtain information from particular areas in the computer – such as files, folders, or databases – to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”  

Dissent

Justices Thomas, Roberts, and Alito dissented from the majority opinion, noting that “both the common law and statutory law have  long punished those who exceed the scope of consent when using property that belongs to others.” The dissent noted that the question should be a simple one: when an ordinary reader of the English language would understand Van Buren to have exceeded his authorized access when he used the law enforcement database for forbidden means.

The dissent argued that the majority reading is at odds with basic principles of property law. A computer is a piece of property, and, as such, entitlement to use it is circumstance specific. Property law generally also protects against both an unlawful entry and an unlawful use after entry. The dissent argues that the same principles should apply here. Moreover, the policy arguments made by the majority are unpersuasive because the intentional motive requirements of the CFAA would limit its application.

Takeaway

The Supreme Court’s opinion narrows the application of the CFAA significantly, such that employers and others who hoped to rely on the statute as a tool for further protection of trade secrets and confidential information may no longer do so in a typical case. Trade secret misappropriation claims most often arise out of a factual scenario in which an employee accesses information for later unauthorized use, such as competing with his or her former employer. These employees display the same motive as Van Buren – taking advantage of authorized access to a computer to use the information contained therein for unscrupulous purposes.

Given the Supreme Court’s ruling, employers can no longer benefit from the deterrent effect of potential criminal charges under the CFAA in these circumstances. Rather, they will be limited to seeking monetary damages and equitable injunctions under the DTSA and state-adopted versions of the UTSA, both of which require a heightened standard of proof as compared to the CFAA.

Contacts

Continue Reading