According to the Computer Fraud and Abuse Act (“CFAA”), is it a federal crime for employees to shop online while in the workplace? In Georgia and other states the answer may be yes.
It goes without saying that computers are instrumental in conducting business. Wise employers naturally put policies in place to govern their employees’ use of company computers and networks. There are also federal and state statutes that govern employees’ computer-related activity. The CFAA is one such statute.
The Computer Fraud and Abuse Act
What does it mean to exceed authorized access of a computer system in violation of the CFAA? Turns out, it depends on where you’re located. A recent Eleventh Circuit Court of Appeals decision highlights just how inconsistently the CFAA has been applied around the country.
The CFAA prohibits accessing a computer system and obtaining information without authorization or by exceeding authorized access. It defines “exceeds authorized access” to mean: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.”
In United States v. Van Buren, Van Buren, a sergeant with the Cumming, Georgia, Police Department, was charged with a violation of the CFAA. Van Buren had allegedly used the Georgia Crime Information Center (“GCIC”) database for an improper purpose. As part of his job, Van Buren was authorized to use the GCIC database for criminal investigations. Van Buren had been trained by the police department on the proper and improper uses of the system, which was only supposed to be used for law-enforcement purposes.
During a sting operation, the FBI found that Van Buren was using the GCIC database for a non-law enforcement, illicit purpose. He was convicted of a violation of the CFAA under the theory that his use of the GCIC database for an illicit purpose exceeded the scope of his authorized access of the system.
On appeal, Van Buren argued that he was innocent because “he accessed only databases that he was authorized to use,” even if for inappropriate reasons. Van Buren relied on decisions by other Circuit Courts of Appeals which have held that “exceeds authorized access” must be read more narrowly to mean the access of computer data or files which the user is not permitted to access—“what is colloquially known as ‘hacking.’”
The Eleventh Circuit rejected Van Buren’s argument. The Court found that it was bound by its own precedent, in which it had adopted a broader reading of the CFAA.
Under the Eleventh Circuit’s prior ruling, it held that a computer user “exceeds authorized access” when they use a system beyond the limits imposed by a computer use policy. This means that even if the user has access to a system, use of that system that goes beyond the access rights granted by the system’s owner violates the law.
As Van Buren argued, the Eleventh Circuit’s interpretation of the CFAA is at odds with the interpretation adopted by several other sister Circuit Courts of Appeals. Those other courts have rejected the Eleventh Circuit’s approach. They reason that such a broad interpretation of the rule “would expand its scope beyond computer hacking to criminalize any unauthorized use of information obtained from a computer.”
Common activities such as chatting, playing games, or shopping online are routinely prohibited by employer computer-use policies. Under a broad reading of the CFAA, “such minor dalliances would become federal crimes.”
The Van Buren case reaffirmed the Eleventh
Circuit’s broad reading of the law and the existing split between federal
appeals courts on the issue. Given this split, it may finally be time for the United States Supreme Court
to weigh in on and resolve the issue. Until then, employees that use their
employer’s computer systems should err on the side of carefully complying with
the employer’s computer access and use policies—particularly in Georgia and the
other states within the Eleventh Circuit.
 28 U.S.C. § 1030(e)(6).
 United States v. Van Buren, 940 F.3d 1192, 1198 (11th Cir. 2019).
 United States v. Nosal, 676 F.3d 854, 857 (9th Cir. 2012).
 See United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010).
 Nosal, 676 F.3d at 860.