Corporate Matters, Noncompete & Trade Secrets | Jul 30, 2021

Supreme Court Rules on Computer Fraud and Abuse Act: What Should Employers Do Now?

The United States Supreme Court recently overturned an Eleventh Circuit decision in Van Buren v. United States, 141 S. Ct. 1648, 1649 (2021). It ruled that a police officer did not violate the Computer Fraud and Abuse Act (“CFAA”) when he obtained information from a law enforcement database that he was generally authorized to access, but which he accessed for an improper purpose.

In doing so, the Court resolved a long-standing split between federal appellate courts. This decision has significant implications for employers: although the CFAA originally targeted hackers, some employers have been able to use the CFAA’s civil remedy provisions to assert CFAA claims in unfair competition lawsuits against former employees who misappropriate information using a computer.

Computer Fraud and Abuse Act: Background
The Computer Fraud and Abuse Act provides a civil cause of action against anyone who “intentionally accesses a computer without authorization or exceeds authorized access” and obtains or misuses certain information obtained from the computer.[1] 18 U.S.C. § 1030. 

While the CFAA defines the phrase “exceeds authorized access,” it has proven to be an ambiguous term in application.[2] Adding to the confusion, the CFAA does not define “with authorization” or “without authorization.” As a result, the CFAA has been interpreted differently by the various circuits, causing the reach of the CFAA to vary by jurisdiction.

Prior to Van Buren, some federal appellate courts analyzed the CFAA through an agency lens. Under this analysis, the CFAA was found to apply when an employee was granted access to the employer’s computer systems, but then used that access for a purpose that was inconsistent with the employer’s interest.[3]

Stated otherwise, if the employee accessed his or her employer’s computers to download information to use in the future at a competitor, the employee was acting contrary to his or her agency to the current employer and could be found to be in violation of the CFAA. Appellate courts in other circuits construed the CFAA more narrowly, holding that an employer must show that the employee engaged in misconduct within a computer, database, or server that the employee did not have authority to access in the first place, or whose authority had clearly been terminated.[4]

Case Background
Van Buren was a sergeant with the Cumming, Georgia, Police Department. As part of his job, Van Buren had authorization to use the Georgia Crime Information Center (“GCIC”) database for criminal investigations. Van Buren was charged with violating the CFAA after he used his patrol-car computer to access the GCIC to retrieve information about a particular license plate number in exchange for money. A jury convicted Van Buren and sentenced him to 18 months in prison.

On appeal, Van Buren argued (consistent with some courts outside the Eleventh Circuit) that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have.[5] However, consistent with Eleventh Circuit precedent, the panel held that Van Buren had violated the CFAA and affirmed his conviction. Van Buren thereafter successfully petitioned the Supreme Court to hear the case.

The Supreme Court’s Decision
The Supreme Court reversed the Eleventh Circuit’s ruling. It determined that a person “exceeds authorized access” within the meaning of the CFAA only when they use a computer with authorization but then acquire information located in a restricted area of that computer (a file, folder, etc.) that is off limits.

Accordingly, the Court held, Van Buren did not violate the CFAA by obtaining information from the GCIC database for an improper purpose since he was authorized to access that database as part of his job duties.

The Supreme Court focused on the text and structure of the CFAA, agreeing with Van Buren that “without authorization” and “exceeds authorized access” should be understood as a “gates-up-or-down inquiry — one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.”[6]

The parties agreed that Van Buren had authority to access the GCIC database by virtue of his job. Because the “gates were down,” the fact that Van Buren accessed the GCIC for an improper reason was insufficient to establish a violation of the CFAA.

The Supreme Court further observed “the interplay between the ‘without authorization’ and ‘exceeds authorized access’ clauses” of the CFAA, preferring Van Buren’s interpretation because it would “place the provision’s parts into a harmonious whole.”[7]

  • “Without authorization” and “exceeds authorized access” refer to two distinct ways of unlawfully obtaining data.

  • The “without authorization” clause protects computers from “so-called outside hackers — those who access a computer without any permission at all.”[8]

  • The “exceeds authorized access” clause provides complementary protection to information within computers, “by targeting so-called inside hackers—those who access a computer with permission, but then ‘exceed the parameters of authorized access by entering an area of the computer to which [that] authorization does not extend.’”[9]

Finally, the Court observed that the Government’s interpretation, which was consistent with Eleventh Circuit precedent, is impractical because it would “attach criminal penalties to a breathtaking amount of commonplace computer activity.”[10] “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens may be criminals.”[11]

Impact of the Supreme Court’s Decision
In short, the Supreme Court ruled that the CFAA criminalizes computer hacking but may not reach violations of “purpose-based limits contained in contracts and workplace policies.”[12] A person may still be liable under the CFAA if they access a part of a particular system that they are not authorized to access.

Below are examples of conduct that likely does or does not violate the CFAA following the Van Buren decision:

| Action | Criminal Under the CFAA? |
| --- | --- |
| Shopping on Amazon during work hours on a work computer or work-issued cellphone | No! |
| Violating a website’s terms of service | No! |
| Engaging in personal chats during work hours on a work computer via Google Hangouts or other web-based communication tools | No! |
| Accessing a database that one is authorized to access but for an unauthorized purpose | No! |
| Accessing a database that one is not authorized to use for any purpose | Yes! |
| Accessing a portion of a company’s Intranet system to which one has not been granted access | Yes! |
| Hacking into an area of a company’s system to which one has not been granted access | Yes! |

Of course, even as to those activities which may not be criminal under the CFAA, many may still technically violate provisions in an employment agreement or a company’s policies or restrictions on computer use.

Notably, the Georgia Supreme Court recently cited Van Buren in a decision that narrowly construed a portion of the Georgia Computer Systems Protection Act — Georgia’s state law computer misconduct statute.[13]

What this Means to Employers
Employers concerned about potential employee misuse of information stored on company computers should reassess their security policies in light of Van Buren.

For example, companies should limit each employee’s computer access to only those files, folders, and/or databases necessary to carry out the employee’s individual job responsibilities. Of course, employers may (and should) continue utilizing purpose-based computer use policies with the understanding that a violation of such policies may not implicate the CFAA, unless the employee enters an area of the computer or system beyond that to which their computer authorization extends.

[1] 18 U.S.C. § 1030(a)(2).

[2] See 18 U.S.C. § 1030(e)(6).

[3] See, e.g., International Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).

[4] See, e.g., United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012).

[5] United States v. Van Buren, 940 F.3d 1192, 1207-08 (11th Cir. 2019), cert. granted, 140 S. Ct. 2667, 206 L. Ed. 2d 822 (2020), and rev’d and remanded, 141 S. Ct. 1648 (2021).

[6] Van Buren, 141 S. Ct. at 1658.

[7] Id.

[8] Id.

[9] Id.

[10] Id. at 1661.

[11] Id.

[12] Id. at 1662.

[13] Kinslow v. State, S20G1001, 2021 WL 2518617, at *6 n.6 (Ga. June 21, 2021).
