On June 3, 2021, the U.S. Supreme Court significantly narrowed the scope of the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States. In this closely watched case, the Court decided when a person “exceeds authorized access” under the Computer Fraud and Abuse Act (18 U.S.C. § 1030(a)(2)), holding that a Georgia police officer did not violate the CFAA when he overstepped his authorized access to government records. Ruling against the government, the Court held 6-3 that an individual who is authorized to access certain areas of a computer does not “exceed authorized access” under the CFAA, even when the individual accessed those areas of the computer for a prohibited purpose. The ruling has important implications not only for law enforcement but also for private plaintiffs who have relied on the CFAA’s private cause of action for alleged improper access to their systems.
Background
In Van Buren, Mr. Van Buren, a Georgia police officer, accepted $6,000 from an acquaintance to use his access to the Georgia Crime Information Center database to determine if a potential romantic interest was an undercover police officer. Mr. Van Buren only had authorization to access the database for “law enforcement purposes,” but nonetheless accessed the information for his acquaintance. As it turns out, the acquaintance was an FBI informant in a sting operation. Mr. Van Buren was charged and convicted under the CFAA for exceeding his access to the database by using it for an unauthorized purpose. The Eleventh Circuit affirmed Van Buren’s CFAA conviction, rejecting a narrower reading of the CFAA.
The lower courts have been divided as to the meaning of “exceeding authorized access,” which is defined in 18 U.S.C. § 1030(e)(6). The First, Fifth, Seventh, and Eleventh Circuits have interpreted the phrase broadly, reading “exceeding authorized access” to include accessing information on a computer for a purpose prohibited by an employer or terms of use. On the other hand, the Second, Fourth, and Ninth Circuits have adopted a narrower interpretation of “exceeding authorized access” that disregarded whether the use of the information was for an improper purpose. Under these Circuits’ interpretation, CFAA liability could not be imposed on an individual who accessed an area of a computer they were authorized to access, even if they did so for an improper purpose.
Decision and Potential Implications
The Supreme Court adopted the narrower reading, holding that an individual does not “exceed authorized access” to a computer where the person uses that access to obtain or alter information for an unauthorized purpose. The Court cited concerns that the broader reading would allow prosecutors or private entities to pursue claims based on a myriad of relatively harmless activities, such as an employee breaching a workplace policy to use social media on a company device. “The government’s interpretation of the ‘exceeds authorized access’ clause would attach criminal penalties to a breathtaking amount of commonplace computer activity,” Justice Amy Coney Barrett wrote for the majority. Likewise, cybersecurity experts argued that a broader reading of the CFAA could be used to prosecute white hat hackers and others who violate a website’s terms of service during well-intentioned investigations.
The Supreme Court’s decision limits the legal tools and theories available to businesses and other private parties for some types of unauthorized use of their computers, networks, and websites. The CFAA provides a private cause of action to obtain compensatory damages and injunctive relief for the same conduct that may be prosecuted criminally, based on the same statutory definition of when a person “exceeds authorized access.” The Van Buren decision likely prohibits these claims when the alleged excess of authorized access is based merely on an individual’s access to information that was within the scope of that individual’s permission but was nonetheless for an unauthorized purpose.
The decision does not address, however, what security measures will be deemed to sufficiently prohibit an individual’s access to information such that an individual who bypasses those security measures will have “exceeded authorized access” under the CFAA. In that way, the decision provides additional defenses to CFAA claims and will likely spawn additional litigation as to what qualifies as “authorized access.” Further, to the extent an individual gains access to a computer where they were not authorized to have such access, CFAA claims are still viable.
In the employment context, the decision suggests that an employer may no longer be able to assert CFAA claims against an insider who misuses company computers to view trade secrets if that insider had authorization to use the computers in question. In addition, other legal theories may still be available, such as the federal Defend Trade Secrets Act (DTSA), or state trade secret, tort, trespass, and contract law.
Van Buren also has implications for websites. The decision suggests that an individual will not have “exceeded authorized access” under the CFAA when an individual violates a website’s terms of use or other online license agreement. This may affect disputes involving companies that “scrape” data from publicly available websites in violation of the websites’ terms of use. The Supreme Court has been holding a petition for certiorari to review hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019), where the Ninth Circuit denied a preliminary injunction motion, holding that “scraping” information from LinkedIn in violation of LinkedIn’s terms of use is likely not a violation of the CFAA because hiQ only accessed information that was publicly accessible. The decision in Van Buren suggests the Ninth Circuit’s holding is likely correct. However, it is unclear if the Supreme Court would come to the same decision when a user bypassed the website operator’s technological measures to prevent further access, such as by blocking the user’s IP address or by restricting access to information through the use of a CAPTCHA. Those questions, too, will likely be litigated further.
Recommendations for Business
Companies that wish to maintain the CFAA in their legal arsenal should consider more strictly limiting access to certain areas of their computer systems, networks, and websites and ensuring that such limited access is enforced. For example, if an employee is granted broad access to certain information on an employer’s computer system, the employer likely will not be able to assert a CFAA claim, even if the company’s policies or terms of use limit the employee’s use of that information only for specified purposes. Instead, businesses should adopt the security measure of “least privilege” and give access to more sensitive information or trade secrets only to those employees who truly need such access. To be sure, more tailored access comes with increased costs and administrative burdens. But companies that adopt this practice may both preserve a CFAA claim when an employee accesses the information anyway and also increase overall system security consistent with industry best practices.