Supreme Court Limits the Scope of Computer Fraud & Abuse Act

04 June 2021 Blog
Authors: Eileen R. Ridley, Matthew D. Krueger, Steven M. Millendorf, Paige M. Papandrea
Published To: Privacy, Cybersecurity & Technology Law Perspectives; Labor & Employment Law Perspectives

On June 3, 2021, the U.S. Supreme Court significantly narrowed the scope of the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States. In this closely watched case, the Court decided when a person “exceeds authorized access” under the Computer Fraud and Abuse Act (18 U.S.C. § 1030(a)(2)), holding that a Georgia police officer did not violate the CFAA when he overstepped his authorized access to government records. Ruling against the government, the Court held 6-3 that an individual who is authorized to access certain areas of a computer does not “exceed authorized access” under the CFAA, even when the individual accessed those areas of the computer for a prohibited purpose. The ruling has important implications not only for law enforcement but also for private plaintiffs who have relied on the CFAA’s private cause of action for alleged improper access to their systems. 

Background

In Van Buren, Mr. Van Buren, a Georgia police officer, accepted $6,000 from an acquaintance to use his access to the Georgia Crime Information Center database to determine if a potential romantic interest was an undercover police officer. Mr. Van Buren only had authorization to access the database for “law enforcement purposes,” but nonetheless accessed the information for his acquaintance. As it turns out, the acquaintance was an FBI informant in a sting operation. Mr. Van Buren was charged and convicted under the CFAA for exceeding his access to the database by using it for an unauthorized purpose. The Eleventh Circuit affirmed Van Buren’s CFAA conviction, rejecting a narrower reading of the CFAA.

The lower courts have been divided as to the meaning of “exceeding authorized access,” which is defined in 18 U.S.C. § 1030(e)(6). The First, Fifth, Seventh, and Eleventh Circuits have interpreted the phrase broadly, reading “exceeding authorized access” to include accessing information on a computer for a purpose prohibited by an employer or terms of use. On the other hand, the Second, Fourth, and Ninth Circuits have adopted a narrower interpretation of “exceeding authorized access” that disregarded whether the use of the information was for an improper purpose. Under these Circuits’ interpretation, CFAA liability could not be imposed on an individual who accessed an area of a computer they were authorized to access, even if they did so for an improper purpose.

Decision and Potential Implications

The Supreme Court adopted the narrower reading, holding that an individual does not “exceed authorized access” to a computer where the person uses that access to obtain or alter information for an unauthorized purpose. The Court cited concerns that the broader reading would allow prosecutors or private entities to pursue claims based on a myriad of relatively harmless activities, such as an employee breaching a workplace policy to use social media on a company device. “The government’s interpretation of the ‘exceeds authorized access’ clause would attach criminal penalties to a breathtaking amount of commonplace computer activity,” Justice Amy Coney Barrett wrote for the majority. Likewise, cybersecurity experts argued that a broader reading of the CFAA could be used to prosecute white hat hackers and others who violate a website’s terms of service during well-intentioned investigations.

The Supreme Court’s decision limits the legal tools and theories available to businesses and other private parties for some types of unauthorized use of their computers, networks, and websites. The CFAA provides a private cause of action to obtain compensatory damages and injunctive relief for the same conduct that may be prosecuted criminally, based on the same statutory definition of when a person “exceeds authorized access.” The Van Buren decision likely bars these claims when the alleged excess of authorized access rests merely on an individual accessing information within the scope of that individual’s permission, but for an unauthorized purpose.

The decision does not address, however, what security measures will be deemed to sufficiently prohibit an individual’s access to information such that an individual who bypasses those security measures will have “exceeded authorized access” under the CFAA. In that way, the decision provides additional defenses to CFAA claims and will likely spawn additional litigation as to what qualifies as “authorized access.” Further, to the extent an individual gains access to a computer where they were not authorized to have such access, CFAA claims are still viable.

In the employment context, the decision suggests that an employer may no longer be able to assert CFAA claims against an insider who misuses company computers to view trade secrets if that insider had authorization to use the computers in question. In addition, other legal theories may still be available, such as the federal Defend Trade Secrets Act (DTSA), or state trade secret, tort, trespass, and contract law.

Van Buren also has implications for websites. The decision suggests that an individual will not have “exceeded authorized access” under the CFAA when that individual violates a website’s terms of use or other online license agreement. This may affect disputes involving companies that “scrape” data from publicly available websites in violation of the websites’ terms of use. The Supreme Court has been holding a petition for certiorari to review hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019), where the Ninth Circuit denied a preliminary injunction motion, holding that “scraping” information from LinkedIn in violation of LinkedIn’s terms of use is likely not a violation of the CFAA because hiQ only accessed information that was publicly accessible. The decision in Van Buren suggests the Ninth Circuit’s holding is likely correct. However, it is unclear if the Supreme Court would come to the same decision when a user bypassed the website operator’s technological measures to prevent further access, such as by blocking the user’s IP address or by restricting access to information through the use of a CAPTCHA. Those questions, too, will likely be litigated further.

Recommendations for Business

Companies that wish to maintain the CFAA in their legal arsenal should consider more strictly limiting access to certain areas of their computer systems, networks, and websites and ensuring that such limited access is enforced. For example, if an employee is granted broad access to certain information on an employer’s computer system, the employer likely will not be able to assert a CFAA claim, even if the company’s policies or terms of use limit the employee’s use of that information only for specified purposes. Instead, businesses should adopt the security measure of “least privilege” and give access to more sensitive information or trade secrets only to those employees who truly need such access. To be sure, more tailored access comes with increased costs and administrative burdens. But companies that adopt this practice may both preserve a CFAA claim when an employee accesses the information anyway and increase overall system security consistent with industry best practices.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice.