On June 3, 2021, the U.S. Supreme Court significantly narrowed the scope of the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States. In this closely watched case, the Court decided when a person “exceeds authorized access” under the CFAA (18 U.S.C. § 1030(a)(2)), holding that a Georgia police officer did not violate the CFAA when he overstepped his authorized access to government records. Ruling against the government, the Court held 6-3 that an individual who is authorized to access certain areas of a computer does not “exceed authorized access” under the CFAA, even when the individual accesses those areas of the computer for a prohibited purpose. The ruling has important implications not only for law enforcement but also for private plaintiffs who have relied on the CFAA’s private cause of action for alleged improper access to their systems.
In Van Buren, Mr. Van Buren, a Georgia police officer, accepted $6,000 from an acquaintance to use his access to the Georgia Crime Information Center database to determine if a potential romantic interest was an undercover police officer. Mr. Van Buren only had authorization to access the database for “law enforcement purposes,” but nonetheless accessed the information for his acquaintance. As it turns out, the acquaintance was an FBI informant in a sting operation. Mr. Van Buren was charged and convicted under the CFAA for exceeding his access to the database by using it for an unauthorized purpose. The Eleventh Circuit affirmed Van Buren’s CFAA conviction, rejecting a narrower reading of the CFAA.
The Supreme Court adopted the narrower reading, holding that an individual does not “exceed authorized access” to a computer where the person uses that access to obtain or alter information for an unauthorized purpose. The Court cited concerns that the broader reading would allow prosecutors or private entities to pursue claims based on a myriad of relatively harmless activities, such as an employee breaching a workplace policy to use social media on a company device. “The government’s interpretation of the ‘exceeds authorized access’ clause would attach criminal penalties to a breathtaking amount of commonplace computer activity,” Justice Amy Coney Barrett wrote for the majority. Likewise, cybersecurity experts argued that a broader reading of the CFAA could be used to prosecute white hat hackers and others who violate a website’s terms of service during well-intentioned investigations.
The Supreme Court’s decision limits the legal tools and theories available to businesses and other private parties for some types of unauthorized use of their computers, networks, and websites. The CFAA provides a private cause of action to obtain compensatory damages and injunctive relief for the same conduct that may be prosecuted criminally, based on the same statutory definition of when a person “exceeds authorized access.” The Van Buren decision likely prohibits these claims when the alleged excess of authorized access rests merely on an individual’s access to information that was within the scope of that individual’s permission but was nonetheless made for an unauthorized purpose.
The decision does not address, however, what security measures will be deemed to sufficiently prohibit an individual’s access to information such that an individual who bypasses those security measures will have “exceeded authorized access” under the CFAA. In that way, the decision provides additional defenses to CFAA claims and will likely spawn additional litigation as to what qualifies as “authorized access.” Further, to the extent an individual gains access to a computer where they were not authorized to have such access, CFAA claims are still viable.
In the employment context, the decision suggests that an employer may no longer be able to assert CFAA claims against an insider who misuses company computers to view trade secrets if that insider had authorization to use the computers in question. In addition, other legal theories may still be available, such as the federal Defend Trade Secrets Act (DTSA), or state trade secret, tort, trespass, and contract law.