Supreme Court Limits Scope Of The Computer Fraud And Abuse Act – Employment and HR | #itsecurity | #infosec

United States:

Supreme Court Limits Scope Of The Computer Fraud And Abuse Act

To print this article, all you need is to be registered or login on

The Consumer Fraud and Abuse Act, 18 U.S.C. §1030 (CFAA) is
a federal statute that imposes criminal penalties and provides for
a civil cause of action against individuals who obtain information
from a computer by intentionally accessing the computer without
authorization or by exceeding authorized access. The statute has
been used to criminally prosecute and bring civil actions for
damages and losses against employees who have misappropriated their
employers’ trade secrets or other confidential information.
Those damages and losses may include attorneys’ fees expended
by the employer to investigate violations of the statute.

In its recent opinion in Van Buren v. United States,
the United States Supreme Court resolved a disagreement among the
lower federal courts over the scope of the CFAA’s “exceeds
authorized access” clause. Does an employee with authorized
access to his employer’s computers “exceed authorized
access” only when accessing specific computer files the
employee has not been authorized to access, or does the employee
also “exceed authorized access” when accessing files for
which the employee has authorization, but uses the information for
an unauthorized purpose? In Van Buren, the Supreme Court
ruled in favor of the more limited scope of the “exceeds
authorized access” clause.


When employed as a police officer in Georgia, Nathan Van Buren
was the target of an FBI sting operation. He agreed to accept
$5,000 from one Albo in exchange for providing Albo with license
plate information about a woman in whom Albo was ostensibly
interested. In fact, Albo was working for the FBI. Van Buren
accessed the license plate information through the computer in his
patrol car. He knew that by providing the information to Albo he
was violating his employer’s policies concerning the proper use
of such information. The FBI promptly arrested Van Buren and
charged him with violating the CFAA. A jury convicted Van Buren and
the Eleventh Circuit Court of Appeals affirmed his conviction. That
court ruled that Van Buren had violated the CFAA’s
“exceeds authorized access” clause because he had
accessed the police department’s database for “an
inappropriate reason.”

The Supreme Court’s Opinion

In an opinion authored by Justice Barrett, and by a vote of 6 to
3, the Supreme Court reversed Van Buren’s conviction, holding
that the CFAA “covers those who obtain information from
particular areas in the computer—such as files, folders, or
databases—to which their computer access does not extend
[but] [i]t does not cover those who, like Van Buren, have improper
motives for obtaining information that is otherwise available to

In so holding, the Court, in large part, relied on the
definition of “exceeds authorized access” expressly set
forth in the statute: “The term “exceeds authorized
access” means to access a computer with authorization and to
use such access to obtain or alter information in the computer that
the accesser is not entitled so to obtain or
.” (Emphasis added.) The Court reasoned
that, under this definition, information one is not entitled
“‘so”‘ to obtain refers “to information one
is not allowed to obtain by using a computer that he is
authorized to access
.” (Emphasis in original.) In other
words, the CFAA is concerned only with whether the individual was
authorized to access the information at issue. And, given it was
undisputed Van Buren was authorized to obtain the license plate
information in question, by obtaining that information he did not
“exceed authorized access” as the CFAA defines that
phrase, even though he obtained the information for an improper

The Court expressed several additional reasons to reject the
argument that an employers’ policies on use of computerized
information can provide the basis for a CFAA violation. The Court
noted that the Government did not contend that purpose based limits
on access are relevant to someone who uses a computer without any
authorization and that the Government could not explain why the
statute would impose purpose based restrictions on someone who used
a computer with authorized access. The Court also noted that the
CFAA’s damages provisions for civil liability cases were
concerned only with allowing recovery for “any impairment to
the integrity or availability of data, a program, a system,”
or “for harm to computer data, programs, systems, or
information services,” “injuries that are
“technological” in nature and typically the result of
“hacking.” The Court reasoned that these damages
provisions were “ill fitted . . . to remediating
‘misuse’ of sensitive information” by someone with
authorized access. “Van Buren’s situation is
illustrative,” the Court noted. “His run of the license
plate did not impair the ‘integrity or availability of data,
nor did it otherwise harm the database system

The Court was also concerned that an expansive interpretation of
“exceeds authorized access” would open the door to a wide
range of problematic potential statutory violations. The Court
opined: “If [the CFAA] criminalizes every violation of a
computer-use policy, then millions of otherwise law-abiding
citizens are criminals. Take the workplace. Employers commonly
state that computers and electronic devices can be used only for
business purposes. So on the Government’s reading of the
statute, an employee who sends a personal e-mail or reads the news
using her work computer has violated the CFAA. Or consider the
Internet. Many websites, services, and databases—which
provide ‘information’ from ‘protected computers’ .
. . authorize a user’s access only upon his agreement to follow
specified terms of service. If the [CFAA] encompasses violations of
circumstance-based access restrictions on employers’ computers,
it is difficult to see why it would not also encompass violations
of such restrictions on website providers’ computers.”

Finally, the Court indicated it was deciding only that the CFAA
is not available to enforce employer policies protecting the
use of computerized information. It was
not addressing the issue of whether the statute can be used to
enforce employer policies or agreements restricting
access to computerized information when
the employer has provided technological access to that information.
Nevertheless, given the Court’s view of the CFAA as essentially
an anti-hacking statute, it is certainly not unlikely that the
Court would not impose liability under the statute in such


As a result of then Van Buren decision, the CFAA is no
longer available to employers to pursue employees who have used
authorized access to an employer’s
computerized information for purposes prohibited by the employer by
policy or agreement. Employers, of course, remain free to pursue
such employees under federal and state trade secret protection laws
and through enforcement of confidentiality agreements. Employers
should review their confidentiality agreements to ensure they
provide sufficient protection of confidential information and
should make sure authorized access to computerized information is
limited to employees who truly require such access.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Employment and HR from United States

Biden To Ban Non-Competes?

Seyfarth Shaw LLP

The Biden Administration plans to issue an executive order calling on the Federal Trade Commission (FTC) to adopt rules to limit the use of noncompete clauses in employment agreements.

Original Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

ninety one − eighty four =