Supreme Court Restricts Use of Computer Fraud and Abuse Act

September 3, 2021 | Insights

In its recent decision in Van Buren v. United States, the U.S. Supreme Court narrowed the scope of the Computer Fraud and Abuse Act (CFAA) and its potential use by employers to ensure computer security and protection for their trade secrets and confidential information.

The Computer Fraud and Abuse Act

The CFAA was first enacted by Congress in 1984 in response to growing concerns across the country about computer security and the dangers posed by computer hacking or computer theft. The initial version of the statute was solely a federal computer crime statute. It was later expanded to include civil protections as well, and currently allows private lawsuits for those “suffering damage or loss” to sue money and equitable relief.

Employer Use of CFAA’s Civil Protections

In its current form, the CFAA is worded extremely broadly. It now encompasses information from any computer “used in or affecting interstate or foreign commerce or communication.” As the Supreme Court noted, this language now applies to at least “all information from all computers that connect to the Internet.”

Employers have often used the CFAA’s civil protections to sue former employees who have, for example, taken trade secrets or confidential information such as customer lists, prospect information, financial information, or business plans to benefit a future employer or to exploit the information for a profit.

Factual Background of Case

The case in question was a criminal case in which the defendant, a police sergeant in Georgia, was accused of violating the CFAA. The sergeant’s eventual actions that were the subject of his indictment started when he came into contact with an individual who had been identified by the police department as volatile and dangerous. Even so, the sergeant developed a relationship with this individual, and then made the mistake of asking him for a personal loan. This led to a sting effort to persuade the sergeant (in exchange for a money payment) to search a Georgia law enforcement database for a license plate belonging to a woman to determine if she was an undercover officer.

The sergeant used his patrol car computer to access the database with his valid credentials. He then searched the database for the license plate in question, and notified the individual (who set him up) that he had located the requested information. The FBI then arrested the sergeant and charged him with a violation of the “exceeding authorized access” clause of the CFAA.

At the trial, it was shown that the sergeant knew that he was not supposed to use the law enforcement database for an “improper purpose,” which included “any personal use.” He was convicted of violating the CFAA because he had accessed the database for an “inappropriate reason.”

Supreme Court Focus on CFAA Terms

In the decision, the first by the Supreme Court to analyze the CFAA, the Court focused its attention on the statutory phrase “exceeds authorized access,” which is defined as “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled to obtain.”

As a result of this focus, the Court majority determined that when the sergeant had accessed the law enforcement database, he did so with authorization, using his valid credentials. Focusing upon several dictionary sources, the Court analyzed this language and decided that the CFAA did not criminalize the sergeant’s conduct.

Supreme Court Ruling

The Court concluded that the statute barred only improper access to certain information, rather than valid access to information for an improper purpose. It explained this distinction by giving the following example:

If a person has access to information stored in a computer— e.g., in “Folder Y,” from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.

The result of the Supreme Court’s decision is that under the CFAA’s current wording, a person does not violate the statute by accessing a computer which he or she is entitled to access, regardless of the purpose for doing so.

Recommendation for Employers

Presuming Congress does not amend the CFAA to eliminate this loophole, employers will now be well-advised to develop additional in-house computer protections in their personnel handbooks, and particularly utilize specific access policies and confidentiality agreements to restrict information that employees are “authorized” to access. Members of Jackson Walker’s Labor & Employment practice group can assist in this effort to ensure that employers maximize protection for their valuable computer information.

Lionel SchoolerMeet Lonnie

Lionel M. Schooler is a management-side employment lawyer and recognized authority on employment law, federal appellate practice, and arbitration. Lonnie’s employment practice focuses on counseling clients and litigating, on a nationwide basis, claims under all employment laws, workers’ compensation coverage issues, wage and hour claims, and investigations by the Equal Employment Opportunity Commission, the U.S. Department of Labor, and the Texas Workforce Commission. Lonnie is also experienced as an arbitrator on the Commercial and Employment Panels of the American Arbitration Association and as an advocate.

The opinions expressed are those of the author and do not necessarily reflect the views of the firm, its clients, or any of its or their respective affiliates. This article is for informational purposes only and does not constitute legal advice.