SCOTUS Review of CFAA May Impact Analysis in Data Breach Notification Obligations
For the first time, the U.S. Supreme Court has agreed to review the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States, No. 19-783. A federal circuit split exists on the issue of whether the statute can only be used against hackers and unauthorized users of electronic systems, or also against authorized users who use the information for unauthorized purposes. In the context of data breaches, companies sometimes look to interpretations of the meaning of “authorization” in CFAA cases to analyze whether notification obligations may exist.
Enacted in 1986 to combat the perceived growing threat of hackers, the CFAA makes it a federal crime to “access a computer without authorization or exceed authorized access, and thereby obtain information from any protected computer.” In addition to criminal penalties, the CFAA contains a private right of action allowing any person who sustains damages or loss because of a CFAA violation to sue for damages or equitable relief. Our sister blog discusses the existing case law involving CFAA claims in more depth.
Although the inquiry is state-by-state, data breach notification obligations are generally triggered when there has been unauthorized acquisition of or access to personal information. Data breach notification statutes do not define what constitutes authorization, and there is a lack of case law under the data breach notification laws analyzing what “authorization” means. However, case law interpreting the CFAA has historically helped provide some guidance to organizations on this point.
For example, if an employee sends files containing personal information that she uses in the normal course of her responsibilities to a personal email account, but those files are not otherwise acquired or accessed by anyone else, does that company have data breach notification obligations? Under the narrow view (held by the Second, Fourth, and Ninth Circuits), many would argue no. Under the narrow interpretation, if a person is given access to a computer or network (i.e., an employee), then he or she is authorized to access that computer regardless of his or her intent to misuse information or violate any policies that regulate use of the information. In contrast, the First, Fifth, Seventh, and Eleventh Circuits have held that accessing a computer for an improper purpose violates the CFAA, even if the person was otherwise authorized to access the information.
Putting It Into Practice: How the Supreme Court decides Van Buren will transform the landscape for CFAA claims in trade secrets and employment litigation. Simultaneously, the decision should also bring much-needed clarity to the definition of “authorization” in the context of data breach statutes, notification obligations, and ensuing data breach litigation.