October 27, 2021

Volume XI, Number 300

SCOTUS Ruling Narrows Computer Fraud Law

Highlights

  • The ruling limits types of conduct that can be charged under the Computer Fraud and Abuse Act (CFAA). 

  • The ruling provides much-needed guidance for federal prosecutors but makes it more difficult to prosecute insider hacking and exceeded authorized access cases.

  • The ruling shifts more burden on to the private sector to defend against threats to data. 

A Supreme Court decision handed down this week could narrow the type of claims companies can pursue to deter and defend against insider threats to vital data. In the wake of the decision (Van Buren v. U.S.), businesses should be reviewing compliance policies and procedures to ensure they account for data privacy and trade secret concerns. Companies should also consider restricting employee access to network locations and data unless necessary and include backup procedures and action plans for unauthorized access.

The ruling in Van Buren comes amid ever-heightening threats to corporate data and networks. The FBI received a record number of complaints involving internet crimes in 2020: 791,790 in all – a 69% increase in total complaints from 2019 – with reported losses exceeding $4.1 billion.

In a 6-3 decision, the high court limited the types of conduct that federal prosecutors can charge under the Computer Fraud and Abuse Act (CFAA). At question was the CFAA’s “exceeds authorized access” clause, which has been used frequently to prosecute, among others, company insiders who abused their access to sensitive information in protected databases or confidential trade secrets.

Six years ago, Nathan Van Buren, then a police sergeant in Cumming, Ga., violated department policy when he accepted $5,000 from a local man to search a license plate database in a supposed effort to determine if a stripper was actually an undercover police officer. In reality, the local man was an informant working with the FBI. Van Buren was arrested and in 2017 he was convicted of computer fraud under the CFAA. The conviction was upheld on appeal to the Eleventh Circuit.

The Supreme Court reversed, holding that Van Buren did not violate the CFAA’s “exceeds authorized access” clause because that clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise lawfully have. Van Buren had authorization to access the computer database at issue; even though he misused that access, he did not “exceed authorized access” under the CFAA. Justice Barrett noted that an overly broad reading of the CFAA would criminalize common workplace policy violations like using a company computer to send a personal email or check sports scores online.

While the opinion provides much needed guidance for federal prosecutors, it also cabins prosecutorial power when it comes to charging “inside” hacking or cases involving those who exceed authorized access for personal gain. According to a senior DOJ official, the Department of Justice has already prioritized ransomware attack investigations at the same level as terrorism offenses following the Colonial Pipeline hack and other offenses involving increasing damage by cyber criminals. Departmental guidance sent to US Attorney's Offices last week provided that information about ransomware investigations should be coordinated with a recently created cyber task force in Washington. The Supreme Court’s concerns that the CFAA as used in Van Buren was overbroad were premised on DOJ criminalizing a “breathtaking amount of commonplace computer activity,” but the decision will also make it far more difficult for federal prosecutors to bring inside hacking or exceeded authorized access cases in the future.

The decision shifts even more burden on to the private sector to safeguard vital data from threats both outside of and within their organizations. And given the number of employees currently working from home, this will be a heavy burden indeed. With all that in mind, companies should be taking proactive measures including: 

  1. augmenting training protocols in security principles; 

  2. establishing basic security practices and policies for employees; 

  3. updating computers and networks with the latest security software; and 

  4. instituting update patches and firewalls to prevent outsiders from accessing data on private networks.

More importantly, compliance policies can be revised to limit insider access and establish gatekeepers at vulnerable entry points. The policies may also address protocols for interfacing with third parties, best practices on payment cards, and limits on employee access to data and information and on authority to install software or transfer files. With limited exceptions, no single employee should be able to access all data systems. Employees should only be given access to specific data systems that they need for their jobs, and should not be able to install any software without permission.

Universities and research institutions dealing with foreign technology transfers may be particularly vulnerable to state-sponsored intrusion attacks. Holding information sessions, performing table-top drill sessions to sketch and test responsive measures, and modernizing existing training to educate employees about vulnerabilities are vital to keeping abreast of emerging threats. Post-intrusion investigations can also help identify vulnerable areas and threats, as well as protect against future breaches.

Copyright © 2021 Womble Bond Dickinson (US) LLP All Rights Reserved. National Law Review, Volume XI, Number 156

About this Author

Luke Cass Corporate Defense Lawyer Womble Bond Dickinson Law Firm
Partner

Luke Cass defends corporations and individuals in connection with a variety of federal criminal allegations, including health care fraud, conspiracy, mail and wire fraud, embezzlement, bank fraud, and money laundering. He also conducts proactive, internal investigations related to bribery, misbranding, and the Foreign Corrupt Practices Act (FCPA). Luke served as a federal prosecutor for over a decade and has significant experience with white collar investigations and has litigated federal appellate and district court cases throughout the United States.

Previously, Luke worked as a...

1 202.857.4426
Ripley Rand Womble Bond Dickinson Law Firm Criminal Defense Attorney
Partner

Ripley Rand brings more than twenty years of federal and state courtroom experience to Womble Carlyle’s White Collar Criminal Defense Team. His practice focuses on white collar criminal defense, health care fraud defense, internal investigations, and regulatory enforcement.

In 2010, Ripley was nominated by President Barack Obama to serve as the United States Attorney for the Middle District of North Carolina. After being unanimously confirmed by the United States Senate, Ripley was the United States Attorney...

919-755-8125
Steven Levitan IP Lawyer Womble Bond Dickinson Law Firm
Partner

Steve Levitan has litigated intellectual property and complex technology cases in courtrooms across the U.S. for more than 30 years. He focuses his practice on patent, trade secret, trademark, and technology contract disputes. He represents companies in Asia and Silicon Valley and is able to quickly identify the legal strategies that will be most effective to achieve his clients' objectives.

Steve has acted as lead counsel in numerous lawsuits. He has first chaired trials and argued appeals, obtaining successful results in actions before federal and state courts, the U.S....

408-341-3045
Claire Rauscher, Attorney, White Collar Crime

Claire Rauscher brings more than 25 years of courtroom experience to Womble Carlyle’s White Collar Criminal Defense team. Claire focuses her practice on complex white collar litigation, and has represented clients in all phases of state and federal proceedings, including pre-indictment investigations, grand jury practice and criminal trials. 

704.331.4961