SCOTUS Ruling Narrows Computer Fraud Law
The ruling limits types of conduct that can be charged under the Computer Fraud and Abuse Act (CFAA).
The ruling provides much-needed guidance for federal prosecutors but makes it more difficult to prosecute insider hacking and exceeded authorized access cases.
The ruling shifts more burden on to the private sector to defend against threats to data.
A Supreme Court decision handed down this week could narrow the type of claims companies can pursue to deter and defend against insider threats to vital data. In the wake of the decision (Van Buren v. U.S.), businesses should be reviewing compliance policies and procedures to ensure they account for data privacy and trade secret concerns. Companies should also consider restricting employee access to network locations and data unless necessary and include backup procedures and action plans for unauthorized access.
The ruling in Van Buren comes amid ever-heightening threats to corporate data and networks. The FBI received a record number of complaints involving internet crimes in 2020: 791,790 in all – a 69% increase in total complaints from 2019 – with reported losses exceeding $4.1 billion.
In a 6-3 decision, the high court limited the types of conduct that federal prosecutors can charge under the Computer Fraud and Abuse Act (CFAA). At question was the CFAA’s “exceeds authorized access” clause, which has been used frequently to prosecute, among others, company insiders who abused their access to sensitive information in protected databases or confidential trade secrets.
Six years ago, Nathan Van Buren, then a police sergeant in Cumming, Ga., violated department policy when he accepted $5,000 from a local man to search a license plate database in a supposed effort to determine if a stripper was actually an undercover police officer. In reality, the local man was an informant working with the FBI. Van Buren was arrested and in 2017 he was convicted of computer fraud under the CFAA. The conviction was upheld on appeal to the Eleventh Circuit.
The Supreme Court reversed, holding that Van Buren did not violate the CFAA’s “exceeds authorized access” clause because that clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise lawfully have. Van Buren had authorization to access the computer database at issue– even though he misused that access, he did not “exceed authorized access” under the CFAA. Justice Barrett noted that an overly broad reading of the CFAA would criminalize common workplace policy violations like using a company computer to send a personal email or check sports scores online.
While the opinion provides much needed guidance for federal prosecutors, it also cabins prosecutorial power when it comes to charging “inside” hacking or cases involving those who exceed authorized access for personal gain. According to a senior DOJ official, the Department of Justice has already prioritized ransomware attack investigations at the same level as terrorism offenses following the Colonial Pipeline hack and other offenses involving increasing damage by cyber criminals. Departmental guidance sent to US Attorney's Offices last week provided that information about ransomware investigations should be coordinated with a recently created cyber task force in Washington. The Supreme Court’s concerns that the CFAA as used in Van Buren was overbroad were premised on DOJ criminalizing a “breathtaking amount of commonplace computer activity,” but the decision will also make it far more difficult for federal prosecutors to bring inside hacking or exceeded authorized access cases in the future.
The decision shifts even more burden on to the private sector to safeguard vital data from threats both outside of and within their organizations. And given the number of employees currently working from home, this will be a heavy burden indeed. With all that in mind, companies should be taking proactive measures including:
augmented training protocols in security principles;
establishing basic security practices and policies for employees;
updating computers and networks with the latest security software; and
instituting update patches and firewalls to prevent outsiders from accessing data on private networks.
More importantly, compliance policies can be revised to limit insider access and establish gatekeepers at vulnerable entry points. The policies may also address protocols for interfacing with third-parties, best practices on payment cards, and limiting employee access to data and information and authority to install software or transfer files. With limited exceptions, no single employee should be able to access all data systems. Employees should only be given access to specific data systems that they need for their jobs, and should not be able to install any software without permission.
Universities and research institutions dealing with foreign technology transfers may be particularly vulnerable to state-sponsored intrusion attacks. Information sessions, performing table-top drill sessions to sketch and test responsive measures, and modernizing existing training to educate employees about vulnerabilities are vital to keep abreast of emerging new threats. Post-intrusion investigations can also help identify vulnerable areas and threats, as well as protect against future breaches.