“So” What? SCOTUS Adopts Narrow Interpretation of CFAA

It’s not every day the U.S. Supreme Court issues an opinion relevant to this blog, so we are understandably excited when it does.

In a landmark decision, the Court has ruled that the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 et seq., does not prohibit improper use of computer information that an individual was authorized to access. Rather, the law prohibits obtaining information from areas of a computer, such as files, folders, or databases, that are outside the limits of the individual’s authorized access. Van Buren v. United States, No. 19-783 (June 3, 2021).

The Court reached its conclusion through an exercise in statutory construction fit for a law school exam, dissecting competing interpretations of the word “so.” You can read more about the Court’s interpretive analysis and the implications for employers in our article here.

The upshot is that this decision will have a significant impact on “departing employee” cases. Improper use of information that an employee was authorized to access (a common fact pattern) will not trigger CFAA liability, removing one pathway into federal court. Without the CFAA’s protection for such conduct, employers have even greater reason to protect their information from misuse through enforceable contracts and thoughtful security protocols, among other methods. And although no longer in violation of the CFAA, improper acquisition or use of information to which an employee has authorized access may still trigger liability under a host of other laws, including the federal Defend Trade Secrets Act.