On June 3, 2021, the United States Supreme Court announced its decision in Van Buren v. United States. While the case did not directly involve a whistleblower issue, the decision nevertheless held profound implications for whistleblowers. At issue in Van Buren was the proper interpretation of the Computer Fraud and Abuse Act of 1986 (“CFAA”), which makes it illegal to “exceed authorized access” of a computer.
While the CFAA, which has both civil and criminal components, was originally enacted as an anti-hacking statute, many court decisions across the country have greatly expanded its reach as technology has become more sophisticated.
A circuit split had emerged regarding the proper scope of the CFAA, with several circuit courts adopting a broad view of the CFAA’s “exceeds authorized access” language such that a CFAA violation occurs whenever an individual that has been properly granted access to computer files for a certain purpose uses those files for a separate and unauthorized purpose.
Conversely, the circuit courts adopting the narrow view of the CFAA have held that a CFAA violation occurs only when an individual accesses computer files they have not been authorized to access for any purpose.
Ultimately the Supreme Court adopted the narrow view and held that “an individual ‘exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him” but the CFAA does not cover impermissible uses of properly accessible files.
While the Van Buren case dealt with criminal charges under the CFAA, the decision has far-reaching effects. As stated by the Court, a broad reading of the CFAA “would attach criminal penalties to a breathtaking amount of commonplace computer activity,” and would “criminalize every violation of a computer-use policy.” Thus, companies could have instituted “computer-use policies” that would have prevented employees from turning over files they were authorized to access to law enforcement in an effort to report criminal activity.
Such negative implications of a broad interpretation of the CFAA have already been felt by whistleblowers. Specifically, companies had recently begun to weaponize the civil component of the CFAA to attack employee whistleblowers who took computer data from their employees and provided it to the government as evidence in support of qui tam False Claims Act (“FCA”) cases.
In those situations, the only “unauthorized access” at issue was the whistleblower employees merely turning over computer data to the government as evidence of fraud against the United States. This act of attempting to recover taxpayer dollars from fraudsters opened the whistleblowers to costly CFAA actions. However, with the decision by the Court in Van Buren, it appears likely that such retaliatory tactics by FCA defendants will be foreclosed.