November 29, 2021

Volume XI, Number 333

Advertisement
Advertisement

November 29, 2021

Subscribe to Latest Legal News and Analysis

Supreme Court Narrows The Scope of Liability Under The Computer Fraud and Abuse Act

The Supreme Court’s recent decision in Van Buren v. United States, — S. Ct. —-, 2021 WL 2229206 (2021) resolved a longstanding Circuit split regarding the scope of liability under the Computer Fraud and Abuse Act of 1986 (CFAA), 18 U.S.C. § 1030 et seq. As we previewed last year, Van Buren addressed whether a person “exceeds authorized access” within the meaning of the CFAA when accessing information on a computer for an improper purpose. In an Opinion authored by Justice Barrett, the Supreme Court ruled, 6-3, that the CFAA does not cover those who have improper motives for obtaining computerized information they are otherwise authorized to access.  

The Van Buren case arose out of a federal prosecution against a former Georgia police sergeant who used the state law enforcement computer database to run a license-plate search on behalf of an individual who promised to pay the sergeant around $5,000. Van Buren searched the database using his valid credentials and told the individual he had information to share. But the promise of $5,000 was a ruse devised as part of an FBI sting operation. The federal government charged Van Buren with a felony violation of the CFAA on the ground that running the license plate search in exchange for an illicit payment violated the “exceeds authorized use” clause of 18 U.S.C. § 1030(a)(2). Van Buren was convicted and sentenced to 18 months in prison.

Van Buren appealed to the Eleventh Circuit, which affirmed his conviction and held that he had violated the CFAA by accessing the law enforcement database for an “inappropriate reason.” 940 F.3d 1192, 1208 (11th Cir. 2019). The Supreme Court granted Van Buren’s cert. petition and reversed.

To determine the proper interpretation of the “exceeds authorized access” clause, the Supreme Court focused primarily on the statutory text. Under the CFAA, the phrase “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain … information in the computer that the accesser is not entitled so to obtain.” 18 U.S.C. § 1030(e)(6) (emphasis added). The parties agreed that Van Buren accessed a computer “with authorization” when he used his patrol-car computer and credentials to log into the law enforcement database. They also agreed Van Buren obtained information “in the computer” when he pulled the license-plate record. The dispute thus centered on the discrete issue of whether he was “entitled so to obtain” the record.

Van Buren contended that the disputed phrase—“is not entitled so to obtain”—referred only to information a person is not allowed to obtain by using a computer that he is authorized to access. For example, if a person has authorized access to the contents of a computer folder, then he does not violate the CFAA by obtaining information from that folder—even if he pulled the information for a prohibited purpose. In contrast, the government argued the phrase swept more broadly to cover any type of unauthorized activity, including conduct not identified in the CFAA (e.g., pulling a license plate in violation of police department policy). The Supreme Court was troubled that the government’s reading of the statute lacked a limiting principle and could result in almost boundless liability.

Forcefully rejecting the government’s argument as inconsistent with the text and structure of the CFAA, the Supreme Court sided with Van Buren and concluded an individual “exceeds authorized access” only “when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Slip Op. at 20. And because Van Buren was authorized to use the law enforcement database to retrieve license-plate information, he did not “excee[d] authorized access” to the database under the CFAA. The fact Van Buren obtained information for an “improper purpose” did not suffice to make him criminally liable.

Although Van Buren was a criminal case, the structure of CFAA strongly suggests that the Supreme Court’s holding will apply in civil cases as well. The Court specifically noted that those who violate Section 1030(a)(2) “also risk civil liability under the CFAA’s private cause of action.” Slip Op. at 2. The Court also found CFAA’s civil penalties “ill fitted” “to remediating ‘misuse’ of sensitive information that employees may permissibly access using their computer,” id. at 15—indicating the Supreme Court was mindful of the ruling’s implications for civil litigation under CFAA. And the same statutory definition of “exceeds authorized access” governs in both criminal and civil cases.

As a result, Van Buren could have wide-ranging implications for employment law and trade secrets litigation. Van Buren effectively abrogates the previously controlling decisions in the First, Fifth, Seventh and Eleventh Circuits that held the “exceeds authorized access” clause applies to those who misuse computer access they already have.

Going forward, plaintiffs and prosecutors in those jurisdictions likely cannot establish a CFAA violation based solely on an individual’s violation of a computer-use policy, violation of a website’s terms of service, or emailing trade secrets the individual already had authorization to access within the scope of employment. The Supreme Court was sensitive to these concerns and refused to adopt an interpretation of the statute that “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” Slip Op. at 17.

Post-Van Buren, a person cannot be held criminally liable under the CFAA’s “exceeds authorized access” clause unless the person actually obtains information from a computer that falls outside the bounds of his or her original access. If lower courts apply Van Buren’s holding to criminal and civil cases alike, the “improper purpose” theory of CFAA liability will be totally eliminated.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 159
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Kevin M. Cloutier, Labor and Employment Attorney, Sheppard Mullin Law Firm
Partner

Kevin Cloutier is a partner in the Labor and Employment Practice Group and co-chair of the firm's Non-Compete and Trade Secrets Team in the firm's Chicago office. He is also a member of the Firm's Diversity and Inclusion Committee.

Areas of Practice

Mr. Cloutier’s practice focuses on all areas of labor and employment law, with an emphasis on employment-related litigation and proactive counseling of management-side clients. He is an experienced trial lawyer with first-chair trial experience before state and federal trial...

312-499-6304
David M. Poell Business Trial Attorney Sheppard Mullin Chicago, IL
Associate

David Poell is an associate in the Business Trial Practice Group in the firm’s Chicago office, particularly focusing on the areas of consumer privacy and class action litigation.

Areas of Practice

David represents companies in a variety of class actions, multi-district litigations and other complex commercial litigation matters in state and federal courts. He specializes in defending corporate clients in high-stakes litigation matters involving federal consumer-protection statutes, privacy torts, unfair business practices, false advertising claims and large...

312-499-6349
Advertisement
Advertisement
Advertisement