United States Supreme Court Adopts Narrow Interpretation of Scope of Liability Under the Computer Fraud and Abuse Act
On June 3, 2021, the U.S. Supreme Court in Van Buren v. United States reversed the U.S. Court of Appeals for the Eleventh Circuit’s decision to uphold the conviction of Nathan Van Buren, a former Georgia police sergeant alleged to have violated the Computer Fraud and Abuse Act of 1986 (“CFAA”) when accessing a law enforcement database for a non-law-enforcement purpose against his department’s policy. Van Buren, the target of an FBI sting operation, had accessed the database to look up license plate information in exchange for money. The Court addressed a split in authority among the circuits regarding the scope of liability under the CFAA.
The question before the Court was whether Van Buren’s actions – accessing a computer with authorization (using valid credentials to log into the database) but for an unauthorized purpose – violated the CFAA’s “exceeds authorized access” clause, which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Specifically, the dispute hinged on whether Van Buren was “entitled so to obtain” the license plate number information at issue.
In an opinion emphasizing textual interpretation, including the significance of the word “so,” Justice Barrett, writing for the majority, found that Van Buren’s conduct was not covered by the relevant provision of the CFAA, which is best read to prohibit obtaining information from areas of a computer to which one’s access does not extend, not obtaining information that is otherwise available to an individual but with an improper motive. Justice Thomas, writing for the dissent, contended that by focusing “on the word ‘so,’ the majority largely avoids analyzing the word ‘entitled,’” which “compels the opposite conclusion.”
Ultimately, the Court held that an individual “exceeds authorized access” when accessing a computer with authorization but then obtaining information located in a particular area of the computer, such as files or folders, that are “off limits” to the individual. The majority noted that embracing the government’s interpretation of the CFAA would “attach criminal penalties to a breathtaking amount of commonplace computer activity,” such as an employee sending a personal email or reading the news on a work computer for a non-business purpose against an employer policy.