June 16, 2021

Volume XI, Number 167

Advertisement

June 15, 2021

Subscribe to Latest Legal News and Analysis

June 14, 2021

Subscribe to Latest Legal News and Analysis

United States Supreme Court Adopts Narrow Interpretation of Scope of Liability Under the Computer Fraud and Abuse Act

On June 3, 2021, the U.S. Supreme Court in Van Buren v. United States reversed the U.S. Court of Appeals for the Eleventh Circuit’s decision to uphold the conviction of Nathan Van Buren, a former Georgia police sergeant alleged to have violated the Computer Fraud and Abuse Act of 1986 (“CFAA”) when accessing a law enforcement database for a non-law-enforcement purpose against his department’s policy. Van Buren, the target of an FBI sting operation, had accessed the database to look up license plate information in exchange for money. The Court addressed a split in authority among the circuits regarding the scope of liability under the CFAA.

The question before the Court was whether Van Buren’s actions – accessing a computer with authorization (using valid credentials to log into the database) but for an unauthorized purpose – violated the CFAA’s “exceeds authorized access” clause, which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Specifically, the dispute hinged on whether Van Buren was “entitled so to obtain” the license plate number information at issue.

In an opinion emphasizing textual interpretation, including the significance of the word “so,” Justice Barrett, writing for the majority, found that Van Buren’s conduct was not covered by the relevant provision of the CFAA, which is best read to prohibit obtaining information from areas of a computer to which one’s access does not extend, not obtaining information that is otherwise available to an individual but with an improper motive. Justice Thomas, writing for the dissent, contended that by focusing “on the word ‘so,’ the majority largely avoids analyzing the word ‘entitled,’” which “compels the opposite conclusion.”

Ultimately, the Court held that an individual “exceeds authorized access” when accessing a computer with authorization but then obtaining information located in a particular area of the computer, such as files or folders, that are “off limits” to the individual. The majority noted that embracing the government’s interpretation of the CFAA would “attach criminal penalties to a breathtaking amount of commonplace computer activity,” such as an employee sending a personal email or reading the news on a work computer for a non-business purpose against an employer policy.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XI, Number 159
Advertisement
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement