The U.S. Supreme Court issued a decision today in the case of Van Buren v. United States. At issue was whether an employee could be criminally charged with violating the Computer Fraud and Abuse Act of 1986 (CFAA) when he or she “intentionally” accessed “a computer without authorization” or, when accessing the information, “exceed(ed) authorized access.”
“The issue before the Court was critically important to whistleblowers,” said Stephen M. Kohn, a whistleblower attorney with the law firm of Kohn, Kohn and Colapinto, and the Chairman of the Board of Directors of the National Whistleblower Center. “Whistleblowers often access computer information and provide it to law enforcement officials, even if those disclosures were not ‘authorized’ by the company. Consequently, a broad reading of the CFAA could have criminalized typical whistleblower behaviors.”
The Supreme Court recognized that a broad reading of the CFAA “would attach criminal penalties to a breathtaking amount of commonplace computer activity,” and would “criminalize every violation of a computer-use policy.” Had the Court ruled against Mr. Nathan Van Buren, corporations could have instituted “computer-use policies” that would have prevented employees from accessing files in order to report crimes to law enforcement.
The Court’s decision does not give employees the right to rummage through computer databases for information. The decision only shields employees from criminal liability when they access computer databases that they were already given clearance to review.
As the Court explained: “In sum, an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him.”
The six-judge majority decision was authored by Justice Barrett. Justice Thomas filed a dissent. The National Whistleblower Center filed an amicus brief in support of Mr. Van Buren.