The U.S. Supreme Court recently ruled 6-3 in favor of a narrow reading of the Computer Fraud and Abuse Act of 1986 (CFAA), which subjects anyone who “intentionally accesses a computer without authorization or exceeds authorized access” to criminal liability and potential civil liability from persons suffering damage or loss as a result. The CFAA defines the term “exceeds authorized access” to mean “to access a computer without authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The case, Van Buren v. United States, involved a police sergeant who used his patrol car’s computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. The officer was authorized to run license plate checks, but a department policy prohibited obtaining database information for non-law-enforcement purposes. The officer was convicted of a felony violation of the CFAA but appealed, arguing that the “exceeds authorized access” clause of the CFAA applies only to those who obtain information to which their computer access does not extend, not to those who misuse access they otherwise have.
Justice Amy Coney Barrett, writing for the majority, wrote that the CFAA “covers those who obtain information from particular areas in the computer — such as files, folders, or databases — to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.” This holding rejected the government’s broader reading of the statute:
If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the government’s reading of the statute, an employee who sends a personal email or reads the news using her work computer has violated the CFAA.
While the Van Buren decision reduces the ability of employers to impose criminal and civil liability when employees use their access to the employer’s computer systems for an improper purpose, employers may still rely on common law and contractual protections for proprietary/confidential information, company policy and, if applicable, the Defense of Trade Secrets Act. Employers should continue to ensure their computer usage policies, contractual agreements, and access to certain areas of their computer systems reflect appropriate use restrictions.