On June 3, 2021, the United States Supreme Court issued a long-awaited decision on the scope of the Computer Fraud and Abuse Act (“CFAA”). Van Buren v. United States, _ U.S. __, 141 S. Ct. 1648, 2021 WL 2229206, 2021 U.S. Lexis 2843. The Court held that the CFAA prohibited only the gathering of information from sources to which access was not permitted. The Court held that the CFAA did not cover the gathering of information from databases to which access was authorized, even if the information gathering had an improper purpose.
Congress enacted the CFAA in 1986. The original law provided criminal sanctions for computer hacking. The law created criminal liability for (1) obtaining information from intentional access to a computer without authorization and (2) exceeding authorized access and thereby obtaining information. The law defined “exceeds authorized access” as access to a computer with authorization and using such access to obtain or alter information in the computer. Civil remedies for CFAA violations were enacted in 1994, allowing victims of CFAA violations to recover money damages and obtain equitable relief in federal court.
The CFAA’s civil remedies led to increased use of the federal courts for litigation that had previously been confined to state courts. One such example was employee mobility litigation where the ex-employer and ex-employee resided in the same state (precluding diversity jurisdiction). If an employee accessed client information and then used the information to solicit business for a new employer, the CFAA before Van Buren enabled the ex-employer to claim in federal court that the employee exceeded authorized access to a business computer. The CFAA’s low damage thresholds did very little to limit federal suits. The expansive view of “exceeds authorized access” even allowed state court staples such as family law cases to find their way into federal court. The fact that the CFAA had criminal as well as civil sanctions attached an additional stigma to any parties accused of CFAA violations.
Conflicts arose between various federal circuit courts on what actions exceeded authorized access. Some circuits adopted a more restrictive view of the CFAA, holding that an individual with permitted access to data did not violate the CFAA by using the data for an improper purpose, such as misappropriation of confidential information for a new employer. Other circuits took a less restrictive view that an employee who accessed a computer for the purpose of misusing information violated CFAA by exceeding authorized access.
It was in this context that Van Buren, a criminal CFAA case, reached the Supreme Court. Van Buren, a Georgia police officer, had authority to access vehicle registration data through his patrol car computer. But Van Buren accepted payment from a citizen for turning over registration data about a stripper whom the citizen suspected of being an undercover police officer. After Van Buren and the citizen completed the transaction, the FBI arrested Van Buren in a sting operation. The United States charged Van Buren with violating the CFAA for “exceeding authorized access” to a computer by using the computer for personal use. A District Court jury convicted Van Buren, and the Eleventh Circuit upheld the conviction. The Supreme Court accepted review of the case, given the conflict between four federal circuits that upheld the more restrictive view of the law and four circuits that adopted the broader view of the law. (The Third Circuit had not taken a stand either way but District Court decisions within the circuit were conflicting.)
The Supreme Court, in a 6-3 decision that split the Court’s conservative justices, supported the less expansive view of the CFAA. New Justice Barrett wrote the majority opinion in a tightly reasoned analysis of the statute’s wording. Barrett noted that the parties agreed that Van Buren accessed the computer with authorization when he logged into the law enforcement automobile license database. The parties also agreed that Van Buren obtained information from the computer. The narrow question was whether Van Buren was entitled to obtain the information. Van Buren argued that the CFAA allowed him to obtain the information if he was allowed access to the computer. The prosecution argued that since the officer intended to use the information for personal purposes, authorized access was exceeded and the law was violated. Justice Barrett rejected the broader view. She stated that the broader CFAA interpretation would criminalize a “breathtaking amount of commonplace computer activity”, such as sending a personal email or reading the news on an office computer. Therefore, the term “exceeds authorized access” meant to enter a database that was off limits to the user.
The Supreme Court’s narrow interpretation of the law will have effects in the workplace and the court system. Employers may decide cut back on authorized access to computer data. If fewer employees have authorized access, the CFAA may gain back some teeth. The Van Buren decision will leave parties to state disputes with one less access point to federal court. This effect may be mitigated in the employee mobility area where trade secrets are at issue, given the Federal Defend Trade Secrets Act. And for Supreme Court watchers, the decision provides insight into a possible split between Justices who will rely on the plain meaning of a statute and those who will look beyond the meaning to the purpose of the acts covered by the law. Time will tell.