Resolving a split in lower courts, the U.S. Supreme Court issued a ruling in June limiting the type of conduct that can be prosecuted under the federal Computer Fraud and Abuse Act of 1986 (CFAA), a statute often used by U.S. Attorneys to prosecute hackers. In a 6-3 decision, SCOTUS ruled in Van Buren v. United States that Section 1030(a)(2) of the CFAA does not impose liability on individuals who use a computer to alter or obtain information they otherwise are entitled to obtain, even when they access the information for a prohibited purpose. In so ruling, SCOTUS limited a powerful federal claim against insiders who, for purposes of identity theft or other wrongdoing, obtain personally identifiable information (PII) that they are allowed to access in their roles. The ruling provides yet another reason why companies should keep electronically stored PII, trade secrets and other sensitive data in segregated or password-protected files, folders and databases and limit access to such information on a strictly need-to-know basis.
SCOTUS sided with former Georgia police sergeant Nathan Van Buren and reversed a lower court decision that upheld a felony conviction against him. Van Buren was caught in an FBI sting operation when he used his patrol car computer to run a license plate number in a law enforcement database in exchange for money. Federal prosecutors charged him with a felony violation of the CFAA, which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” The phrase “exceeds authorized access” is defined by the CFAA as “to access a computer with authorization and to use such access to obtain…information in the computer that the accessor is not entitled so to obtain.” The majority’s opinion focused primarily on the definition of the word “so.” It determined that “so” must refer back to its antecedent—here, accessing a computer with authorization. As a result, the purpose for which the person obtained the information is irrelevant if the person was authorized to obtain the information through their computer access.
Van Buren’s purpose in obtaining the database information was clearly against his department’s policy. At issue was whether he also violated the CFAA. Government prosecutors argued—and the lower courts held—that obtaining license plate information for personal purposes meant that Van Buren “exceed[ed] authorized access” as the CFAA defines that phrase. However, SCOTUS reversed, holding that, “[a]n individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him.” The purpose for the access is irrelevant.
Justice Barrett asserted that any other interpretation would result in overbreadth. “The Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity,” wrote Barrett. “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.”
The dissenting Justices, in an opinion written by Justice Clarence Thomas, said that the majority’s reading is at odds with basic principles of property law that have “long punished those who exceed the scope of consent when using property that belongs to others.”
SCOTUS’s interpretation of “exceeds authorized access” resolves the division among lower courts over how the phrase applies. The Second, Fourth, and Ninth Circuits, like SCOTUS, adopted a narrower reading, while the First, Fifth, Seventh, and Eleventh Circuits used a broader interpretation.
Because the CFAA contains a private cause of action that allows for the recovery of compensatory damages and injunctive relief, the CFAA has been used by private companies to protect sensitive information from employees and competitors. Often, CFAA claims are used together with, or in lieu of, a more challenging trade secret claim. With the Supreme Court decision, companies will have a tougher time asserting certain CFAA claims against insiders or website users. But they may be able to assert other legal theories to protect information, and more strictly limiting access to some types of information could help to preserve a CFAA claim.