The U.S. Supreme Court recently reversed the decision of the Eleventh Circuit Court of Appeals in a 6-3 case that held that the Computer Fraud and Abuse Act of 1986 (CFAA) covered those who obtained information from particular areas in the computer where they didn’t have permission to access. The Act did not cover those who had improper motives for obtaining information that was otherwise available to them. Here, because the parties agreed that a police officer was allowed to use the system to retrieve license plate information, he didn’t exceed authorized access to the database, as the Computer Fraud and Abuse Act of 1986 defined that phrase, even though he had obtained information from the database for an improper purpose.
Nathan Van Buren, a former Georgia police officer, used his patrol car computer to access a law enforcement database to find information about a license plate number. Van Buren was paid for this service. His conduct was in direct violation of department policy which prohibited using the database for personal use.
Van Buren became friends with Andrew Albo, who was known to law enforcement to be “very volatile.” Officers in the department were cautioned to deal with him carefully. Nonetheless, Van Buren asked Albo for a personal loan. Albo secretly recorded that request and took it to the local sheriff’s office where he complained that Van Buren had sought to “shake him down” for cash. The taped conversation was sent to the FBI, who devised an operation to see how far Van Buren would go for money. The sting involved Albo asking Van Buren to search the state law enforcement computer database for a license plate purportedly belonging to a woman whom Albo had met at a local strip club. Albo told Van Buren that he wanted to be sure that the woman wasn’t an undercover officer. In return for the search, Albo would pay Van Buren $5,000.
Van Buren used his patrol car computer to access the law enforcement database with his valid credentials. He searched the database for the license plate that Albo provided. After obtaining the FBI-created license plate entry, Van Buren told Albo that he had information to share. Van Buren was arrested and charged with a felony violation of the CFAA. Running the license plate violated the “exceeds authorized access” clause of 18 U. S. C. §1030(a)(2). Evidence at trial showed that Van Buren had been trained not to use the law enforcement database for “an improper purpose,” defined as “any personal use.” The Government told the jury that Van Buren’s access of the database “for a non-law enforcement purpose” violated the CFAA “concept” against “using” a computer network in a way contrary to “what your job or policy prohibits.” The jury convicted Van Buren, and he was sentenced to 18 months in prison.
Van Buren appealed to the Eleventh Circuit, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, rather than to those who misuse access that they otherwise have. Several Circuits view the clause as Van Buren argued, but the Eleventh Circuit is among those who have taken a broader view. It held that Van Buren violated the CFAA by accessing the law enforcement database for an “inappropriate reason.” The Supreme Court granted certiorari to resolve the split in authority regarding the scope of liability under the CFAA’s “exceeds authorized access” clause.
Supreme Court Analysis
Justice Barrett delivered the opinion of the Court and wrote that the Court was faced with the question of whether Van Buren violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.”
The Supreme Court found that he did not, holding that this provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. However, it does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.
The parties agreed that Van Buren “access[ed] a computer with authorization” when he used his patrol car computer and valid credentials to log into the law enforcement database. They also agree that Van Buren “obtain[ed] . . . information in the computer” when he acquired the license plate record for Albo. The dispute was whether Van Buren was “entitled so to obtain” the record.
The interplay between the “without authorization” and “exceeds authorized access” clauses of subsection (a)(2) is particularly probative, Justice Barrett said. “Those clauses specify two distinct ways of obtaining information unlawfully.” First, pursuant to § 1030(a)(2), an individual violates the provision when he “accesses a computer without authorization.” Second, an individual violates the provision when he “exceeds authorized access” by accessing a computer “with authorization” and then obtaining information he is “not entitled to obtain,” she wrote quoting §§ 1030(a)(2) and (e)(6). Justice Barrett found that “Van Buren’s reading places the provision’s parts “into a harmonious whole,” quoting a 2012 Supreme Court case. In contrast, the Government’s did not.
Section 1030(e)(8) states that “‘damage,’ means “any impairment to the integrity or availability of data, a program, a system, or information.” Thus, Van Buren’s running of the license plate didn’t impair the “integrity or availability” of data, nor did it otherwise harm the database system itself, Justice Barrett said. Moreover, the Court said that the Government’s interpretation of the statute would attach criminal penalties to a “breathtaking amount of commonplace computer activity.”
“If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals,” Barrett said. Van Buren v. United States, 2021 U.S. LEXIS 2843 *; 141 S. Ct. 1648; 28 Fla. L. Weekly Fed. S 824; 2021 WL 2229206 (June 3, 2021).
The U.S. Supreme Court held that an individual “exceeds authorized access” when he accesses a computer with authorization, but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him.
As a result, the Supreme Court decision doesn’t prohibit an employer from terminating an employee who violates an employer’s policies that concern employee use of an employer’s technology. However, if an employer seeks to leverage the additional protections and remedies of the CFAA, it should look at restricting company technology as to employee access to certain portions of its computer systems, digital files, intranets, software, and networks. The Van Buren opinion demonstrates that company policies by themselves may no longer trigger CFAA coverage. The Van Buren opinion says that both “unauthorized access” and “exceeds authorized access” under the CFAA require evidence that a current or former employee entered a portion of the employer’s computer system that was, in fact, off-limits.
Eanet, PC is a boutique law firm located in Los Angeles, California specializing in business litigation, real estate litigation, labor and employment litigation, and employment advice and counsel. We represent companies in California with issues of sexual harassment, wrongful termination, and retaliation discrimination under California and federal law. Contact us to discuss your employment questions, including this new decision concerning policies and Computer Fraud and Abuse Act Claims.