Corporate TIPS: Supreme Court's Narrow Interpretation of the CFAA and How That Impacts Your Business
By Hailey E. Hillsman, Summer Associate on August 4, 2021
A recent Supreme Court decision narrowed the scope and application of the Computer Fraud and Abuse Act of 1986 (CFAA), which imposes criminal liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.”1 In Van Buren v. United States, the Supreme Court reversed the Eleventh Circuit’s broad interpretation of the “exceeds authorized access” clause in the CFAA that was the basis for the conviction of former Georgia police sergeant, Nathan Van Buren.2 Not only did the Supreme Court’s ruling overturn Van Buren’s conviction, but the Court’s narrow interpretation of this CFAA clause could also have implications for businesses that handle protected personal information. Through its Van Buren decision, the Supreme Court ultimately set the stage for a significant shift in how organizations operate and how they maintain data.
Background on the CFAA
The CFAA was enacted by Congress in 1986 as a federal computer trespass statute designed to prohibit computer hacking. It provides both criminal and civil penalties for whoever “intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains… information from any protected computer.”3 The CFAA does not define the terms “access” or “authorization,” but it does define the phrase “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”4
Before the Van Buren decision, the courts were split in their interpretation of the definition for the phrase “exceeds authorized access.” Some courts held that the phrase referred to particular files or databases that one is not authorized to access, while other courts construed the law more broadly to refer to the purpose for which one is authorized to access the computer.5 The CFAA and its arbitrary enforcement have led to marketplace confusion, with particular concerns surrounding the statute’s application to alleged terms-of-service violations and similar policies.
Background of the Van Buren Case
During his time as a police sergeant in Georgia, Nathan Van Buren developed a friendly relationship with Andrew Albo, a man regarded as “very volatile” by Van Buren’s police department.6 Despite the warning, Van Buren continued the relationship and eventually asked Albo for a personal loan. Albo secretly recorded the conversation, and the recording ultimately ended up in the possession of the Federal Bureau of Investigation (FBI).
In an attempt to see how far Van Buren would go for money, the FBI created a sting operation where Albo would ask Van Buren to search the state law enforcement database for information concerning a fictitious license plate. Albo would tell Van Buren that the license plate belonged to a woman he met at a local strip club and that he wanted to ensure that she was not an undercover officer. Once Van Buren completed the search, Albo would pay him approximately $5,000.
Hook, line, and sinker – Van Buren took the bait and used his patrol-car computer to access the law enforcement database using his credentials. After Van Buren found the FBI-created license plate entry, he reported the information back to Albo. The Federal Government soon charged him with a felony violation of the CFAA on the ground that running the license plate for Albo violated the “exceeds authorized access” clause of the CFAA.
It was revealed at trial that Van Buren knew it was against the police department’s policy to use the database for “an improper purpose,” which included any personal use. The Government used this fact to argue that a violation of the department’s policy also violated the CFAA on the basis that an employee’s use of a computer network in a way contrary to what is permitted by their employer or the employer’s policies is the sort of activity that the Act was designed to prevent and punish. The jury convicted Van Buren, and the District Court sentenced him to 18 months in prison. Van Buren appealed his conviction all the way to the Supreme Court, which then narrowed the District and Appellate Courts’ interpretation of the “exceeds authorized access” clause of the CFAA.
The Court’s Narrow Interpretation of the CFAA
As with most Supreme Court analyses on statutory interpretation, the Court first examined the plain text of the statute to determine the proper interpretation. Based on the language of the statute, the Court determined that “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain... information in the computer that the accesser is not entitled so to obtain.”7 Therefore, the main issue in dispute was whether Van Buren was entitled “so” to obtain the record requested by Albo.
Van Buren argued that the “is not entitled so to obtain” language of the statute plainly refers to information one is not allowed to obtain by using a computer one is authorized to access. The Government, however, argued that the phrase refers to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. Under the Government’s more expansive interpretation, people may be punished if they “have improper motives for obtaining information that is otherwise available to them.”8 This would mean that if a state statute, workplace policy (i.e., the police department policy), private agreement, etc. limited the manner or circumstances of the access, a person would be in violation of the CFAA if they exceeded such limitations, even if they accessed information that was otherwise available to them. The Court declined to adopt the Government’s interpretation for several reasons, including that such a broad interpretation could lead to sweeping criminal liability since such a reading would criminalize every violation of a computer-use policy and terms-of-service from online sources.
In its Van Buren opinion, the Court majority makes clear that the CFAA provision criminalizes only those who obtain information from particular areas in the computer to which their computer access does not extend. For clarity, let’s create an image of the Court’s interpretation. Imagine you have been authorized to access multiple folders on a computer, including Folder A. Because you have been given access to Folder A, under the CFAA, you can access any information in that folder for any purpose without being criminally liable. Contrarily, you lack access to and have NOT been authorized to access Folder B. Thus, if you access Folder B for any purpose, you have violated the CFAA and can face criminal liability.
It may seem counterintuitive to not impose criminal liability for accessing someone’s protected information for personal reasons, but where do you draw the line if the Government’s interpretation is adopted? Under the Government’s interpretation, a person could potentially be criminally liable for using a workplace computer for a myriad of innocent personal purposes such as sending a personal email or even making a purchase on Amazon during their lunch break. Therefore, the Court was persuaded not only by the textual argument for its narrow interpretation, but also policy arguments against a broad interpretation.
The Impact of this Case on Your Business
While this decision still means that outside hackers face criminal liability for exceeding authorized access points, that criminal liability does not extend to employees who exceed authorized access to obtain information that is otherwise available to them, even if for personal purposes. For example, if you have an employee who is authorized to conduct searches for medical records on a database, that employee will not be in violation of the CFAA, even if they are using their authorized access to conduct searches for malicious purposes.
Nonetheless, the Van Buren decision does not create a free pass so that one can engage in improper or fraudulent conduct with personal consumer information obtained through valid access points. Conduct like that of Van Buren’s may still constitute a violation of other federal and state laws, including privacy regulations. Such conduct could also constitute a breach of existing computer use and access policies already exercised by employers, service providers, institutions, and other organizations. Therefore, your organization should review its current practices to determine whether its operations or compliance programs should be evaluated. In doing so, you should ensure that your organization has the policies, procedures, control measures, and training in place to limit the scope of employee access to very specific information for specific purposes to ensure that employees are not abusing their authority to access personal consumer information.
How Brouse Can Help
Implementing and enforcing policies to further ensure the protection of personal information can give you and your customers peace of mind. Brouse McDowell’s Cybersecurity and Data Privacy team can assist you in drafting these policies to ensure that your customers’ protected information is safeguarded. Along with drafting effective policies that are compliant with applicable privacy regulations to help govern your organization’s data processing activities, we also provide proactive solutions for companies to defend against cyber-attacks. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
1 Van Buren v. United States, 141 S.Ct. 1648 (2021)
2 Id.
3 18 U.S.C. § 1030; https://www.jdsupra.com/legalnews/scotus-decision-significantly-impacts-1583064/.
4 18 U.S.C. § 1030(e)(7).
5 See United States v. Valle, 807 F.3d 508, 524 (2d Cir. 2015).
6 https://www.jdsupra.com/legalnews/the-supreme-court-in-van-buren-decision-3512033/.
7 Van Buren, 141 S.Ct. 1648.
8 Id.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2024 Brouse McDowell. All rights reserved.