United States:
Supreme Limits The Scope Of Computer Fraud And Abuse Act
To print this article, all you need is to be registered or login on Mondaq.com.
In a long awaited opinion, the Supreme Court recently resolved a
circuit split regarding the proper interpretation of a statute
implicated in many post-employment disputes. Since its enactment,
federal courts of appeal have been divided over the proper
interpretation of the phrase “exceeds authorized access”
under the Computer Fraud and Abuse Act (“CFAA”), a
primarily criminal statute that also includes a civil cause of
action where an individual accesses a protected computer without
authorization or exceeds authorized access. Some courts have held
that the “exceeds authorized access” requirement only
applies where the individual was authorized to access the computer
itself but not the particular files or information that are the
subject of the dispute.Conversely, the
majority of federal appellate courts have interpreted the phrase to
mean that an individual exceeds authorized access where they are
permitted to access the files or information but only for specified
purposes, typically business purposes. For example, many employers
have instituted computer usage policies that limit an
employee’s authorized access to company documents for the
purpose of performing their employment duties. As a result, a
common CFAA fact pattern involves a so-called disloyal employee
exceeding their authorized access by accessing the company’s
computer system in order to obtain documents or information on the
eve of their resignation for use at their new place of employment.
In other words, the majority of courts held that an individual
exceeds their authorization where they were permitted to access the
information but did so for unauthorized purpose.
In Van Buren v. United States, a former
police officer challenged his conviction under the CFAA where he
had accessed a law enforcement database to obtain information that
he provided to a third-party in exchange for money. The Eleventh
Circuit affirmed the conviction because the police department’s
policy stated that the database could only be accessed for valid
law enforcement purposes. Therefore, the officer had exceeded his
authorization by accessing the database for personal reasons.
Justice Barrett, writing for the majority, largely focused on
the statutory definition of “exceeds authorized access,”
which is “to access a computer with authorization and to use
such access to obtain . . . information in the computer that the
accesser is not entitled to so obtain.” 18 U.S.C.
§1036(e)(6). The majority agreed with Van Buren that the
definition is “best read to refer to information that a person
is not entitled to obtain by using a computer that he is authorized
to access.”
In addition to relying on statutory interpretation, the Court
also reasoned that a contrary interpretation would result in
far-ranging consequences. As the Court reiterated, the CFAA is
primarily a criminal statute and “the Government’s
interpretation of the statute would attach criminal penalties to a
breathtaking amount of commonplace computer activity.” For
example, if a computer-use policy stated that a company computer
could only be used for business purposes, “an employee who
sends a personal e-mail or reads the news using her work computer
has violated the CFAA.” Recognizing the ubiquity of such
conduct, the Court noted that if a violation of a computer-use
policy constituted a CFAA violation, “then millions of
otherwise law-abiding citizens are criminals.” The Court found
it implausible that Congress intended to place the very liberty of
citizens at the mercy of the intricacy of how an employer crafted
its computer-use policy. Thus, the Court held that “an
individual ‘exceeds authorized access’ when he accesses a
computer with authorization but obtains information located in
particular areas of the computer – such as files, folders, or
databases – that are off limits to him.”
The Court’s ruling in Van Buren is likely to limit
certain kinds of computer trespass actions, particularly those
involving departing employees that allegedly copy trade secrets or
other proprietary company information for use in a new job where
the departing employees had authorized access to such files. The
ruling, however, does not place all computer trespass claims
against former employees completely outside the scope of the CFAA.
Claims against former employees who allegedly copy files from
folders or databases that they were not originally authorized to
access may still be permissible. However, the viability of such
claims going forward will be even more fact specific as the
employer now must also show that the employee was not authorized to
access the specific folder, file, or database. As a result,
employers should consider segmenting computer systems where highly
proprietary or trade secret information is kept within specialized
folders and databases that only specific employees are authorized
to access.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Technology from United States
