Supreme Court Resolves Circuit Split On Meaning Of “Exceeding Authorized Access” In The Computer Fraud And Abuse Act
    06/08/2021
    On June 3, 2021, the United States Supreme Court’s decision in Van Buren v. U.S. clarified a controversial provision in the Computer Fraud and Abuse Act (the “CFAA”), which imposes civil and criminal liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains computer information.  18 U.S.C. § 1030(a)(2).  The Court held that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him” and rejected the prosecution’s broader reading of the CFAA.  In doing so, the Court resolved a circuit split.

    The Court considered the case of Nathan Van Buren, a former Georgia police officer who accessed a police database—which he was authorized to access in connection with his duties as a police officer—in order to obtain and sell information regarding an undercover officer—an explicitly prohibited use of the police database.  The key issue before the Court was whether Van Buren, by accessing a system he was authorized to access but doing so for an improper and prohibited purpose, “exceed[ed] authorized access” under the CFAA.

    While commentators have characterized the Van Buren prosecution’s construction as “broad” and civil liberties organizations like the Electronic Frontier Foundation have criticized it as “allowing CFAA charges for any website terms of service violation,” the Eleventh Circuit had previously adopted it in U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).  There, the Eleventh Circuit considered the case of a Social Security Administration (“SSA”) employee who, for personal reasons, used the SSA’s computer database to research various people’s personal information and held that even a person with authority to access a computer can be guilty of computer fraud under the CFAA if that person subsequently misuses the computer.  Following its Rodriguez precedent, the Eleventh Circuit affirmed Van Buren’s conviction.  The Courts of Appeals for the First, Fifth and Seventh Circuits had previously adopted similarly broad constructions.

    By contrast, the Courts of Appeals for the Second, Fourth, Sixth, and Ninth Circuits had considered and rejected such a construction.  For example, in U.S. v. Valle, the Second Circuit rejected criminal liability under circumstances similar to those the Supreme Court considered.  807 F.3d 508 (2d Cir. 2015).  Valle was an NYPD officer who accessed restricted databases to search for personal information about a woman he had discussed kidnapping, and federal prosecutors charged him with violating the CFAA on the basis of this access devoid of law enforcement purpose.  Citing the split among its sister circuits, as well as the statute’s text and legislative history, the Second Circuit found the CFAA was ambiguous and applied the rule of lenity to reverse Valle’s conviction under the CFAA.  The Second Circuit also noted its agreement with the Fourth and Ninth Circuits—which had considered and rejected cases brought against individuals who violated their private employers’ policies—that adopting the prosecution’s construction “would criminalize the conduct of millions of ordinary computer users.”  Valle, 807 F.3d 508, 527 (2d Cir. 2015).

    The Supreme Court’s decision has been lauded by various civil liberties groups as a move in the right direction, although several continue to call on Congress to amend the CFAA to provide further clarity and add a safe harbor for journalistic activities and white hat hacking.  At the same time, it should serve as a reminder to employers to carefully consider access permissions and assess whether access to sensitive or confidential information should be restricted to guard against the possibility of misuse.
