On June 3, 2021, the U.S. Supreme Court issued a ruling that significantly limits the “exceeds authorized access” clause of the Federal anti-hacking statute called the Computer Fraud and Abuse Act of 1986 (CFAA). Here is a copy of the opinion (Van Buren v U.S.)
Why the CFAA Opinion Matters:
Without proper planning, this ruling will drastically limit remedies and strategies employed by companies against former employees accused of wrongfully accessing information stored on company networks.
Going Deeper – Understanding the CFAA.
The CFAA is the main federal anti-hacking law. The CFAA imposes liability in two situations: any one (1) who “intentionally accesses a computer without authorization; or (2) exceeds authorized access.” 18 U. S. C. §1030(a)(2). The Supreme Court addressed the second situation in its ruling on Thursday.
The CFAA is often the go-to claim prosecutors use when someone “hacks” into computer networks covered by the CFAA. But over the years, the CFAA became a favorite tool for businesses to use against former employees accused of wrongfully accessing company data for personal gain. Or in other instances, CFAA claims were brought against employees with authorized access to company data, but exceed that authorization by misappropriating the employer’s trade secrets or other confidential information before leaving to work for a competitor.
By adding a CFAA claim, a business could easily sue in federal court and gain significant leverage using the CFAA’s provisions for damages and recovery of attorneys’ fees.
Exceeding Authorization to Access the Computer Data.
Van Buren is a former Georgia police sergeant. He used his police account to access a law enforcement database to retrieve information about a license plate number in exchange for $6,000.00. But the money, however, came as part of an FBI sting operation.
So Van Buren had the authority to access the database for police purposes and he used his valid log-in credentials to perform the search. But his access was for personal use and gain. This conduct violated a department policy against obtaining database information for non-law-enforcement purposes.
For this, he was charged with a felony violation of the Computer Fraud and Abuse Act of 1986 (CFAA) and later convicted. The Eleventh Circuit upheld the conviction in 2019. But in a 6-3 split opinion, the Supreme Court Justices reversed the CFAA conviction.
Limits to “Exceeding Authorization” Claims?
Van Buren was not a sympathetic defendant. But much of the majority opinion, in excruciating detail, focused on the language of the CFAA statute (I lost count of how many times various dictionaries were cited). And the majority of the Supreme Court Justices were troubled about how easily “exceed authorization claims,” could be weaponized against fairly standard, everyday conduct.
In fact, much of the majority opinion’s concern over the broad scope of the CFAA advocated by the Government came from everyday employment situations. Here’s how Justice Barrett (the author of the majority opinion) explained this concern:
If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal email or reads the news using her work computer has violated the CFAA.
The other concern involved the “terms and conditions” on websites or social media platforms (those things that no one pays attention to, but everyone accepts). Here’s what Justice Barrett had to say on this topic:
Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.
I’ve represented parties pursuing and defending civil CFAA claims. Those lawsuits involved fact patterns remarkably similar to both scenarios Justice Barrett described. Based on this experience, the CFAA can be an appropriate tool to protect businesses from unscrupulous employees exploiting their employer’s digital assets. But it is equally (if not more so) a tool inappropriately used by overly aggressive lawyers asserting questionable claims on behalf of their clients.
With this insight, the Supreme Court ruling should be mostly a welcome limit for when exceeding authorized access suits can be pursued.
And it is important to note that such claims can still be pursued under this ruling. But to do so, employers will likely need to revise workplace policies and how company information is stored and accessed. This will require access control or other technological barriers around confidential and trade secret information with an emphasis on making such information accessible only on a “need to use” basis. But such limits should already be in place. And those limits are already needed to pursue traditional trade secret misappropriation claims. If not, employers now have a good excuse to make their company information more secure from internal and external threats.
Use this link to contact Michigan attorney Jason Shinn if you have questions about this article. Since 2001, Mr. Shinn has represented companies and individuals concerning the issues discussed above and other employment matters under federal and Michigan employment laws.