Supreme Court Limits The Reach of the Computer Fraud and Abuse Act
What Does That Mean For Employers Now?
In June 2021, the U.S. Supreme Court issued a 6-3 decision authored by the Court’s newest member, Justice Amy Barrett, in a case involving the coverage of the federal Computer Fraud and Abuse Act (the “CFAA”). See Van Buren v. United States, 141 S. Ct. 1648 (2021). The CFAA imposes criminal liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains computer information. See 18 U.S.C. § 1030(a)(2). The statute defines the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6). There are significant criminal fines and penalties for persons who violate the statute, as well as the potential for civil liability.
In Van Buren, a state officer was charged with violating the CFAA when he used his patrol car computer to access a law enforcement database with the officer’s own credentials. He would obtain license plate information on certain individuals to provide that information to another individual in exchange for cash. The issue in the litigation concerned whether the officer had exceeded authorized use within the meaning of the CFAA when the officer had valid access to the computer database but used the information obtained for an improper purpose, rather than a proper business or law enforcement purpose. The Supreme Court resolved a circuit split on this topic and held that the officer’s conduct did not violate the CFAA because he had the authorization to access the law enforcement database even if he ultimately obtained and used information in that database for an improper reason.
The Court’s limitation on the reach of the CFAA should be well-heeded by employers and other organizations who will want to protect the integrity of the information in their computer systems and databases. If an employee has valid access to a company’s systems or databases, the CFAA may not provide protection if the employee accesses those systems, obtains information, and then improperly uses that information. Companies should consider carefully limiting access to certain systems and databases to only those employees with a valid business reason to access that part of the system. Stated another way, employees should not be given free rein to access all parts of a company’s systems of record, but should only be given valid credentials for those specific parts of the system that are necessary for that employee’s job responsibilities.