If an employee uses a work computer to access, for personal reasons, sensitive information that their employer said can only be accessed for work purposes, has the employee violated the federal Computer Fraud and Abuse Act (CFAA)? The US Supreme Court has an opportunity to clarify this issue in Van Buren v. United States. Oral argument is scheduled for November 30, 2020.
Van Buren was a police sergeant in Georgia. In exchange for $15,000 cash, he agreed to use a state database to determine whether a particular woman was an undercover police officer and then inform a man of his findings. The state had authorized and trained Van Buren to access the database for official purposes only, and expressly disallowed access for personal gain. The danger to the woman in this case, and to anyone whose personal information could be compromised in similar situations, is grave. But did Van Buren violate the Computer Fraud and Abuse Act[1] (CFAA)?
The CFAA, which is an analog to the concept of trespass to real property and can be enforced both criminally and civilly, states that whoever “intentionally accesses a computer without authorization or exceeds authorized access” has committed a violation. 18 USC § 1030(a)(2) (emphasis added).
The United States successfully prosecuted Van Buren for exceeding authorized access when he ignored the state’s boundaries and accessed the database for personal use. The US Court of Appeals for the Eleventh Circuit affirmed, as its precedent held that an individual can “exceed authorized access” to a protected computer when he accesses the computer for a prohibited purpose or use. United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).
A circuit split exists on this issue, with some courts holding that ignoring the computer system owner’s written or oral instructions or restrictions as to what the authorized user may do is insufficient to trigger the CFAA because the “exceeds authorized access” clause is not that broad and instead contemplates actions more akin to trespass; for example, hacking into a portion of a computer system (e.g., a locked database reserved only for certain personnel, or someone else’s email account) for which the authorized user does not have permission to access. See, e.g., United States v. Valle, 807 F.3d 508, 526-28 (2d Cir. 2015) (reversing CFAA conviction of NYPD officer who accessed federal database for personal use, i.e., to obtain information about a woman he wanted to kidnap).
As numerous amici briefs before the Supreme Court point out, the Van Buren decision might affect situations in which the relationship between an owner and an authorized user of a computer system is far more remote than the relationship between the state and Van Buren and involve behavior far less culpable. For example, is a violation of the terms of service of a consumer website a violation of the CFAA? At least one court says no, in a case now on appeal to the US Court of Appeals for the DC Circuit. Sandvig v. Barr, 451 F. Supp. 3d 73, 76 (D.D.C. 2020) (“the CFAA does not criminalize mere terms-of-service violations on consumer websites”).
Such rulings might be in question if the Court sides with the government in Van Buren to hold that written or oral boundaries established by a computer system’s owner create criminal and civil standards for CFAA purposes. As the Second Circuit said, “Whatever the apparent merits of imposing criminal liability may seem to be in this case, we must construe the statute knowing that our interpretation of ‘exceeds authorized access’ will govern many other situations.” Valle, 807 F.3d at 528.
The Supreme Court’s decision will likely impact employers and could broaden the circumstances in which, among other things, employers may sue employees who exceed their authorized access to an employer’s computers. As the CFAA allows employers to seek compensation or injunctive relief when employees violate that law, employers should pay close attention to the Van Buren case.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following
Houston
Michelle Pector
Jared Wilkerson
Michael P. Jones
Century City
Debra Fischer
Chicago
Stephanie L. Sweitzer
San Francisco
Christopher Banks
[1] The Defend Trade Secrets Act is a somewhat similar law directed at trade secret misappropriation. See 18 U.S.C. §§ 1832, 1836.