Supreme Court Limits Scope of Computer Fraud and Abuse Act

It is a common story: An employee who knows he is about to leave his employer for a competitor uses his last days of computer access to download (or email himself) confidential information from his employer’s network. Once his employer discovers the misappropriation, the employee has moved on to his next job, leaving the employer scrambling to protect itself, often through a tangle of state-law tort and trade-secret claims.

One avenue that employers in this situation have used to pursue the former employee in federal court is the Computer Fraud and Abuse Act (CFAA), an antihacking law enacted more than 30 years ago. 18 U.S.C. § 1030. Among other things, the CFAA subjects to criminal penalty anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” Id. at § 1030(a)(2). As relevant to wronged employers, it also allows an entity that “suffers damage or loss” as a result of such conduct to seek damages and injunctive relief from the offending party. Id. at § 1030(g). The CFAA has thus allowed an employer whose employee misappropriates confidential information from a computer to not only sue the employee but also potentially turn to law enforcement for help.

Critically, a circuit split arose as to the “exceeds unauthorized access” prong of Section (a)(2) of the CFAA. Id. § 1030(a)(2). While Section (a)(2) clearly prohibited an employee who lacks any authorization to access a computer network to access that network and take confidential information, the courts of appeals disagreed as to whether an employee who is permitted to access the network for some purposes “exceeds authorized access” by doing so for an unauthorized purpose. See Van Buren v. United States, No. 19-783, at 4 n.2 (June 3, 2021). So, before Van Buren, an employee who was permitted to access a database of customer information to make sales calls but used that access to download customer data for a competitor would have been liable under the CFAA in some circuits but not others.

The Supreme Court resolved that split last week in Van Buren, holding that Section (a)(2) of the CFAA “covers those who obtain information from particular areas in the computer — such as files, folders, or databases — to which their computer access does not extend” but doesn’t cover those who “have improper motives for obtaining information that is otherwise available to them.” Id. at 1. In other words, the employee described above is not liable under the CFAA.

Van Buren was a criminal case but has clear implications for employers because the CFAA creates civil liability for the same conduct. The case arose when Van Buren, a police officer, took money from an acquaintance to use a police database — which Van Buren was permitted to use in the course of his work — to check whether a third party was an undercover officer. Id. at 3. In fact, the acquaintance was an undercover officer, and Van Buren was charged under the “exceed[ing] authorized access” prong of the CFAA for using his database access for an improper purpose. He was convicted, and after his conviction was upheld on appeal, the Supreme Court took the case to resolve the circuit split regarding the CFAA’s scope. Id. at 3–5.

In a nuanced and textualist opinion for a 6–3 majority, Justice Amy Coney Barrett examined the CFAA’s definition of “exceeds authorized access,” which means “to access a computer with authorization and to use such access to obtain … information in the computer that the accesser is not entitled so to obtain.” 18 U.S.C. § 1030(e)(6). After focusing on the import of the word “so” in that definition, the Court determined that “[t]he phrase ‘is not entitled so to obtain’ is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.” Van Buren, No. 19-783, at 6–8. As the Court explained, an employee who is authorized to access Folder Y on a computer but not Folder X would violate the CFAA for taking information from Folder X, but an employee who is authorized to access Folder X for work purposes but takes information from Folder X for nonwork purposes (for instance, to aid a competitor) would not be liable. Id. at 6.

The Court also recognized that adopting the opposite interpretation, which effectively would ask whether an employee’s computer use was for an authorized purpose, would have had sweeping consequences. Most notably, that interpretation would criminalize all violations of employers’ computer-use policies, subjecting millions of people to liability for trivial infractions like sending personal emails or checking sports scores from a work computer. Id. at 17–20. While the Court took pains to make clear that such policy concerns were not the reason it held in Van Buren’s favor — calling such arguments “extra icing on a cake already frosted” — it is clear that the majority had concerns about creating such broad potential liability. Id. at 17.

* * *

What is an employer to do following Van Buren, which significantly narrowed the scope of the CFAA in several jurisdictions? For starters, companies should consider strengthening protections of particularly sensitive information, including password-protecting specific materials on a computer network and providing access only to employees who have a business need for it. And employers should consider narrowing the number of employees who have such access. Finally, companies should re-examine employment policies or agreements and consider revising to make clear the information or areas of a network to which an individual does not have access.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.