How the Supreme Court’s Decision in Van Buren Impacts Mobile Employees and Computer Data Theft in Florida
Computer data theft at the federal level is generally addressed under the Computer Fraud and Abuse Act, 18 U.S.C. §1030 (CFAA), although Florida’s Computer Abuse and Data Recovery Act, F.S. §668.801 (CADRA), enables business owners to protect computer data in a similar manner to the CFAA.[1]
In June 2021, the U. S. Supreme Court in Van Buren v. U.S., 141 S. Ct. 1648 (2021), resolved a significant circuit court split regarding the scope of liability under the CFAA’s “exceeds authorized access” clause.[2] The Court held that “[t]his [CFAA] provision covers those who obtain information from particular areas in the computer — such as files, folders or databases — to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”[3] The result being that if an employee has password access to sensitive business information and he or she makes a copy of that information while employed, and then later transfers that data to a competitor, this nefarious act does not trigger liability under the CFAA. This is a dramatic change in the scope and breadth of the CFAA. For decades, the 11th Circuit Court of Appeals took a broader view of the CFAA and such behavior would have resulted in both civil and criminal liability.
The facts in Van Buren highlight the narrowed scope of the CFAA. In an FBI sting operation, police sergeant Van Buren used his valid law enforcement credentials to access Georgia’s Crime Center database. He ran a license plate search at the request of an informant who offered to pay Van Buren to determine if a woman was an undercover officer. Van Buren was convicted based upon the informant’s testimony, and the 11th Circuit upheld the conviction.[4]
Before the Supreme Court, the parties agreed that Van Buren 1) accessed a computer with authorization when he used his patrol-car computer and valid password credentials to log into the law enforcement database; and 2) “obtain[ed]…information in the computer” when he acquired the license-plate record for the FBI informant.[5] “The dispute [was] whether Van Buren was ‘entitled so to obtain’ the [computer data] record.”[6]
The Supreme Court acknowledged a split in authority between circuits on the scope of liability under the CFAA’s “exceeds authorized access” clause. “While several [c]ircuits see the clause [in] Van Buren’s [narrower] way, the [11th] Circuit is among those that have taken a broader view.”[7] The Second, Fourth, and Ninth[8] circuits had adopted a narrow reading of the CFAA.[9]
Ultimately, the Court adopted the narrower view, and held that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer — such as files, folders, or databases — that are off limits to him.”[10] Because both parties agreed Van Buren was authorized to access the data, he did not “exceed authorized access” to the database, “even though he obtained information from the database for an improper purpose.”[11]
The majority in Van Buren criticized the dissent and the government’s position that the broader application of the CFAA should be based upon circumstances surrounding the access to computer data.[12] The Court was concerned that the broader interpretation of the CFAA’s “without authorized access” would criminalize[13] every violation of computer-use policy, such as employer policies (written or unwritten) and website terms of service.[14] “If the ‘exceeds authorized access’ clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.”[15] Many website terms of service prohibit copying or scraping data from the site which, under the broader view, would criminalize such copying. As a result, the Court narrowly construed “without authorized access” in both criminal and civil CFAA actions.
The impact of the Van Buren decision also effects the scope of “without authorization” under the Stored Communication Act (SCA), 18 U.S.C. §2701. Since the SCA also refers to “without authority,” Van Buren’s narrow construction applies equally to the SCA.[16]
Although the popular press often highlights data theft by hackers other than employees, in practice, mobile employees and outside contractors are more likely to be engaged in computer data theft than others who have never had credentialed access to the computer. The Court noted this distinction between inside and outside hackers.[17] Businesses often cannot locate and civilly prosecute outside hackers, but the CFAA and Florida’s CADRA[18] provide civil remedies to a wide range of computer theft by inside hackers. Typically, inside hackers are former employees or contractors who take data without authority. Hence, prior to the Van Buren decision, employee mobility was limited by the CFAA if they went to work for an employer’s competitor. Post Van Buren, the CFAA guardrails have been removed if the former employee had password access to the full reach of the employer’s computer. Relative to an inside hacking event, the CFAA is an access-based statute because the violation is not based upon further use or distribution of the hacked data.[19]
Enacted in 2015, CADRA provides statutory guidelines to determine who is without authorization. The holding in Van Buren brings the CFAA in closer alignment with Florida law. CADRA avoids uncertainty regarding authority by defining “authorized user” and “without authorization.”[20] Persons and contractors “given express permission by the [computer] owner” are authorized users. However, “[s]uch permission…is terminated upon revocation by the owner,…or upon cessation of employment, affiliation, or agency with the owner.”[21] In many other respects, CADRA embodies the key elements of the CFAA[22] but limits its effect to civil matters involving business data theft.[23]
In a mobile employee situation, both CADRA and civil actions under the CFAA are “access violations” that require some type of demonstrable economic damage. Addressing a CFAA criminal prosecution, the Court stated, “[t]he Act subjects to criminal liability anyone who ‘intentionally accesses a computer without authorization or exceeds authorized access,’ and thereby obtains computer information.”[24]
CADRA creates liability for those who, knowingly and with intent to cause harm or loss, obtain information without authorization and, as a result, cause harm or loss; cause transmission of a program, code, or command to a computer and, as a result, cause harm or loss; and traffic in any technologic access barrier (TAB), such as a password, through which access to the computer may be obtained without authorization.[25]
In assessing legal tools to preserve employer’s computer data, Florida practitioners should continue to apply CADRA and the CFAA because CADRA gives clear statutory guidance as to who has authority to access computer data and when that authority ends. The narrow interpretation of the CFAA by the Van Buren Court is similar to CADRA’s statutory language. Given the similarities between the acts, proof of a CADRA violation should support a CFAA violation.
An injured employer may also consider the federal Defend Trade Secrets Act, 18 U.S.C. §1836 (DTSA), Florida’s Uniform Trade Secrets Act, F.S. §688.001 (FUSTA), and the newly expanded theft of trade secrets act, referred to as Florida’s Corporate Espionage Act, F.S. §812.081. All these acts require proof that the purloined data is a trade secret. The espionage act, effective October 1, 2021, makes it unlawful for a person without authorization, to obtain or use, or endeavor to obtain or use, a trade secret with the intent to either temporarily or permanently: 1) deprive or withhold from the owner the benefit of the trade secret; or 2) appropriate the trade secret.[26] It is uncertain whether CADRA’s distinction between who is and who is not authorized will be applied to the undefined “without authorization” element in the espionage act.
[1] Grow Fin. Fed. Credit Union v. GTE Fed. Credit Union, 2017 U.S. Dist. LEXIS 129612, at *1-2 (M.D. Fla. Aug. 15, 2017) (“Like its federal counterpart [the CFAA], the purpose of the Florida Computer Abuse and Data Recovery Act is to safeguard computer systems against unauthorized access. See Fla. Stat. §668.801.”).
[2] A CFAA violation requires “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and [] obtain[ing]…information from any protected computer.” 18 U.S.C. §1030(a)(2)(C).
[3] Van Buren v. U.S., 141 S. Ct. at 1652.
[4] U.S. v. Van Buren, 940 F.3d 1192 (11th Cir. 2019).
[5] Van Buren v. U.S., 141 S. Ct. at 1649.
[6] Id.
[7] Id. at 1653. The 11th Circuit’s broad interpretation is set forth in U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010). Other circuits construed the CFAA in a similar manner. See Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 578-79 (1st Cir. 2001); and U.S. v. John, 597 F.3d 263 (5th Cir. 2010); see also Robert C. Kain, Federal Computer Fraud and Abuse Act: Employee Hacking Legal in California and Virginia, but Illegal in Miami, Dallas, Chicago, and Boston, 87 Fla. B. J. 36 (Jan. 2013).
[8] The Ninth Circuit narrowly construed the CFAA in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc), finding that the criminal prosecution of defendant Nosal, an ex-employee, who convinced current employees who had authorized access, to obtain and transfer employer’s customer data to Nosal, did not violate the CFAA because “exceeds authorized access” does not cover unauthorized disclosure or use of information, contrary to company policy. Id. at 855. The Nosal court applied the rule of lenity which is customarily applied to criminal states. Id. at 862.
[9] U.S. v. Valle, 807 F.3d 508 (2d Cir. 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc).
[10] Van Buren v. U.S., 141 S. Ct. at 1662.
[11] Id.
[12] Id. at 1654-55 and 1659.
[13] The CFAA is a criminal statute which includes a private right of action if loss and/or damages exceed $5,000. Losses and damages under CFAA include “loss” to include “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Section 1030(e)(11).
[14] Van Buren v. U.S., 141 S. Ct. at 1661-62.
[15] Id. at 1661.
[16] See Anzaldua v. Ne. Ambulance & Fire Prot. Dist., 793 F.3d 822, 838 (8th Cir. 2015); and Sartori v. Schrodt, 424 F. Supp. 3d 1121, 1126-27 (N.D. Fla. 2019). The SCA provides a civil cause of action against anyone who “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.” 18 U.S.C. §2701; see Anzaldua, 793 F.3d at 838.
[17] Van Buren v. U.S., 141 S. Ct. at 1658.
[18] Computer Abuse and Data Recovery Act (CADRA), Fla. Stat. §668.801.
[19] The CFAA criminalizes a large group of actions, including: knowingly accessing, without authorization, a U.S. government computer, 18 U.S.C. §1030 (a)(1) and (a)(3); intentionally accessing a computer without authorization or exceeding authorized access, and obtaining government or private financial data, §1030(a)(2); knowingly and with intent to defraud, accessing a protected computer without authorization, or exceeding authorized access, and obtaining anything of value or extorting money, §1030(a)(4) and (7); transmitting malware, §1030(a)(5)(A); intentionally accessing a protected computer without authorization, and causing damage and loss, §1030(a)(5)(B) and (5)(C); and trafficking in passwords or other access controls, §1030(a)(6). Civil actions are based upon §1030(g), which refers back to the §1030(a)(4)(A)(i) violations.
[20] Section 668.802(1) and (9). An “authorized user” under CADRA is a director, officer, employee, third-party agent, contractor, or consultant of the computer owner “if the director, officer, employee, third-party agent, contractor, or consultant is given express permission by the owner” and if “access [is provided to] the protected computer through a technological access barrier.” Section 668.802(1). A technological access barrier or TAB is a password, security code, token, key fob, access device, or similar measure, but a CADRA violation does not arise if the TAB “does not effectively control access to the protected computer or the information stored in the protected computer.” See §668.802(9), definition of “without authorization.” See Compulife Software Inc. v. Newman, 959 F.3d 1288, 1317-18 (11th Cir. 2020) (affirmed dismissal of a CADRA claim because plaintiff did not prove that computer system had a technological access barrier and did not argue that the defendants penetrated the TAB to gain access to the computer).
[21] Section 668.802(1). See Properties of the Villages, Inc. v. Kranz, 2021 WL 494649, at *7 (M.D. Fla. Jan. 25, 2021), report and recommendation adopted, 2021 WL 489636 (M.D. Fla. Feb. 10, 2021) (denying summary judgment in light of a factual dispute over when the contractor’s computer authorization ended); see also My Energy Monster, Inc. v. Gawrych, 2020 WL 8224616, at *12 (M.D. Fla. Dec. 18, 2020), report and recommendation adopted, 2021 WL 199280 (M.D. Fla. Jan. 11, 2021) (preliminary injunction denied due to authorization issue).
[22] Florida Atl. Univ. Bd. of Trustees v. Parsont, 465 F. Supp. 3d 1279, 1289 (S.D. Fla. 2020) (CADRA and the CFAA have similar elements).
[23] The owner can collect CADRA damages only if the owner “uses the information in connection with the operation of a business.” Section 668.802.
[24] Van Buren v. U.S., 141 S. Ct. at 1652, quoting the CFAA, 18 U.S.C. §1030(a)(2).
[25] Fla. Stat. §668.802(1), (2), and (3).
[26] The espionage act provides a safe harbor from prosecution if the disclosure of the trade secret was made confidentially to an attorney, law enforcement officer, or other federal, state, or local government official for the purpose of reporting or investigating a suspected violation of law or made in a complaint or other document filed under seal in a lawsuit or other proceeding. Fla. Stat. §812.081(8).
Robert Kain is a partner at Concept Law Group in Ft. Lauderdale. He is board certified in I.P., co-vice chair of the Bar’s Blockchain and Cryptocurrency Task Force, and former chair of the Computer Law Committee. Kain drafted Florida’s Computer Abuse and Data Recovery Act (CADRA) and authored articles on the federal Computer Fraud and Abuse Act (CFAA).
This column is submitted on behalf of the Business Law Section, Kacy Donlon, chair, and Andrew Layden, editor.
