Understanding the Bounds of the Computer Fraud and Abuse Act in the Wake of Van Buren
The Computer Fraud and Abuse Act, 18 U.S.C. §1030 (the CFAA), imposes criminal and civil liability on individuals who access a computer without authorization or exceed authorized access. Until recently, there was a circuit split among the federal courts of appeal regarding the meaning of “exceeds authorized access” in the CFAA and whether an employee, with authorization to access information on a computer, violates the CFAA by using the information for an improper purpose. The U.S. Supreme Court resolved this circuit split in Van Buren v. U.S., 141 S. Ct. 1648 (2021), providing clarity to prosecutors, employers, and other organizations with sensitive data. This article provides historical background on the CFAA and an overview of the CFAA’s legal framework. It then provides a detailed account of the circuit split, including a summary of key cases. Finally, this article explains the Supreme Court’s ruling in Van Buren and the implications of this ruling for entities that want to protect their data from unauthorized use.
Historical Background
When computers and electronic databases began proliferating in American workplaces, concerns about hacking were not far behind. As the U.S. Supreme Court noted in Van Buren, Congress enacted the first computer crime statutes in the early 1980s “[a]fter a series of highly publicized hackings captured the public’s attention” and highlighted the fact that “traditional theft and trespass statutes were ill suited to address cybercrimes that did not deprive computer owners of property in the traditional sense.”[1] In response to these high-profile data breaches by outside hackers, Congress enacted the first federal computer crime statute as part of the Comprehensive Crime Control Act of 1984.[2] Two years later, in 1986, Congress passed the CFAA to impose criminal liability on anyone who obtains information from a computer by “intentionally access[ing] a computer without authorization or exceed[ing] authorized access.”[3] In addition to criminal liability, the CFAA provides a civil cause of action, in certain circumstances.[4]
The U.S. Court of Appeals for the Ninth Circuit has noted that Congress enacted the CFAA “primarily to address the growing problem of computer hacking, recognizing that, ‘[i]n intentionally trespassing into someone else’s computer files, the offender obtains at the very least information as to how to break into the computer system.’”[5] The House report on the CFAA analogized the conduct prohibited by the law to breaking and entering into a dwelling, and the legislative history makes clear that the CFAA was “designed to prevent unlawful intrusion into otherwise inaccessible computers.”[6]
The CFAA originally prohibited accessing certain financial information from computers, but “has since expanded to cover any information from any computer ‘used in or affecting interstate or foreign commerce or communication.’”[7] Accordingly, the statute “now applies — at a minimum — to all information from all computers that connect to the [i]nternet.”[8]
Overview of the CFAA’s Legal Framework
The CFAA broadly prohibits unauthorized access to nearly all computers connected to the internet. The law imposes both criminal and civil penalties on anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer,” or who conspires or attempts to do so.[9] The law broadly defines “computer” to include any electronic device “performing logical, arithmetic, or storage functions,” excluding only typewriters, handheld calculators, and similarly simple devices.[10] In other words, a “computer” includes not just a desktop or laptop computer, but also a “smart-phone, iPad, Kindle, Nook, X-box, Blu–Ray player or any other [i]nternet-enabled device.”[11]
The CFAA grants the Federal Bureau of Investigation (FBI) and the Secret Service authority to investigate offenses under the CFAA in accordance with an agreement entered into by the secretary of the treasury and the attorney general.[12]
The criminal penalties imposed by the CFAA for obtaining information from a protected computer without authorization or by exceeding authorized access are as follows: 1) a fine or imprisonment for not more than one year, or both, for a violation that does not occur after a conviction for another violation of the CFAA;[13] 2) a fine or imprisonment for not more than five years, or both, if “the offense was committed for purposes of commercial advantage or private financial gain,” “the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any [s]tate,” or “the value of the information exceeds $5,000”;[14] and 3) a fine or imprisonment for not more than 10 years, or both, in the case of a violation that occurs after a conviction for another violation of the CFAA.[15]
In imposing a sentence, courts shall order that the perpetrator forfeits to the United States their “interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such violation,” and “any property, real or personal, constituting or derived from, any proceeds that such person obtained, directly or indirectly, as a result of such violation.”[16]
In addition to imposing criminal penalties, the CFAA provides a private, civil cause of action for persons or entities harmed by a perpetrator’s unauthorized access. As a jurisdictional prerequisite to bringing such an action, a plaintiff must show one of the following four factors: 1) “loss to [one] or more persons during any 1-year period…aggregating at least $5,000 in value”; 2) “the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of [one] or more individuals”; 3) “physical injury to any person”; or 4) “a threat to public health or safety.”[17]
The statute states, “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive or equitable relief.”[18] However, damages for a violation involving only the first factor (losses aggregating at least $5,000 in value) are limited to economic damages.[19] The statute of limitations for bringing a civil action is two years from the later of the date of the unauthorized access or the date of the discovery of the breach.[20]
The Circuit Split Over the Meaning of “Exceeds Authorized Access”
To successfully litigate a civil CFAA claim, a plaintiff must prove that the defendant “intentionally accesse[d] a computer without authorization or exceed[ed] authorized access, and thereby obtain[ed]…information from any protected computer.”[21] The question of what it means to “exceed authorized access” has been the subject of much debate in recent years, as well as a split of authority between the courts of appeal. The CFAA defines the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”[22]
Until recently, there was a circuit split among the federal courts of appeal over whether “exceeds authorized access” applies only to individuals who access portions of a computer or database that they are not permitted to access, or whether the phrase also applies to individuals who misuse information obtained from databases they are allowed to access.
In U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), the U.S. Court of Appeals for the Ninth Circuit acknowledged that the CFAA’s definition of “exceeds authorized access” could be interpreted two different ways:
First…it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files — what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed authorized access” if he looks at the customer lists. Second…the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.[23]
Until recently, the First, Fifth, and 11th circuits took the position that an individual violated the CFAA by using, for an improper purpose, data to which the individual had authorized access. On the other hand, the Second, Fourth, and Ninth circuits held that the phrase “exceeds authorized access” applies only to access restrictions, not use restrictions, and that an individual violates the CFAA only by accessing information that the individual is not authorized to access.
The Position of the First, Fifth, and 11th Circuits: The CFAA Prohibits Improper Use of Data
• The First Circuit: EF Cultural Tours v. Explorica, Inc. — In 2001, the First Circuit was one of the first courts to decide whether an employee violates the CFAA by using his employer’s computerized information in a way that is contrary to the employer’s policies. EF Cultural Tours (EF) had been in the business of providing international travel tours for teenagers for more than 35 years.[24] A new competing business, Explorica, sought to gain a competitive advantage over EF by undercutting EF’s prices.[25] Explorica’s vice president, Philip Gormley, who was the former vice president of information strategy at EF, engaged an outside consultant to design a computer program called a “scraper” to obtain pricing information from EF’s publicly available website.[26] The scraper obtained thousands of tour codes from EF’s website and matched these tour codes with prices for the tours.[27] The First Circuit noted that the scraper “sent more than 30,000 inquiries to EF’s website and recorded the pricing information into a spreadsheet,” which ultimately resulted in “60,000 lines of data, the equivalent of eight telephone directories of information.”[28] The spreadsheet listed each tour code, the dates of travel, and the price for the tour.[29] The court explained, “An uninformed reader would regard the tour codes as nothing but gibberish. Although the codes can be correlated to the actual tours and destination points, the codes standing alone need to be ‘translated’ to be meaningful.”[30] Once Gormley translated the information from the tour codes, Explorica then “systematically undercut EF’s prices,” “printed its own brochures,” and “began competing in EF’s tour market.”[31]
The main issue on appeal was whether Explorica’s actions were “without authorization” or “exceed[ed] authorized access” under the CFAA.[32] Ultimately, the court concluded that Explorica had violated the CFAA because Gormley’s actions exceeded authorized access under his confidentiality agreement with EF, his former employer.[33] Gormley’s confidentiality agreement provided:
Employee agrees to maintain in strict confidence and not to disclose to any third party, either orally or in writing, any Confidential or Proprietary Information…and never to at any time (i) directly or indirectly publish, disseminate or otherwise disclose, deliver or make available to anybody any Confidential or Proprietary Information or (ii) use such Confidential or [P]roprietary Information for Employee’s own benefit or for the benefit of any other person or business entity other than EF.[34]
The agreement broadly defined “Confidential or Proprietary Information” to include “any trade or business secrets or confidential information of EF,” as well as “any technical, business, or financial information, the use or disclosure of which might reasonably be construed to be contrary to the interests of EF.”[35]
Although the information that Explorica had obtained was freely available on EF’s public website, the First Circuit relied on three facts when determining that Gormley breached his confidentiality agreement and, thus, exceeded authorized access. First, Gormley offered to work with the outside consultant to design the specifications for the scraper.[36] Second, Gormley directed the outside consultant to the exact places on EF’s website where pricing information could be found.[37] Finally, Gormley “translated” the tour codes so that Explorica could understand which specific tours correlated with which prices.[38]
The court concluded that, given the broad confidentiality agreement prohibiting the disclosure of any information, “which might reasonably be construed to be contrary to the interests of EF,” Explorica would “face an uphill battle trying to argue that it was not against EF’s interests for appellants to use the tour codes to mine EF’s pricing data.”[39] Ultimately, the First Circuit held that “whatever authorization Explorica had to navigate around EF’s site (even in a competitive vein), it exceeded that authorization by providing proprietary information and know-how to [the third-party consultant] to create the scraper.”[40] Therefore, the First Circuit concluded that Gormley “exceeded authorized access” under the CFAA by accessing public information and then using it for purposes that violated the confidentiality agreement with his former employer.
• The Fifth Circuit: U.S. v. John — In 2010, the U.S. Court of Appeals for the Fifth Circuit followed the First Circuit’s lead. The criminal defendant in that case, Dimetriace Eva-Lavon John, had worked as an account manager for Citigroup, where she had access to customer account information through Citigroup’s internal computer system.[41] In 2005, John provided her half-brother with customer account information for more than 75 customer accounts, which allowed her half-brother to incur fraudulent charges on four of those accounts.[42] A jury found John guilty of exceeding authorized access to a protected computer in violation of the CFAA.[43] The court noted that John’s conviction on the CFAA charges was contingent upon the court’s interpretation of “exceeds authorized access.”[44]
In her defense, John argued that “she was authorized to use Citigroup’s computers and to view and print information regarding accounts in the course of her official duties.”[45] John further argued that “her mental state or motive at the time she accessed or printed account information” that she was authorized to access as part of her job should be immaterial to the court’s analysis under the CFAA. John argued that the CFAA “does not prohibit unlawful use of material that she was authorized to access through authorized use of a computer”; rather, the statute “only prohibits using authorized access to obtain information that she is not entitled to obtain.”[46]
Noting that the CFAA does not define “without authorization,” the Fifth Circuit stated:
The question before us is whether “authorized access” or “authorization” may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system. We conclude that it may, at least where the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to permit a crime.[47]
Citing EF Cultural Travel, the Fifth Circuit noted that John’s use of Citigroup’s computer system violated Citigroup’s employee policies.[48] Thus, the Fifth Circuit concluded that John had exceeded authorized access in violation of the CFAA by using her employer’s computer system, which she could freely access as part of her job duties, in furtherance of a crime and in violation of her employer’s policies.
• The 11th Circuit: U.S. v. Rodriguez — Later that same year, the U.S. Court of Appeals for the 11th Circuit followed the First and Fifth circuits in holding that an employee exceeded authorized access in violation of the CFAA by using his employer’s database for improper purposes in violation of his employer’s policies.[49] The criminal defendant in that case, Roberto Rodriguez, worked as a TeleService Representative for the Social Security Administration (SSA).[50] Rodriguez’s job duties included “answering questions of the general public about Social Security benefits over the telephone.”[51] As part of his job, Rodriguez had access to SSA databases containing every person’s Social Security number, home address, date of birth, parents’ names, annual income, and the amount and type of any Social Security benefits received.[52] SSA policies prohibited employees from obtaining information from these sensitive databases without a business-related reason.[53] In 2008, the SSA flagged Rodriguez’s account for suspicious activity and discovered that he had accessed the personal records of 17 different individuals for non-business reasons, including discovering how much money these people earned.[54] These individuals included Rodriguez’s ex-wife, an ex-girlfriend, a former coworker, and several acquaintances.[55] In 2009, a jury convicted Rodriguez of exceeding authorized access to the SSA’s computer system in violation of the CFAA.[56]
Unsurprisingly, on appeal, Rodriguez argued that he did not violate the CFAA “because he accessed only databases that he was authorized to use as a TeleService Representative.”[57] Following the lead of the First and Fifth circuits, the 11th Circuit held that Rodriguez “exceeded his authorized access and violated the [a]ct when he obtained personal information for a nonbusiness reason” in violation of SSA policy.[58]
The Position of the Second, Fourth, and Ninth Circuits: The CFAA Applies Only to Improper Access to Data
• The Ninth Circuit: U.S. v. Nosal and hiQ Labs v. LinkedIn — While the First, Fifth, and 11th circuits held that an individual exceeds authorized access by using information in a way that is illegal or contrary to an agreement or employment policy, the U.S. Court of Appeals for the Ninth Circuit held that the phrase “exceeds authorized access” is limited to access restrictions, not use restrictions.
The lively opinion in U.S. v. Nosal, drafted by Chief Judge Kozinski, begins as follows:
Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website? This depends on how broadly we read the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030.[59]
The criminal defendant in that case, David Nosal, had worked for the executive search firm Korn/Ferry until he left to start a competing business.[60] Nosal convinced some of his former coworkers who still worked at Korn/Ferry to use their log-in credentials to “download source lists, names and contact information from a confidential database on the company’s computer” and transfer that information to Nosal.[61] While the employees were “authorized to access the database” by virtue of their employment, “Korn/Ferry had a policy that forbade disclosing confidential information.”[62] As a result of his involvement in convincing the current employees to provide this information, the government indicted Nosal on 20 counts, including violations of the CFAA, for “aiding and abetting the Korn/Ferry employees in ‘exceed[ing their] authorized access with intent to defraud.’”[63]
The court’s opinion focused on the fact that the broad interpretation of “exceeds authorized access” endorsed by the First, Fifth, and 11th circuits would expand the CFAA’s scope “far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer,” which “would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”[64] The court emphasized that the interpretation adopted by sister circuits would potentially criminalize any computer use in violation of an employer’s policy or a website’s terms and conditions. As the court stated:
Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by G-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.[65]
Chief Judge Kozinski used tongue-in-cheek examples to illustrate his point, stating that “sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars,” and “describing yourself as ‘tall dark and handsome,’” on a dating site that prohibits misleading statements “when you’re actually short and homely, will earn you a handsome orange jumpsuit.”[66] Such an interpretation of “exceeds authorized access” would criminalize conduct in violation of terms of use and other “private agreements and policies that most people are only dimly aware of and virtually no one reads or understands.”[67]
Noting that the CFAA was enacted as an anti-hacking statute, the court stated, “we can be properly skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer.”[68] Ultimately, the Ninth Circuit concluded, “[i]f Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly.”[69] The court also noted that the rule of lenity requires criminal laws to be construed strictly, and that Congress has passed other laws to deal with misappropriation of trade secrets.[70] Finally, the court dismissed the government’s argument that it would not prosecute minor and inconsequential violations of the CFAA: “[W]e shouldn’t have to live at the mercy of our local prosecutor….By giving that much power to prosecutors, we’re inviting discriminatory and arbitrary enforcement.”[71] Ultimately, the Ninth Circuit concluded that “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.”[72]
In 2019, seven years after the Nosal opinion, the Ninth Circuit reaffirmed its position that “exceeds authorized access” is an access restriction, not a use restriction. In hiQ Labs, Inc. v. LinkedIn Corporation, 938 F.3d 985 (9th Cir. 2019), the Ninth Circuit addressed whether hiQ, a competitor of the professional networking website LinkedIn, violated the CFAA when it gathered information from LinkedIn users’ public profiles after LinkedIn had sent a cease and desist letter telling hiQ that LinkedIn did not authorize this use of information from its public platform.[73] The pivotal question in that case was “whether once hiQ received LinkedIn’s cease-and-desist letter, any further scraping and use of LinkedIn’s data was ‘without authorization’ within the meaning of the CFAA and thus in violation of the statute.”[74]
The court answered this question in the negative. It stated that the CFAA’s legislative history, which analogized heavily to breaking and entering, “makes clear that the prohibition on unauthorized access is properly understood to apply only to private information — information delineated as private through use of a permission requirement of some sort,” such as information hidden behind password protections.[75] The court noted that there are three kinds of computer information:
(1) information for which access is open to the general public and permission is not required, (2) information for which authorization is required and has been given, and (3) information for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed).[76]
Information that is publicly available to anyone with an internet connection, like the LinkedIn profiles at issue in this case, falls into the first category, and the concept of accessing such information “without authorization” does not apply.[77] The court also pointed out that because the CFAA is a criminal statute, the rule of lenity applies regardless of whether the statute is being applied in a criminal or civil context because courts must interpret the statute consistently.[78] Therefore, the Ninth Circuit required a narrow interpretation of the CFAA “so as not to turn a criminal hacking statute into a ‘sweeping [i]nternet-policing mandate.’”[79]
Finally, the court noted that there are other legal vehicles that provide redress for data scraping in certain situations, including trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, and breach of privacy claims. Accordingly, the Ninth Circuit reaffirmed its conclusion from Nosal that “exceeds authorized access” should be narrowly construed as an access restriction rather than a use restriction.
• The Fourth Circuit: WEC Carolina Energy Solutions v. Miller — In 2012, the Fourth Circuit followed the Ninth Circuit in holding that “exceeds authorized access” is not a use restriction. In WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012), the Fourth Circuit was tasked with deciding whether an employee of WEC Carolina Energy (WEC), Mike Miller, violated the CFAA when he downloaded WEC’s proprietary information, resigned from his position, and then used the proprietary information to convince a potential WEC customer to do business with Miller’s new employer.[80] In support of its civil CFAA claim, WEC argued that Miller exceeded authorized access when he downloaded WEC’s data to his personal computer in violation of WEC’s employment policies “prohibiting the use of any confidential information and trade secrets unless authorized,” and prohibiting the “download[ing] [of] confidential and proprietary information to a personal computer.”[81] WEC admitted, however, that Miller “had access to WEC’s intranet and computer servers” and to “numerous confidential and trade secret documents stored on these computers and servers.”[82] Thus, the Fourth Circuit held that while Miller and his assistant “may have misappropriated information, they did not access a computer without authorization or exceed their authorized access.”[83] The court concluded that an employee “exceeds authorized access” when “he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.”[84] The court stated plainly, “we adopt a narrow reading of the terms ‘without authorization’ and ‘exceeds authorized access’ and hold that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.”[85] It observed:
Our conclusion here likely will disappoint employers hoping for a means to rein in rogue employees. But we are unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy.[86]
• The Second Circuit: U.S. v. Valle — In 2015, in a case with a disturbing fact pattern, the U.S. Court of Appeals for the Second Circuit joined the Ninth and Fourth circuits in holding that “exceeds authorized access” is an access restriction rather than a use restriction. In that case, a New York City Police Department (NYPD) officer, Gilberto Valle (dubbed the “Cannibal Cop” by the media), was charged with improperly accessing a government computer to search restricted databases for the home addresses of women whom he fantasized about kidnapping, torturing, killing, and cannibalizing in an internet sex fetish community.[87] Valle searched for these women’s private information with no law enforcement purpose, in violation of department policy.[88] The question posed to the Second Circuit was “whether an individual ‘exceeds authorized access’ to a computer when, with an improper purpose, he accesses a computer to obtain or alter information that he is otherwise authorized to access, or if he ‘exceeds authorized access’ only when he obtains or alters information that he does not have authorization to access for any purpose which is located on a computer that he is otherwise authorized to access.”[89]
The Second Circuit concluded that both interpretations were plausible, and, therefore, adopted the narrow interpretation endorsed by the Ninth and Fourth circuits because the rule of lenity requires narrow interpretation of ambiguous criminal statutes.[90] The court stated, “We do not think it too much to ask that Congress define criminal conduct with precision and clarity.”[91] “Whatever the apparent merits of imposing criminal liability may seem to be in this case, we must construe the statute knowing that our interpretation of ‘exceeds authorized access’ will govern many other situations.”[92] The court concluded:
While the [g]overnment might promise that it would not prosecute an individual for checking Facebook at work, we are not at liberty to take prosecutors at their word in such matters. A court should not uphold a highly problematic interpretation of a statute merely because the [g]overnment promises to use it responsibly.[93]
Accordingly, the Second Circuit held that the CFAA is not violated by improper use of information to which access was authorized.
The Supreme Court’s Resolution of the Circuit Split
In Van Buren, the Supreme Court resolved this nearly decade-long circuit split by holding that “exceeds authorized access” is an access restriction rather than a use restriction.[94] In so holding, the Supreme Court sided with the Second, Fourth, and Ninth circuits, and overturned precedent in the First, Fifth, and 11th circuits. Therefore, this holding has a major impact on Florida attorneys who argue CFAA claims in the 11th Circuit and Florida federal courts.
In Van Buren, the court considered whether a former police sergeant, Nathan Van Buren, had exceeded authorized access when he ran a license-plate search in a law enforcement computer database in exchange for payment in violation of police department policy.[95] Asked whether Van Buren had exceeded authorized access, the court answered simply:
He did not. This provision covers those who obtain information from particular areas in the computer — such as files, folders, or databases — to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.[96]
Relying heavily on statutory interpretation and the interplay between the two phrases “without authorization” and “exceeds authorized access,” the court explained: “First, an individual violates the provision when he ‘accesses a computer without authorization.’…Second, an individual violates the provision when he ‘exceeds authorized access’ by accessing a computer ‘with authorization’ and then obtaining information he is ‘not entitled so to obtain.’”[97]
The court succinctly concluded:
In sum, an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer — such as files, folders, or databases — that are off limits to him. The parties agree that Van Buren accessed the law enforcement database system with authorization. The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could. Van Buren accordingly did not “excee[d] authorized access” to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.[98]
Implications for Employers, Corporations, and Other Organizations
Now that the Supreme Court has settled the question of what it means to “exceed authorized access,” attorneys and organizations — especially those in places like Florida that previously followed the opposite approach — should consider the implications of the Van Buren decision.
Of primary importance, employers should understand that confidentiality agreements and employment policies are insufficient to sustain a cause of action under the CFAA — unless they expressly restrict access to electronically stored information — and that employers will have no recourse under the CFAA if employees misuse information they were permitted to access. Employers should consider tightening security controls and safeguarding sensitive information behind passwords so that only those employees with a need-to-know have access to such information. Employers should also consider drafting (and effectively disseminating) computer use policies that delineate the computer systems, databases, and files to which each job title or level has permitted access. Employers may also consider including a description of computer access permissions in employee job descriptions. Such documents may help prove that employees “exceeded authorized access” by accessing files that are off-limits, even if such files are not password protected.
Finally, it is important to remember that even though some previously viable CFAA claims are now off the table, organizations may have other legal avenues for protecting against misuse of their information and for taking action against employees or others who misappropriate an organization’s trade secrets or other sensitive information. These avenues potentially include claims under state or federal statutes protecting trade secrets, as well as claims for trespass to chattels, copyright infringement, unjust enrichment, conversion, breach of restrictive covenants and other contracts, breach of fiduciary duty or duty of loyalty, and invasion of privacy. As the Fourth Circuit stated when commenting on its holding in WEC Carolina Energy Solutions, limiting the CFAA to improper access claims “likely will disappoint employers hoping for a means to rein in rogue employees.”[99] However, the holding in Van Buren brings the CFAA back to its roots as an anti-hacking statute and simplifies the law. The rule now is simple: If you would not want someone to use information available on your computer system for an improper purpose, then do not grant access to sensitive information, obtain copyrights and trademarks as appropriate, and, as a condition of access, require a restrictive covenants agreement that prohibits misuse of the information.
[1] Van Buren, 141 S. Ct. at 1652.
[2] Id. (citing §2102(a), 98 Stat. 2190-2192).
[3] Id. (quoting 18 U.S.C. §1030(a)(2)).
[4] 18 U.S.C. §1030(g).
[5] U.S. v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012) (quoting the legislative record).
[6] hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 1000 (9th Cir. 2019) (extensively citing the legislative record); see also U.S. v. Valle, 807 F.3d 508, 525 (2d Cir. 2015) (citing the legislative record and noting that “Congress enacted the CFAA in 1984 to address ‘computer crime,’ which was then principally understood as ‘hacking’ or trespassing into computer systems or data.”).
[7] Van Buren, 141 S. Ct. at 1652 (citing 18 U.S.C. §1030(e)(2)(B)).
[8] Id. (citing 18 U.S.C. §§1030(a)(2)(C), (e)(2)(B)).
[9] 18 U.S.C. §1030(a)(2)(C); §1030(b); §1030(g).
[10] 18 U.S.C. §1030(e)(1).
[11] Nosal, 676 F.3d at 861.
[12] 18 U.S.C. §1030(d).
[13] 18 U.S.C. §1030(c)(2)(A).
[14] 18 U.S.C. §1030(c)(2)(B).
[15] 18 U.S.C. §1030(c)(2)(C).
[16] 18 U.S.C. §1030(i)(1).
[17] 18 U.S.C. §1030(g); 18 U.S.C. §1030(c)(4)(A)(i).
[18] 18 U.S.C. §1030(g).
[19] Id.
[20] Id.
[21] 18 U.S.C. §1030(a)(2)(C); §1030(b).
[22] 18 U.S.C. §1030(e)(6).
[23] U.S. v. Nosal, 676 F.3d at 856-57.
[24] EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 579 (1st Cir. 2001).
[25] Id.
[26] Id.
[27] Id.
[28] Id. at 580.
[29] Id. at 583.
[30] Id.
[31] Id. at 580.
[32] Id. at 581.
[33] Id. at 582.
[34] Id.
[35] Id.
[36] Id.
[37] Id.
[38] Id. at 583.
[39] Id.
[40] Id. at 583-84.
[41] U.S. v. John, 597 F.3d 263, 269 (5th Cir. 2010).
[42] Id.
[43] Id. at 269-70.
[44] Id. at 270.
[45] Id. at 271.
[46] Id.
[47] Id.
[48] Id. at 272.
[49] U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).
[50] Id. at 1260.
[51] Id.
[52] Id.
[53] Id.
[54] Id.
[55] Id. at 1260-61.
[56] Id. at 1262.
[57] Id. at 1263.
[58] Id.
[59] U.S. v. Nosal, 676 F.3d 854, 856 (9th Cir. 2012).
[60] Id.
[61] Id.
[62] Id.
[63] Id.
[64] Id. at 859.
[65] Id. at 860.
[66] Id. at 860, 862.
[67] Id. at 861.
[68] Id. at 859.
[69] Id. at 863.
[70] Id.
[71] Id. at 862.
[72] Id. at 863-64.
[73] hiQ Labs, 938 F.3d at 989-90, 992.
[74] Id. at 999.
[75] Id. at 1000.
[76] Id. at 1001-02.
[77] Id. at 1002.
[78] Id. (citing Leocal v. Ashcroft, 543 U.S. 1, 11 n.8 (2004) (“Because we must interpret the statute consistently, whether we encounter its application in a criminal or noncriminal context, the rule of lenity applies.”)).
[79] Id. (quoting Nosal, 676 F.3d at 858).
[80] WEC Carolina Energy Solutions, 687 F.3d at 201.
[81] Id. at 206-07.
[82] Id. at 207.
[83] Id.
[84] Id. at 204.
[85] Id. at 206.
[86] Id. at 207.
[87] U.S. v. Valle, 807 F.3d 508, 512-13 (2d Cir. 2015).
[88] Id. at 523-24.
[89] Id. at 511.
[90] Id. at 511-12, 523 (citing U.S. v. Santos, 553 U.S. 507, 515 (2008) (“As Justice Scalia has emphasized, ‘[w]hen interpreting a criminal statute, we do not play the part of a mindreader.’”)).
[91] Id. at 526-27.
[92] Id. at 528 (emphasis in original).
[93] Id. at 528.
[94] Van Buren v. United States, 141 S. Ct. 1648, 1652 (2021).
[95] Id. at 1652.
[96] Id.
[97] Id. at 1658.
[98] Id. at 1662.
[99] WEC Carolina Energy Solutions, 687 F.3d at 201.
This column is submitted on behalf of the Labor and Employment Law Section, Robyn Sue Hankins, chair, and Robert Eschenfelder, editor.