In its first substantive ruling on the 35-year-old Computer Fraud and Abuse Act (CFAA), the Supreme Court held yesterday that a person does not “exceed authorized access” to a “protected computer” under the CFAA when using information obtained from accessing that computer for an unauthorized purpose. The decision in Van Buren v. United States resolves a deep circuit split on the issue and will severely limit both criminal and civil liability under the CFAA. Most notably, the decision will largely gut the CFAA as a tool for addressing insider data theft.
Enacted in its relevant form in 1986, Title 18, United States Code, Section 1030 creates criminal and civil liability for any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains” virtually any type of information stored on any computer connected to the Internet.
In Van Buren, a Georgia police sergeant used his authorized username and password to obtain information from a law enforcement database with the intent to sell it to an FBI confidential informant for $6,000. As part of the FBI sting operation, the informant requested the information for the ostensible purpose of confirming that a woman of romantic interest to him was not an undercover police officer. Van Buren was authorized to use the database for law-enforcement purposes only. The jury convicted Van Buren of violating the CFAA and the wire fraud statute.
The Eleventh Circuit affirmed Van Buren’s conviction under Section 1030(a)(2)(C), finding sufficient evidence that Van Buren “intentionally . . . exceed[ed] authorized access [to a computer] and thereby obtain[ed] . . . information from any protected computer” when he accessed the database and obtained information for an unauthorized purpose (i.e., to sell it to a third person). The Eleventh Circuit’s interpretation of the “exceeds authorized access” prong of Section 1030(a)(2) was in accord with decisions of the First, Fifth and Seventh Circuits.
The Supreme Court reversed in a 6-3 decision, with Justice Amy Coney Barrett writing for a majority that included Justices Brett Kavanaugh and Neil Gorsuch and the Court’s liberal bloc. The majority held that Van Buren did not violate the CFAA when he accessed his employer’s database and obtained sensitive and confidential information for the purpose of selling it for his own profit. This ruling is consistent with prior decisions issued by the Second, Fourth, Sixth and Ninth Circuits.
The majority’s reasoning was rooted deeply in its textual analysis of Section 1030(e)(6), which defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The majority focused heavily on the word “so” in that definition as limiting the “exceeds authorized access” prong to situations in which a person “accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders or databases – that are off limits to him.” The majority announced a new bright-line rule that determining whether one accesses a computer “without authorization” or “exceeds authorized access” is a “gates-up-or-down inquiry – one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.”
Justice Clarence Thomas, who was joined by Chief Justice John Roberts and Justice Samuel Alito in dissent, pointed out that the majority’s new rule and rationale ignore the plain statutory text, long-settled principles of property law, and the CFAA’s statutory history. The dissent focused on the statutory term “entitle” in arguing that Van Buren’s entitlement to access the license plate database was limited by the scope and policies of his employment. Under “basic principles of property law,” any entitlement to use another’s property (including computer equipment and data) is “circumstance specific.”
The dissent went on to offer its own “parade of horribles” under the majority’s rule – including a car rental employee who is authorized to access a computer containing the GPS location history of a rental car to track stolen vehicles, but who instead does so to stalk his ex-girlfriend, or a nuclear scientist who is authorized to access blueprints for an atomic weapon within the scope of his employment, but would be insulated from CFAA liability even if he did so to “help[ ] an unfriendly nation build a nuclear arsenal.”
The implications of the Court’s decision are staggering. Below are a few that immediately come to mind:
- Insider data theft and misuse: The CFAA is unlikely to provide criminal or civil redress to organizations against malicious insiders – those who are authorized to access computerized information for work-related or other limited purposes, but who exceed such authorization by accessing information for an improper purpose. On the facts of Van Buren alone, an employee who is authorized to access data in a work computer could not be prosecuted or civilly sued under the CFAA for obtaining confidential and sensitive data to sell to a competitor or a hostile nation, or to leak to a media outlet.
- The “exceeds authorized access” prong appears to require circumvention of technological barriers: It is not clear what level of evidentiary support is now needed to prevail on the “exceeds authorized access” prong of Section 1030(a)(2). The Court’s opinion strongly suggests that a technological barrier (i.e., “access control”) must be implemented to preclude an authorized user from accessing data and then circumvented by that user. Yet the Court then muddles that position by writing in a footnote: “we need not address whether this inquiry turns only on technological limitations on access, or instead also looks to limits contained in contracts or policies.” This statement is perplexing when viewed in light of the bright-line rule the Court articulates and the policy and contractual limits that the Court found insufficient to limit Van Buren’s authorization to access the database in question. Whether any policy or contractual limitation will satisfy the “exceeds authorized access” prong is unclear, but seems highly unlikely.
Some immediate steps for organizations to consider in light of the ruling include:
- Implement technological access controls on highly sensitive data: Organizations should strongly consider implementing technological access controls within their network environments, where feasible, to ensure that only employees with an actual business need can access highly sensitive and confidential information.
- Internal and external policies: Organizations should review and revise their internal information security and acceptable use policies to prohibit access to data that is outside of the scope of a user’s duties or areas of responsibility. This policy position can be coupled with technical controls that enforce a “least privilege” principle in access and data loss prevention controls.
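As an added illustration (not part of the article), the following Python models the Court’s “gates-up-or-down” distinction as a technical control: access is decided only by whether a role’s gate to a data area is open, while the stated purpose of the request is recorded for policy review but never decides the outcome. The roles, data areas and log format are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed role-to-area grants: each role sees only the areas its duties need.
ROLE_AREAS: Dict[str, FrozenSet[str]] = {
    "patrol_officer": frozenset({"incident_reports"}),
    "records_clerk": frozenset({"incident_reports", "license_plates"}),
}


@dataclass
class Request:
    user: str
    role: str
    area: str      # the "area" of the system being accessed (dataset/table)
    purpose: str   # recorded for audit only; never part of the decision


@dataclass
class Gatekeeper:
    """Decides access solely on whether the role's gate to the area is up."""
    audit_log: List[str] = field(default_factory=list)

    def is_allowed(self, req: Request) -> bool:
        granted = ROLE_AREAS.get(req.role, frozenset())
        allowed = req.area in granted
        verdict = "ALLOW" if allowed else "DENY"
        # Purpose is logged so policy violations remain reviewable even though
        # the technical gate, not the stated purpose, decides the outcome.
        self.audit_log.append(
            f"{verdict} user={req.user} role={req.role} "
            f"area={req.area} purpose={req.purpose!r}"
        )
        return allowed

    def denials_by_user(self) -> Dict[str, int]:
        """Count DENY entries per user; repeated denials are a review signal."""
        counts: Dict[str, int] = {}
        for line in self.audit_log:
            if line.startswith("DENY"):
                user = line.split(" user=")[1].split(" ")[0]
                counts[user] = counts.get(user, 0) + 1
        return counts


if __name__ == "__main__":
    gk = Gatekeeper()
    # Same user, same area, two different stated purposes: identical outcome.
    for why in ("verify a vehicle stop", "look up a plate for a friend"):
        print(gk.is_allowed(Request("sgt_a", "patrol_officer", "license_plates", why)))
    print(gk.denials_by_user())
```

The gate closes the area to the patrol-officer role regardless of the reason given, which is the kind of technical barrier the ruling now appears to require; the purpose field survives only in the audit trail for policy enforcement.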
Learn more about the implications of this decision by contacting our data privacy team via PrivacyGroup@dlapiper.com.