Supreme Court significantly limits the scope of the Computer Fraud and Abuse Act


Data Protection, Privacy and Security Alert


In its first substantive ruling on the 35-year-old Computer Fraud and Abuse Act (CFAA), the Supreme Court held yesterday that a person does not “exceed authorized access” to a “protected computer” under the CFAA merely by obtaining information, which that person is otherwise entitled to access, for an unauthorized purpose. The decision in Van Buren v. United States resolves a deep circuit split on the issue and will severely limit both criminal and civil liability under the CFAA. Most notably, the decision will largely gut the CFAA as a tool for addressing insider data theft.

Enacted in its relevant form in 1986, Title 18, United States Code, Section 1030 creates criminal and civil liability for any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains” virtually any type of information stored on any computer connected to the Internet.

In Van Buren, a Georgia police sergeant used his authorized username and password to obtain information from a law enforcement database with the intent to sell it to an FBI confidential informant for $6,000.  As part of the FBI sting operation, the informant requested the information for the ostensible purpose of confirming that a woman of romantic interest to him was not an undercover police officer.  Van Buren was authorized to use the database for law-enforcement purposes only.  The jury convicted Van Buren of violating the CFAA and the wire fraud statute.    

The Eleventh Circuit affirmed Van Buren’s conviction under Section 1030(a)(2)(C), finding sufficient evidence that Van Buren “intentionally . . . exceed[ed] authorized access [to a computer] and thereby obtain[ed] . . . information from any protected computer” when he accessed the database and obtained information for an unauthorized purpose (i.e., to sell it to a third person). The Eleventh Circuit’s interpretation of the “exceeds authorized access” prong of Section 1030(a)(2) was in accord with decisions of the First, Fifth and Seventh Circuits.

The Supreme Court reversed in a 6-3 decision, with Justice Amy Coney Barrett writing for a majority that included Justices Brett Kavanaugh and Neil Gorsuch and the Court’s liberal bloc.  The majority held that Van Buren did not violate the CFAA when he accessed his employer’s database and obtained sensitive and confidential information for the purpose of selling it for his own profit. This ruling is consistent with prior decisions issued by the Second, Fourth, Sixth and Ninth Circuits.

The majority’s reasoning was rooted deeply in its textual analysis of Section 1030(e)(6), which defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The majority focused heavily on the word “so” in that definition as limiting the “exceeds authorized access” prong to situations in which a person “accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders or databases – that are off limits to him.” The majority announced a new bright-line rule that determining whether one accesses a computer “without authorization” or “exceeds authorized access” is a “gates-up-or-down inquiry – one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.”

Because Van Buren was authorized to access the database, the Court dismissed as irrelevant his improper purpose in retrieving the data. Any limits that his employer placed on his authorization by policy, terms of use, or contract would require a “circumstance-dependent” analysis that the majority viewed as unsupported by the statutory text. Such an approach also would “inject arbitrariness into the assessment of criminal liability.” Pointing to a ‘parade of horribles’ stretching well beyond the facts of any insider data misuse case, the Court also reasoned that a broader interpretation of Section 1030 would criminalize every violation of a policy, terms of use, or contract imposed by an employer, computer owner, or Internet platform.

Justice Clarence Thomas, joined in dissent by Chief Justice John Roberts and Justice Samuel Alito, argued that the majority’s new rule and rationale ignore the plain statutory text, long-settled principles of property law, and the CFAA’s statutory history. The dissent focused on the statutory term “entitled” in arguing that Van Buren’s entitlement to access the license plate database was limited by the scope and policies of his employment. Under “basic principles of property law,” any entitlement to use another’s property (including computer equipment and data) is “circumstance specific.”

The dissent went on to offer its own ‘parade of horribles’ under the majority’s rule – including a car rental employee who is authorized to access a computer containing the GPS location history of a rental car to track stolen vehicles, but who instead does so to stalk his ex-girlfriend, or a nuclear scientist who is authorized to access blueprints for an atomic weapon within the scope of his employment, but would be insulated from CFAA liability even if he did so to “help[ ] an unfriendly nation build a nuclear arsenal.”   

Implications

The implications of the Court’s decision are staggering.  Below are a few that immediately come to mind:

  • Insider data theft and misuse: The CFAA is unlikely to provide criminal or civil redress to organizations against malicious insiders – those who are authorized to access computerized information for work-related or other limited purposes, but who exceed such authorization by accessing information for an improper purpose.  On the facts of Van Buren alone, an employee who is authorized to access data in a work computer could not be prosecuted or civilly sued under the CFAA for obtaining confidential and sensitive data to sell to a competitor or a hostile nation, or to leak to a media outlet.
  • The “exceeds authorized access” prong appears to require circumvention of technological barriers: It is not clear what level of evidentiary support is now needed to prevail on the “exceeds authorized access” prong of Section 1030(a)(2). The Court’s opinion strongly suggests that a technological barrier (i.e., an “access control”) must be in place to preclude an authorized user from reaching the data, and must then be circumvented by that user. Yet the Court then muddles that position by writing in a footnote: “we need not address whether this inquiry turns only on technological limitations on access, or instead also looks to limits contained in contracts or policies.” This statement is perplexing when viewed in light of the bright-line rule the Court articulates and the policy and contractual limits that the Court found insufficient to limit Van Buren’s authorization to access the database in question. Whether any policy or contractual limitation will satisfy the “exceeds authorized access” prong is unclear, but it seems highly unlikely.
  • Terms of use violations: Violating an entity’s terms of use for a network, website, or other Internet platform – standing alone – will not violate the CFAA’s “exceeds authorized access” prong. Digital platforms will need to consider technical access controls or explicit access prohibitions as a means of falling within the ambit of the CFAA.
  • Data scraping: The Court’s holding further solidifies the view that data scraping of publicly facing websites does not violate the CFAA, at least where no technological access barrier is circumvented. Van Buren leaves open the question whether the CFAA proscribes the scraping of data that is behind a pay wall or other authentication/access control in violation of a company’s terms of use.

Action steps

Some immediate steps for organizations to consider in light of the ruling include:

  • Implement technological access controls to highly sensitive data: Organizations should strongly consider implementing technological access controls within their network environments where feasible, so that only employees with an actual business need can reach highly sensitive and confidential information. Under the Court’s “gates-up-or-down” framing, a gate that is actually closed to the user (role- or attribute-based authorization, need-to-know segmentation of databases and file shares) is what matters; a written prohibition with no technical enforcement likely is not. Access to those areas should also be logged, because misuse by a user who is entitled to the area will have to be detected rather than prevented.
  • Internal and external policies: Organizations should review and revise their internal information security and acceptable use policies to prohibit access to data that is outside the scope of a user’s duties or areas of responsibility. This policy position should be coupled with technical controls that enforce the principle of least privilege, and with data loss prevention controls that catch exfiltration of data a user was entitled to view.
  • Evaluate alternative legal theories to address malicious insider activity: Although Van Buren significantly limits the CFAA, organizations still may have a variety of alternative legal theories to redress malicious insider activity, as well as policy, terms of use, and contractual violations. A number of state computer crime statutes – with corollary civil provisions – are broader than the CFAA. For example, Section 502 of the California Penal Code prohibits any person from knowingly accessing and without permission altering, damaging, deleting, destroying or otherwise using “any data, computer, computer system or computer network . . . [to] wrongfully control or obtain money, property or data.” In addition, intellectual property laws, contract, employment, tort and property theories may be used to seek civil redress against malicious insider activity.
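The first two action steps above amount to two different controls: a technical gate that decides whether a user can reach an area at all, and review of the audit trail for users who are entitled to an area but use it outside their assigned work. The following is an added illustration written for this alert; it is not code from the original page or from any product. The roles, areas, records, case assignments and access events are constructed sample data, and the policy layout (role mapped to a set of areas) is an assumption.

```python
"""Deny-by-default area gating plus audit-based review of entitled access.

Added example; the policy, records and events below are constructed sample data.
"""
from collections import Counter, defaultdict

# Constructed sample policy: each role is entitled to a fixed set of areas.
# This is the technical "gate": it answers whether an area is open or closed
# to the user, not why the user opened it.
ROLE_AREAS = {
    "patrol": {"plates", "warrants"},
    "records_clerk": {"plates", "warrants", "case_files"},
    "hr": {"personnel"},
}

# Constructed sample records: record id -> area in which it lives.
RECORD_AREAS = {
    "plate:ABC123": "plates",
    "plate:XYZ789": "plates",
    "warrant:4471": "warrants",
    "case:2021-017": "case_files",
    "person:emp-0092": "personnel",
}


class PermissionDenied(Exception):
    pass


def check_access(audit, user, role, record_id, purpose):
    """Deny-by-default area check. Returns the area if entitled, else raises.

    Unknown roles, unknown records and areas outside the role's set are all
    refused. Every decision is appended to `audit` (a list), including the
    stated purpose, which is recorded but cannot be verified by the system.
    """
    area = RECORD_AREAS.get(record_id)
    allowed = area is not None and area in ROLE_AREAS.get(role, set())
    audit.append({"user": user, "role": role, "record": record_id,
                  "area": area, "purpose": purpose, "allowed": allowed})
    if not allowed:
        raise PermissionDenied(f"{user} ({role}) is not entitled to {record_id}")
    return area


def denied_lookups(audit, threshold=2):
    """Users whose denied attempts reach `threshold`: probing closed gates."""
    counts = Counter(e["user"] for e in audit if not e["allowed"])
    return {u: n for u, n in counts.items() if n >= threshold}


def lookups_without_case(audit, assignments):
    """Permitted lookups with no matching assignment: entitled access misused.

    `assignments` maps user -> set of record ids tied to that user's open work
    (constructed). The gate lets these through, so they must be found by review.
    """
    flagged = defaultdict(list)
    for e in audit:
        if e["allowed"] and e["record"] not in assignments.get(e["user"], set()):
            flagged[e["user"]].append(e["record"])
    return dict(flagged)


def demo():
    """Run a constructed sequence of events and return both review results."""
    audit = []
    assignments = {"officer1": {"plate:XYZ789"}, "clerk1": {"case:2021-017"}}
    # Permitted and within assigned work.
    check_access(audit, "officer1", "patrol", "plate:XYZ789", "traffic stop")
    # Permitted by the gate but outside assigned work: invisible to the gate.
    check_access(audit, "officer1", "patrol", "plate:ABC123", "informant request")
    # Closed gates: the patrol role has no entitlement to these areas.
    for rec in ("person:emp-0092", "case:2021-017"):
        try:
            check_access(audit, "officer1", "patrol", rec, "curious")
        except PermissionDenied:
            pass
    return denied_lookups(audit), lookups_without_case(audit, assignments)


if __name__ == "__main__":
    print(demo())
```

The point of the split is that only `check_access` corresponds to the Court’s gate; the second lookup in `demo()` passes that gate and is caught only by `lookups_without_case`, which is a review control, not an access control.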

Learn more about the implications of this decision by contacting our data privacy team via PrivacyGroup@dlapiper.com.