In Van Buren v. United States, No. 19-783, 2021 WL 2229206 (U.S. June 3, 2021), the United States Supreme Court issued an opinion drastically limiting the application of the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030 et seq.), holding that the “exceeds authorized access” clause of the Act applies only to those who obtain information from particular areas in the computer—such as files, folders, or databases—that the individual is not authorized to access under any circumstances. However, the Supreme Court excluded application of the clause to individuals who misuse their access to obtain information otherwise available to them for an unauthorized purpose. The Court’s Van Buren decision resolves a long-standing circuit split over the meaning of this key phrase of the CFAA, and simultaneously creates new challenges for employers seeking to hold liable employees who misuse company information to the employer’s detriment.
Van Buren, a former Georgia police sergeant, was charged with honest-services wire fraud and violating the CFAA after using his own, valid credentials to retrieve information about a license plate number in exchange for money, in violation of the department’s policy. The Government alleged that Van Buren knowingly accessed information in the department’s database for an unauthorized purpose, both in violation of the department’s policy and the CFAA. Van Buren argued that, despite his later misuse of the information, he was authorized to access the information and did not violate the CFAA.
A jury convicted Van Buren, and the United States District Court for the Northern District of Georgia sentenced Van Buren to 18 months in prison. The United States Court of Appeals for the Eleventh Circuit affirmed the conviction. The Supreme Court granted certiorari to address the ongoing circuit split surrounding the CFAA’s application to the use of one’s access for an unauthorized purpose.
The Eleventh Circuit, as well as the First, Fifth, and Seventh Circuits, have interpreted the CFAA’s definition of “exceeds authorized access” to include the act of using an individual’s authorized access to obtain information for an unauthorized purpose. Conversely, the Second, Fourth, Sixth, and Ninth Circuits have held that as long as an individual is generally authorized to access the information, later access of that information by that individual for an unauthorized purpose does not violate the CFAA.
In a 6-3 decision, the Court sided with the Second, Fourth, Sixth, and Ninth Circuits, holding that an individual “exceeds authorized access” under the CFAA only when they use their authorization to access information that is entirely off limits. The majority further held that an individual does not violate the CFAA when they access information that they are allowed to access, but later use it for an improper purpose.
The Court focused much of its opinion on the semantics of the CFAA’s definition of “exceeds authorized access,” which means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Justice Barrett, writing for the majority, agreed with the parties that Van Buren was entitled to obtain the information he had accessed and was authorized to retrieve information about the license plate number. The Government argued that the use of “so” in the definition should be interpreted to mean information an individual was not allowed to obtain in the particular manner or circumstances in which it was obtained. However, the Court rejected this broad interpretation, adopting the narrower approach offered by Van Buren. This narrow approach limits application of the clause to information that an individual is not entitled to obtain by using a computer that they are otherwise authorized to access.
The Court also addressed policy concerns raised by the Government’s interpretation. Specifically, the Court was concerned that the Government’s broad interpretation would “attach criminal penalties to a breathtaking amount of commonplace computer activity,” thereby exposing millions of “otherwise law-abiding citizens” to criminal penalties. Under the Government’s interpretation, the Court warned of the potential criminalization of sending personal emails, reading the news, or scrolling through social media using a work computer.
The dissent, penned by Justice Thomas, agreed with the majority’s interpretation of the word “so” in the statute (i.e., whether the individual was authorized to obtain information through the means identified earlier in the Act’s definition), but disagreed that Van Buren was “entitled” to the information. Viewing an individual’s “entitlement” as circumstance dependent, the dissenters would have held that because Van Buren obtained the information for personal gain instead of for a valid law enforcement purpose, he was therefore not entitled to the information.
The CFAA, originally enacted in 1984 and most recently amended in 2008, has been widely criticized as being confusing and outdated. Van Buren calls for Congress’s prompt attention to the statute, especially in light of significant technological changes in the last 13 years. Congressional action could address the remaining ambiguities surrounding the CFAA. For example, while the Van Buren decision clarifies that “exceeding authorized access” does not include an otherwise authorized user’s misuse of accessed information, the decision does not clarify what it means to have “authorized access.” Additionally, the decision only touches on what it means to be “entitled” to access information—relying on only two dictionary definitions of “entitle”—and the majority’s single-paragraph analysis could be difficult to apply to cases with more complex facts. An amendment could also limit further confusion by defining the key terms and phrases used throughout the statute (such as “authorized access,” “obtain,” or “alter”) and updating the language of the CFAA to better align with current technology. For example, cell phones have advanced tremendously since the latest amendment and tablets are becoming more common in lieu of computers. Access to devices has also evolved to accommodate remote and virtual access. And even though the current definition of “computer” in the Act is assumed to include “smart” devices and not just computers, amending the Act to explicitly list such devices is a step in the right direction.
While the Court’s decision will help prevent excess litigation in the future, it also creates a challenge for employers seeking to hold liable disloyal employees who misuse company information to the employer’s detriment. Regardless of whether Congress ultimately revisits the CFAA, companies should consider revisiting their user access policies and safeguards to appropriately limit authorized access to sensitive data. Additionally, companies should continue to enforce policies prohibiting the unauthorized use of information that the employee is authorized to access. Finally, while the Van Buren decision only addresses situations where individuals overstep that authorized access, companies will also need to explore alternative theories of liability in situations where information is misused by an employee.
*Alexandria Amerine is a summer associate in the Sheppard Mullin Dallas Office.