Do the Computer Fraud and Abuse Act (CFAA) and its harsh penalties apply to employees who exceed their authorized access to computer systems for personal reasons? The Supreme Court has now said no.
The Supreme Court issued a 6-3 decision this week limiting the application of the CFAA against company “insiders” who exceed the scope of their authorization to access company data. The CFAA, generally speaking, provides both civil relief and criminal penalties against individuals who “access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Prior to this decision, there was a circuit split where some courts interpreted “unauthorized access” as including access to data that exceeded a limited scope of authorization provided to an individual, and other courts interpreted “unauthorized access” more narrowly to mean that the CFAA only applied to individuals who had no scope of authorized access.
In Van Buren vs. U.S., police sergeant Nathan Van Buren accessed a law enforcement database through his police-issued laptop to provide license plate information to a third party, for money, for non-law enforcement purposes. The transaction was part of a sting operation by the FBI, who charged Van Buren with violating the CFAA on the basis that his authorization to use the law enforcement database was limited to purposes related to his job as a police officer, so the use of the database for personal purposes constituted unauthorized access under the CFAA. In overturning the lower court’s decision that Van Buren’s behavior constituted a violation of the CFAA, the Court found that the CFAA’s restriction on unauthorized access covers access to information stored in areas (such as files, folders, or databases) to which the accesser’s computer access does not extend. The CFAA does not, however, reach an accesser who uses, with different motives, information that he or she is authorized to access for limited purposes.
In short, the Supreme Court has dramatically limited the scope of the CFAA to individuals with no authorization to access data and determined that the CFAA does not apply to misuse of an individual’s authorization. The Court seemed particularly troubled at the prospect of recognizing CFAA application to access misuse, as doing so “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” 593 U. S. ____, 17-18 (2021) (“Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.”).
There remain some ambiguities, and ultimately it may be up to Congress to revisit the statutory language of the CFAA to confirm its intent as to its scope. For now, though, businesses take note: under the Court’s reading of the CFAA, you may be limited in seeking relief under the CFAA against insiders who access information for purposes outside of their authorization. Digitally segregating valuable and sensitive company data into files, folders, or databases over which your company can exercise greater access control can better position your business to avail itself of CFAA relief than permitting your employees unfettered access and relying on purpose limitations on that access.