U.S. Supreme Court Narrows Computer Fraud & Abuse Act

Share this Article
Facebook Icon LinkedIn Icon Twitter Icon
Jason B. Freeman

Jason B. Freeman

Managing Member

214.984.3410
Jason@FreemanLaw.com

Mr. Freeman is the founding member of Freeman Law, PLLC. He is a dual-credentialed attorney-CPA, author, law professor, and trial attorney.

Mr. Freeman has been named by Chambers & Partners as among the leading tax and litigation attorneys in the United States and to U.S. News and World Report’s Best Lawyers in America list. He is a former recipient of the American Bar Association’s “On the Rise – Top 40 Young Lawyers” in America award. Mr. Freeman was named the “Leading Tax Controversy Litigation Attorney of the Year” for the State of Texas for 2019 and 2020 by AI.

Mr. Freeman has been recognized multiple times by D Magazine, a D Magazine Partner service, as one of the Best Lawyers in Dallas, and as a Super Lawyer by Super Lawyers, a Thomson Reuters service. He has previously been recognized by Super Lawyers as a Top 100 Up-And-Coming Attorney in Texas.

Mr. Freeman currently serves as the chairman of the Texas Society of CPAs (TXCPA). He is a former chairman of the Dallas Society of CPAs (TXCPA-Dallas). Mr. Freeman also served multiple terms as the President of the North Texas chapter of the American Academy of Attorney-CPAs. He has been previously recognized as the Young CPA of the Year in the State of Texas (an award given to only one CPA in the state of Texas under 40).

The U.S. Supreme Court recent decision in Van Buren v. United States significantly impacts the scope of the Computer Fraud & Abuse Act (“CFAA”).  The case carries implications for computer fraud prosecutions, employee abuse of computer databases, and a host of other areas, particularly given that the CFAA provides a civil cause of action that has become increasingly prevalent.  The Van Buren decision narrowed the scope of the meaning of “exceed[ing] authorized access” to a computer.

Background

In 2011, an FBI sting in Georgia resulted in police officer Nathan Van Buren being charged with violating the Computer Fraud and Abuse Act (CFAA). The sting operation was initiated after an individual complained that Van Buren had tried to shake them down by soliciting a loan.

During the sting, the complainant, at the FBI’s instruction, offered to pay Van Buren to run the license plate number of the complainant’s acquaintance through a Georgia police database in order to find out if the acquaintance was an undercover police officer.

Van Buren was convicted at trial of, among other things, violating the CFAA, which makes it a crime for anyone to intentionally gain unauthorized access to a computer or to exceed authorized access. Van Buren then appealed that conviction on the basis that his conduct did not violate the statute.

Van Buren’s Arguments on Appeal

On appeal, Van Buren argued that he had not violated the CFAA provision that applies when someone exceeds authorized access because he actually was authorized to access that police database, even if he accessed it for an unauthorized purpose. The United States Court of Appeals for the Eleventh Circuit disagreed, relying on its precedent to uphold Van Buren’s conviction. Van Buren then asked the Supreme Court to review the Eleventh Circuit’s decision.

In support of the Eleventh Circuit’s decision upholding Van Buren’s conviction, the government argued to the court that because Van Buren was only allowed to use the police database for valid law enforcement purposes, he had violated the CFAA by exceeding his authorized access to that database when he used it to identify an undercover police officer in exchange for money. But the Supreme Court rejected the government’s view, reversing the Eleventh Circuit’s decision and overturning Van Buren’s conviction. It held that the CFAA does not criminalize individuals who have improper motives for accessing information that is otherwise available to them.

What Conduct Now Qualifies as Exceeding Authorized Access Under the CFAA?

The Supreme Court held that an individual exceeds authorized access “when he accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders or databases – that are off limits to him”.  In other words, if an individual is authorized to access a particular area of a computer, for any purpose, they cannot violate the CFAA by simply accessing that area, even if the purpose for which the individual accessed that area is improper. In this case, for example, the government needed to show that Van Buren had no authority whatsoever to access the police database for any purpose, but it was unable to do so.

Why is the Van Buren Decision Important?

The Van Buren decision is important for both prosecutors and law enforcement and employers. This is because the CFAA, which provides for both civil and criminal liability, has previously been viewed as a simpler enforcement mechanism than other options available to prosecutors and employers.

Though misusing information to which an individual has access could violate other statutes, violations of the CFAA had generally been easier to establish. For example, while an employer could pursue a theft of trade secrets case against an employee who misused access to a company database to steal proprietary information, doing so would require the employer to establish that the information qualified as a trade secret, which could be more difficult than simply pointing to the individual’s motives.

With the Van Buren Decision, it is no longer enough to simply show that an employee violated an employer’s policies by accessing information within the database without an appropriate reason for doing so.  It is also noteworthy that in support of the narrower reading of the CFAA, the Supreme Court specifically cited the fact that the government’s reading of the statute would effectively criminalize all sorts of everyday workplace activity.

What Can Employers Do Now to Police Unauthorized Computer Access and Misuse of Information?

To begin with, employers may still be able to file civil actions under the CFAA in certain situations. For instance, a run-of-the-mill hack by an outsider who has no authorization to access a company’s computer system still constitutes a violation of the CFAA. Likewise, an employee who is authorized to access certain areas of a company’s computer system, but is barred from accessing information in other areas for any purpose, may violate the CFAA if he or she accesses information in those restricted areas.

What Should Employers Do In Light of the Van Buren Decision?

In light of the Van Buren decision, employers should consider reviewing their computer system and policies, with a focus on identifying what information employees should be allowed to access and, where appropriate, implementing technical controls that are designed to limit access when not necessary for an employee’s job. Furthermore, because an employer can no longer prove that an employee exceeded authorized access simply by reference to the employee’s motives, employers should now implement mechanisms to demonstrate that an employee had no authority to access certain sensitive information.

 

Computer Crime Attorneys

Freeman Law represents clients in the Dallas-Fort Worth area. Our team is also skilled in legal and regulatory issues related to blockchain technology and cryptocurrency. As these areas continue to evolve, the related legal matters will meld with more traditional computer intrusion and cyber-crime issues. Freeman Law recognizes this; we are dedicated to staying at the forefront as these emerging technologies continue to revolutionize social and economic activities. In this respect, we combine our knowledge base in more traditional cyber-related litigation with a unique white-collar and accounting background—and a position as a thought leader in the evolving blockchain and cryptocurrency space—to provide a distinctive brand of cutting-edge legal representation. Schedule a consultation or call (214) 984-3000 to discuss your cybersecurity concerns.