Supreme Court Narrows Scope of the Computer Fraud and Abuse Act

The U.S. Supreme Court recently resolved a circuit split regarding the federal Computer Fraud and Abuse Act (CFAA), specifically weighing in on the “exceeds authorized access” provision of the statute.  The CFAA subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” In Van Buren v. United States, the Court rejected a broader reading of the criminal statute and held in a 6-3 opinion that a police officer, Nathan Van Buren, did not violate the CFAA when he accessed a law enforcement database with his valid credentials to retrieve information about a license plate number in exchange for money.

In a majority decision authored by Justice Barrett, the Supreme Court reversed the Eleventh Circuit's affirmance of Van Buren's conviction. Concerned that the reading of the CFAA urged by the government would impose criminal penalties to a “breathtaking amount of commonplace computer activity” and make criminals out of millions of otherwise law-abiding citizens, the Court held that under a proper reading of the CFAA, an individual “exceeds authorized access” if he accesses a computer that he is authorized to access but then accesses information on that computer that he is not authorized or entitled to access. Because the information Van Buren accessed was “otherwise available” to him within the scope of his work and based on his valid credentials, even though he accessed the information with “improper motives,” he could not be held criminally liable under the CFAA.

This holding resolves a long-standing and significant circuit split on the CFAA (that we’ve followed avidly and discussed here), with the Second, Fourth, and Ninth Circuits having read the statute narrowly, in contrast with the First, Fifth, and Eleventh Circuits, which previously held that the statute may also cover unauthorized use of information, even if the defendant was authorized to access it.  In light of the Supreme Court’s ruling and clarification in this area of the law, employers may wish to take this opportunity to review and refresh how they protect their confidential, proprietary digital information.  First, analyze and consider adding internal authentication points to restricted areas on your computer systems, files, and databases to segregate and limit access to sensitive and confidential data on a need-to-know basis.  (This is a best practice to protect your trade secrets as well, from both practical and legal standpoints.)  Second, even as the holding in Van Buren confirmed a narrower reading of the CFAA, contractual and other remedies remain unaffected. Consider reviewing and refreshing any confidentiality, data security, and computer terms of use agreements with your employees and vendors to ensure protections are in place.