The U.S. Supreme Court recently resolved a circuit split regarding the federal Computer Fraud and Abuse Act (CFAA), specifically weighing in on the “exceeds authorized access” provision of the statute. The CFAA subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” In Van Buren v. United States, the Court rejected a broader reading of the criminal statute and held in a 6-3 opinion that a police officer, Nathan Van Buren, did not violate the CFAA when he accessed a law enforcement database with his valid credentials to retrieve information about a license plate number in exchange for money.
In a majority decision authored by Justice Barrett, the Supreme Court reversed the Eleventh Circuit’s affirmance of Van Buren’s conviction. Concerned that the reading of the CFAA urged by the government would impose criminal penalties to a “breathtaking amount of commonplace computer activity” and make criminals out of millions of otherwise law-abiding citizens, the Court held that under a proper reading of the CFAA, an individual “exceeds authorized access” if he accesses a computer that he is authorized to access but then accesses information on that computer that he is not authorized or entitled to access. Because the information Van Buren accessed was “otherwise available” to him within the scope of his work and based on his valid credentials, even though he accessed the information with “improper motives,” he could not be held criminally liable under the CFAA.