Supreme Court To Determine Scope Of Computer Fraud And Abuse Act
On April 20, the Supreme Court agreed to review the Eleventh Circuit’s decision in United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019), which broadly interpreted the Computer Fraud and Abuse Act (“CFAA”), the main federal anti-hacking statute, as prohibiting otherwise authorized access of electronically stored information when that access occurred for an improper purpose or outside the scope of the authorization. In the wake of a federal circuit split, the Court’s initial review of the CFAA will decide whether the statute can only be deployed against hackers and unauthorized users of electronic systems, or also against authorized users who use the information for unauthorized purposes. The Court’s decision may affect not only how law enforcement uses the CFAA, but also whether civil litigants, such as employers, may use the CFAA to defend against unauthorized employee activities.
Enacted in 1986, the CFAA was designed to combat computer-related crimes and has become an important and powerful tool for any business seeking to protect its intellectual property and computer systems. The CFAA imposes criminal liability on any person who “intentionally accesses a computer without authorization” or “exceeds authorized access” and, in doing so, obtains information from any protected computer. The CFAA also provides a civil cause of action for similar conduct.
The term “without authorization” is undefined, but the CFAA defines “exceeds authorized access” as “access[ing] a computer with authorization and [using] such access to obtain or alter information in the computer that the accessor is not entitled to obtain or alter.” As can be expected, there has been extensive litigation over the interpretation of “without authorization” and “exceeds authorized access.” This has led to a circuit split on what type of conduct actually constitutes a CFAA violation. In particular, courts have grappled with whether the language of the CFAA places the focus on how the individual accessed the information, rather than how or under what circumstances the individual used the information.
The First, Fifth, Seventh, and Eleventh Circuits have adopted a broad construction of the statute, allowing CFAA claims alleging an employee misused employer information that they were permitted otherwise to access. For example, in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (2006), the Seventh Circuit held that, where an employee accesses an employer’s computer or information to further interests adverse to the employer, the employee has violated the duty of loyalty and, in turn, “exceed[ed] authorized access” under the CFAA. In contrast, the Second, Fourth, and Ninth Circuits have taken a narrower approach to CFAA application, limiting employers’ claims under the CFAA. Claims must be based on the actions of employees who lack permitted access to information on computers, not the intent of employees who exceed a permitted use of employers’ information under company policies.
Van Buren provides the Supreme Court a much-anticipated chance to determine whether to interpret the CFAA broadly or narrowly and hopefully bring clarity to the law. The Court’s ruling will be consequential for cybersecurity strategies, company computer-use policies and ordinary internet, computer and smartphone users. The Court will hear arguments on this case in its next term, which begins in October.
We will continue to monitor the Van Buren case and provide updates on any significant developments.