Computer Fraud and Abuse Act: Supreme Court Ruling
Date: August 10, 2021
Employers can no longer rely on their contracts, policies, or industry standards as grounds for seeking a private suit against employees under the Computer Fraud and Abuse Act of 1986 (CFAA). The Supreme Court recently ruled that the CFAA did not regulate a person's authorized access to a computer for an improper purpose. The Court limited claims under the CFAA to a person who exceeds his/her authorized access.
CFAA Background
On June 3, 2021, the Supreme Court handed down a decision on a closely watched case involving the Computer Fraud and Abuse Act of 1986 (CFAA). The CFAA, while originally enacted to combat criminal computer hacking, was expanded in 1984 to allow civil remedies, opening the doors for companies to bring suit when their computer and IT infrastructure were compromised. Since then, employers have often sought to use the CFAA to pursue current and former employees for a variety of wrongful uses of computer-accessed information, especially where conduct involving the misappropriation of trade secrets, copyrighted, and other confidential information is involved.The CFAA, however, has long been the subject of scrutiny, especially with the latitude given to prosecutors and employers by several federal circuits. Over the years, a circuit split developed between whether liability was triggered only by accessing IT infrastructure without authorization or whether accessing IT infrastructure with an unauthorized purpose was sufficient to trigger liability under the statute.
Van Buren v. United States
In June, the Supreme Court resolved the split in case law in its decision in Van Buren v. United States, holding that liability under the CFAA is only triggered if the individual lacks authorization to access the device, not whether the individual accesses the devices for an unauthorized purpose. The Supreme Court’s holding will have far-reaching implications, not just in the criminal context, but also for employers faced with current or former employees that may use company devices improperly.Van Buren involved the decision of a former police sergeant to run a license-plate search in a law enforcement computer database in exchange for money. Van Buren, 2021 WL 2229206, at *4. Van Buren was charged with a felony violation of the CFAA on the basis that running the license plate violated the “exceeds authorized access” clause of 18 U.S.C. §1030(a)(2). Id.
Both parties agreed that Van Buren “access[ed] a computer with authorization” and “obtain[ed]…information in the computer.” Id. at *5. At issue in the case was whether Van Buren was “entitled so to obtain” that information. Id.
Van Buren’s narrow approach, and the approach that the Court ultimately adopted, was that being entitled “so to obtain” refers to whether one has the right, in “the same manner as has been stated,” to obtain the relevant information. Id. In this case, the only stated manner of obtaining information was “via a computer [one] is otherwise authorized to access.” Id.
Van Buren’s theory placed emphasis on the location of information rather than the purpose for which that information was being used. In other words, so long as an individual has authorized access to a particular device or, for example, a folder within that device, that individual does not violate the CFAA by accessing information on that device or within that folder, regardless of whether the information is being pulled for a prohibited purpose. See id.
The Government argued, and the Court declined to recognize, the idea that “so to obtain” should be read more broadly to refer to information that one was not allowed to obtain in the particular manner or circumstances in which he obtained it. Id. at *6. Unlike Van Buren’s approach, the Government’s theory rests on the purpose for which the information is being used, determined by “specifically and explicitly” communicated limits on one’s right to access information. Id. The Court ultimately expressed concern with the broad nature of this approach and argued that if adopted, the Government’s theory would encompass any limit anywhere in the United States Code, state statute, private agreement, or elsewhere. Id.
Application to the Employer-Employee Context
Employers have utilized the CFAA’s civil remedies to sue employees for a variety of wrongful uses of computer-accessed information, especially where conduct involving the misappropriation of trade secrets, copyrighted, and other confidential information is involved. Daniel J. Winters & John F. Costello, The Computer Fraud and Abuse Act: A New Weapon in the Trade Secrets Litigation Arena, 44 Intell. Prop. Newsl. 1, 2 (2005). Civil actions under the CFAA have tended to raise the same concerns regarding the definition of “authorized access” as criminal cases under the Act. The Court’s holding in Van Buren should narrow the applicability of the CFAA in the civil context, not just the criminal context.Generally, most courts have held that employees who have permission to access computers cannot act without authorization “unless and until their authorization to access the computer is specifically rescinded or revoked.” Mifflinburg Tel., Inc. v. Criswell, 277 F. Supp. 3d 750, 793 (M.D. Pa. 2017). This is an approach similar to the one adopted in Van Buren, where focus is placed solely on whether or not an employee has authorization to access a device.
Other courts, however, have taken a more purpose-focused approach; for example, some courts have held that an employee lacks authorized access when he or she violates a duty of loyalty to an employer. See Intl. Airport Centers, LLC v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006); P.C. Yonkers, Inc. v. Celebrations! The Party & Seasonal Superstore, LLC, 428 F.3d 504, 510 (3d Cir. 2005). In addition, a number of courts have held that an employee exceeds authorized access when his or her employer has policies that prohibit accessing information for non-business reasons. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).
While pending, Van Buren presented a potentially interesting effect on an employer’s use of the CFAA in suits against employees. The Government’s position, if adopted, could have theoretically expanded the number and type of instances in which an employer might sue an employee for wrongful use of computer-accessed information.
As acknowledged by the Court, “[e]mployers commonly state that computers and electronic devices can be used only for business purposes.” Van Buren, 2021 WL 2229206, at *11. Thus, the Government’s reading of the CFAA would have meant that “an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.” Id.
In addition, because of the purpose-centric nature of the Government’s approach, an employee who “lawfully pull[ed] information from Folder Y in the morning for a permissible purpose—say, to prepare for a business meeting,” could have subjected themselves to a CFAA violation and potential suit after “unlawfully pull[ing] the same information from Folder Y in the afternoon for a prohibited purpose—say, to help draft a resume to submit to a competitor employer.” Id. at *6.
The Court’s decision in Van Buren has bridged the divide on the meaning of “authorized access” in the context of employer-employee litigation. In adopting a definition of access that refers solely to whether or not an individual was authorized to use a device, Van Buren has drastically narrowed the scope of CFAA liability and has ultimately created a shift in power from employers to employees. Employers are now limited to bringing actions only in cases where employees lack authorization to use a device, even if employees are using information from that device in a manner that is adverse to the employer.
Whiteford, Taylor & Preston
The attorneys at Whiteford, Taylor & Preston are experienced in advising employers on all matters related to employee use of employer resources. If you have a question, contact one of our experienced labor and employment attorneys.The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.