The Supreme Court’s recent decision in Van Buren v. United States, — S. Ct. —-, 2021 WL 2229206 (2021) resolved a longstanding Circuit split regarding the scope of liability under the Computer Fraud and Abuse Act of 1986 (CFAA), 18 U.S.C. § 1030 et seq. As we previewed last year, Van Buren addressed whether a person “exceeds authorized access” within the meaning of the CFAA when accessing information on a computer for an improper purpose. In an Opinion authored by Justice Barrett, the Supreme Court ruled, 6-3, that the CFAA does not cover those who have improper motives for obtaining computerized information they are otherwise authorized to access.
The Van Buren case arose out of a federal prosecution against a former Georgia police sergeant who used the state law enforcement computer database to run a license-plate search on behalf of an individual who promised to pay the sergeant around $5,000. Van Buren searched the database using his valid credentials and told the individual he had information to share. But the promise of $5,000 was a ruse devised as part of an FBI sting operation. The federal government charged Van Buren with a felony violation of the CFAA on the ground that running the license plate search in exchange for an illicit payment violated the “exceeds authorized use” clause of 18 U.S.C. § 1030(a)(2). Van Buren was convicted and sentenced to 18 months in prison.
Van Buren appealed to the Eleventh Circuit, which affirmed his conviction and held that he had violated the CFAA by accessing the law enforcement database for an “inappropriate reason.” 940 F.3d 1192, 1208 (11th Cir. 2019). The Supreme Court granted Van Buren’s cert. petition and reversed.
To determine the proper interpretation of the “exceeds authorized access” clause, the Supreme Court focused primarily on the statutory text. Under the CFAA, the phrase “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain … information in the computer that the accesser is not entitled so to obtain.” 18 U.S.C. § 1030(e)(6) (emphasis added). The parties agreed that Van Buren accessed a computer “with authorization” when he used his patrol-car computer and credentials to log into the law enforcement database. They also agreed Van Buren obtained information “in the computer” when he pulled the license-plate record. The dispute thus centered on the discrete issue of whether he was “entitled so to obtain” the record.
Van Buren contended that the disputed phrase—“is not entitled so to obtain”—referred only to information a person is not allowed to obtain by using a computer that he is authorized to access. For example, if a person has authorized access to the contents of a computer folder, then he does not violate the CFAA by obtaining information from that folder—even if he pulled the information for a prohibited purpose. In contrast, the government argued the phrase swept more broadly to cover any type of unauthorized activity, including conduct not identified in the CFAA (e.g., pulling a license plate in violation of police department policy). The Supreme Court was troubled that the government’s reading of the statute lacked a limiting principle and could result in almost boundless liability.
Forcefully rejecting the government’s argument as inconsistent with the text and structure of the CFAA, the Supreme Court sided with Van Buren and concluded an individual “exceeds authorized access” only “when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Slip Op. at 20. And because Van Buren was authorized to use the law enforcement database to retrieve license-plate information, he did not “excee[d] authorized access” to the database under the CFAA. The fact Van Buren obtained information for an “improper purpose” did not suffice to make him criminally liable.
Although Van Buren was a criminal case, the structure of CFAA strongly suggests that the Supreme Court’s holding will apply in civil cases as well. The Court specifically noted that those who violate Section 1030(a)(2) “also risk civil liability under the CFAA’s private cause of action.” Slip Op. at 2. The Court also found CFAA’s civil penalties “ill fitted” “to remediating ‘misuse’ of sensitive information that employees may permissibly access using their computer,” id. at 15—indicating the Supreme Court was mindful of the ruling’s implications for civil litigation under CFAA. And the same statutory definition of “exceeds authorized access” governs in both criminal and civil cases.
As a result, Van Buren could have wide-ranging implications for employment law and trade secrets litigation. Van Buren effectively abrogates the previously controlling decisions in the First, Fifth, Seventh and Eleventh Circuits that held the “exceeds authorized access” clause applies to those who misuse computer access they already have.
Going forward, plaintiffs and prosecutors in those jurisdictions likely cannot establish a CFAA violation based solely on an individual’s violation of a computer-use policy, violation of a website’s terms of service, or emailing trade secrets the individual already had authorization to access within the scope of employment. The Supreme Court was sensitive to these concerns and refused to adopt an interpretation of the statute that “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” Slip Op. at 17.
Post-Van Buren, a person cannot be held criminally liable under the CFAA’s “exceeds authorized access” clause unless the person actually obtains information from a computer that falls outside the bounds of his or her original access. If lower courts apply Van Buren’s holding to criminal and civil cases alike, the “improper purpose” theory of CFAA liability will be totally eliminated.