“So” Entitled Under the CFAA

By James Juo.

The U.S. Supreme Court in Van Buren v. United States, No. 19-783 (Jun. 3, 2021), has adopted a narrow interpretation of the Computer Fraud and Abuse Act (“CFAA”), a criminal and civil statute sometimes referred to as the federal anti-hacking law, holding that it is limited to violations of technological restrictions and does not reach violations of a computer-use policy. The CFAA imposes liability on a person who “intentionally accesses a computer without authorization” or “exceeds authorized access” to obtain information from a protected computer.

Historically, the CFAA had been asserted to cover a wide range of activity such as: cracking or stealing passwords; exploiting code-based security flaws; launching a denial of service attack on a website; spoofing IP addresses to avoid access restrictions; allowing an unauthorized person to use the valid password of another; violating a website’s ever-changing Terms of Service; and accessing information stored on an employer’s computer for a competing business. Many civil cases under the CFAA arose from trade secret and employment litigation where a defendant having authorized credentials accessed information intending to misuse that information.

A circuit split developed over how to interpret “without authorization” and “exceeds authorized access” under the CFAA. The First, Fifth, Seventh, and Eleventh Circuits broadly interpreted the CFAA to prohibit, in addition to traditional computer hacking, use-based violations such as misusing computer data that the user was otherwise authorized to access. The Second, Fourth, and Ninth Circuits, on the other hand, had adopted a narrower interpretation of the CFAA that focused on technological restrictions and not violations of a company’s computer use policies.

Such was the state of the law before the Van Buren case in the Supreme Court, where Nathan Van Buren, a Georgia police officer, had been convicted of violating the CFAA for improperly using the Georgia Crime Information Center (“GCIC”) database on behalf of an acquaintance who wanted to learn whether or not a dancer at a local strip club was an undercover officer. As a police officer, he was supposed to run database searches only for law enforcement purposes, but instead ran the search for a $6,000 cash payment. Unfortunately for Mr. Van Buren, it was part of a sting operation.

Mr. Van Buren was arrested by the FBI, convicted under the CFAA, and sentenced to 18 months in prison. The Eleventh Circuit, one of the circuits following the broader interpretation of the CFAA, upheld his conviction.

The Supreme Court, starting with the words of the statute, stated that the most relevant text is the phrase “exceeds authorized access,” which means “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.” 18 U.S.C. § 1030(e)(6). The Court concluded that the word “so” in the disputed phrase “entitled so to obtain” references the previously stated manner or circumstance in the text of Section 1030(e)(6), which was “via a computer [one] is otherwise authorized to access.” Also, without the word “so” in the statutory text, “the statute would allow individuals to use their right to obtain information in nondigital form as a defense to CFAA liability.” So “[t]he phrase ‘is not entitled so to obtain’ is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.”

This interpretation “makes sense of the statutory structure because it treats the ‘without authorization’ and ‘exceeds authorized access’ clauses consistently.” Describing this as a “gates-up-or-down inquiry,” the Court stated that “one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.”

In addition, the jurisdictional “damage” for civil liability under the CFAA was focused on technological harms such as the corruption of electronic files and data. And Van Buren’s misuse of the license plate database did not impair the integrity or availability of data or otherwise harm the database system itself.

The Court also observed that “[b]ecause purpose-based limits on access are often designed with an eye toward information misuse, they can be expressed as either access or use restrictions.” Under the broader interpretation, conduct would violate the CFAA only if an employer’s computer use policy were phrased as an “access” restriction (e.g., prohibit using a database for a non-law-enforcement purpose) rather than as a “use” restriction (e.g., prohibit using information from a database for a non-law-enforcement purpose). “An interpretation that stakes so much on a fine distinction controlled by the drafting practices of private parties is hard to sell as the most plausible.”

“In sum, an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Here, even though information from the database had been obtained for an improper purpose, there was no violation of the CFAA and the contrary judgment of the Eleventh Circuit was reversed.

Although a company’s computer-use policy would no longer be a basis for a CFAA claim against a disloyal employee, businesses could still have recourse, instead of the CFAA, through claims for trade secret misappropriation, including under the Defend Trade Secrets Act (“DTSA”), or for breach of contract.

The commercial litigation attorneys at Thomas P. Howard, LLC can evaluate whether the CFAA or another legal claim applies to your case.