Supreme Court Narrows Liability Under the Computer Fraud and Abuse Act
June 7, 2021 | By: Lawrence Bluestone, Esq., Katherine Szabo, J.D. Candidate 2022
Late last week, the U.S. Supreme Court issued a decision that narrows the scope of a statute used by the Government and private parties against individuals who access computer systems without authorization. The decision in Van Buren v. United States resolved a split among lower courts, limiting both civil and criminal liability under the Computer Fraud and Abuse Act (CFAA), a statute that prohibits individuals from “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing]…information from any protected computer.” CFAA, 18 U.S.C. § 1030(a)(2)(C). The CFAA also creates a civil remedy for parties that suffer damages as a result of unauthorized computer access.
At issue was the concept of “exceed[ing] authorized access,” defined in the statute as accessing a computer “with authorization,” but obtaining or altering “information in the computer that the accesser is not entitled so to obtain or alter.” CFAA, 18 U.S.C. § 1030(e)(6). Van Buren, a police sergeant, was prosecuted and convicted under the CFAA after he used his access to a law enforcement database for personal reasons in violation of his employment agreement. Under the Supreme Court’s decision, Van Buren is not liable under the CFAA, because he was authorized to access the specific computer files he accessed, even if he accessed them for improper purposes or did so outside the bounds of his private agreement.
In addition to narrowing criminal liability, the Supreme Court’s decision limits a remedy that private companies have relied on in the civil context, most notably to seek relief against employees or former employees who may have been authorized to access company data for certain purposes, but who accessed the same data for an improper purpose (for instance, to take the data to a competitor or to directly compete with the company).
Businesses should be aware that individuals with access to their computer systems can no longer be held civilly liable for exploiting that access under the CFAA. Although other remedies may be available, the removal of the CFAA as a potential claim may prevent companies from accessing the federal courts in certain contexts.
For more information on the Computer Fraud and Abuse Act or other measures companies can take to protect their data, please contact Jennifer Borek, Esq., Partner in the Complex Commercial Litigation Practice Group via email here, or Lawrence Bluestone, Esq., Counsel in the Complex Commercial Litigation Practice Group, via email here, or 973.535.4434.