On June 3, the Supreme Court issued its opinion in Van Buren v. United States,[1] holding that the Computer Fraud and Abuse Act of 1986 (CFAA) does not create liability when a user who is authorized to access information on a computer does so in a manner that violates an acceptable use policy. The Court’s decision significantly narrows the scope of the CFAA, which now applies only to hackers — that is, to users that breach code-based or otherwise absolute barriers in order to obtain access to information on a computer. In light of the Court’s narrow interpretation of the CFAA, which removes a deterrent to employee misconduct, businesses should take additional steps to protect against employee misuse of databases that contain personal information or sensitive business information.

The Court’s Decision. In Van Buren, the Court was asked to decide whether police officer Nathan Van Buren violated the CFAA when he ran a license plate search in a law enforcement computer database in exchange for money. The entire transaction, however, was part of an FBI sting. And Van Buren was charged with violating the CFAA because the license plate search was for “an improper purpose” and thus breached departmental policy. A jury convicted Van Buren, and the district court sentenced him to 18 months in prison.

Before the Supreme Court, Van Buren argued that the CFAA does not apply when, as with his conduct, a user is authorized to access a database but misuses his or her access privileges.

The Supreme Court agreed. Writing for a six-justice majority, Justice Barrett noted that the CFAA creates criminal and civil liability for a user who “intentionally accesses a computer without authorization,” as well as for a user who “exceeds authorized access.”[2] She then noted that the CFAA defines the phrase “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”[3]

According to Justice Barrett, the “so” in the disputed phrase — “is not entitled so to obtain” — “refers to a stated, identifiable proposition” in the preceding text. Specifically, the “so” is “best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.”

Based on that reading of the disputed phrase, Justice Barrett interpreted the CFAA to apply only to hackers. She noted that the “without authorization” clause of the CFAA targets “outside hackers — those who access a computer without any permission at all,” while the “exceeds authorized access” clause of the CFAA targets “inside hackers — those who access a computer with permission, but then exceed the parameters of authorized access by entering an area of the computer to which that authorization does not extend.” In other words, “liability under both clauses stems from a gates-up-or-down inquiry — one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.”

Importantly, however, the Court did not decide whether the now-controlling “gates-up-or-down inquiry” must focus exclusively on technological barriers to access. Instead, that question was put off, with Justice Barrett noting that the Court did not for “present purposes” need to “address whether this inquiry turns only on technological (or ‘code based’) limitations on access, or instead also looks to limits contained in contracts or policies.”

Before the Court’s ruling in Van Buren, four circuit courts had adopted a much broader reading of the CFAA’s “exceeds authorized access” clause. For instance, the First Circuit had interpreted the clause to apply when a user who was authorized to access information did so with the intent of disclosing the information in violation of a confidentiality agreement.[4] The Fifth Circuit had interpreted the clause to apply when a user who was authorized to access information did so with the intent of committing a fraud in violation of an employment policy.[5] The Seventh Circuit had interpreted the clause to apply when a user who was authorized to access information did so with the intent of deleting information and thus harming his soon-to-be former employer.[6] And the Eleventh Circuit had interpreted the clause to apply when a user who was authorized to access information for business purposes did so for personal purposes.[7] Under the Court’s decision in Van Buren, however, none of those types of misconduct would fall within the scope of the CFAA’s “exceeds authorized access” clause.

Our Take. The Court’s narrow interpretation of the CFAA removes a deterrent to employee misconduct. The broader interpretation of the CFAA — which, again, had been adopted by four circuit courts — left open potential federal criminal and civil liability for any employee who was authorized to access a computer database but did so for an improper purpose or in violation of an employment policy.

With that deterrent removed, and in an age in which privacy violations are likely to lead to lawsuits and government enforcement actions, businesses should take additional steps to protect against employee misuse of databases that contain personal information or sensitive business information. Businesses should, for instance:

  1. Review their data retention policies and procedures to ensure that personal information and sensitive business information are kept no longer than necessary;
  2. Review their employee and vendor onboarding procedures to ensure that employees and vendors are appropriately vetted;
  3. Review their employee and vendor contracts to ensure that employees and vendors are prohibited from misusing personal information and sensitive business information;
  4. Review their employee and vendor policies to ensure that employees and vendors are aware that their use of personal information and sensitive business information will be monitored and that any related misconduct will be disciplined;
  5. Review their data classification and mapping policies to ensure that employees and vendors only have access to personal information and sensitive business information that they must have in order to perform their duties;
  6. Review the technical (code based) controls that govern access to their databases of personal information and sensitive business information to ensure that written data classification policies are complemented by access controls; and
  7. Audit employees and vendors to ensure that they are in fact abiding by governing policies and controls.
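Items 5 through 7 come together in practice as a code-based gate backed by an audit of who actually touched what. The following is an added illustration, not part of the alert and not any particular product's implementation: a data classification map, per-role entitlements that put the gate up or down for each table, and an audit pass over constructed access-log lines that flags accesses the gate should have blocked and unusually large pulls of personal or sensitive data. The names (`CLASSIFICATION`, `ROLE_ENTITLEMENTS`, `access_gate`, `audit_access_log`) and the log format are assumptions for illustration.

```python
"""Added example (not from the alert): a 'gates-up-or-down' access gate
for databases of personal information plus an audit over access logs.
All names and the log line format below are assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass

# Data classification map (item 5): each table carries a sensitivity label.
CLASSIFICATION = {
    "vehicle_registrations": "personal",
    "customer_contacts": "personal",
    "pricing_models": "sensitive_business",
    "press_releases": "public",
}

# Least-privilege entitlements (items 5 and 6): a role reaches only the
# tables its duties require. Anything not listed is gate-down.
ROLE_ENTITLEMENTS = {
    "records_clerk": {"vehicle_registrations"},
    "sales": {"customer_contacts", "press_releases"},
    "finance": {"pricing_models"},
    "vendor_support": {"press_releases"},
}


@dataclass(frozen=True)
class AccessEvent:
    user: str
    role: str
    table: str
    rows: int


def access_gate(role: str, table: str) -> bool:
    """Code-based control: the gate is either up or down for this role/table."""
    return table in ROLE_ENTITLEMENTS.get(role, set())


def parse_log_line(line: str) -> AccessEvent:
    """Parse a constructed log line such as
    'user=alice role=sales table=customer_contacts rows=12'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return AccessEvent(fields["user"], fields["role"], fields["table"], int(fields["rows"]))


def audit_access_log(lines, row_threshold: int = 500):
    """Audit (item 7). Returns findings of two kinds:
    OUT_OF_ENTITLEMENT: an access the gate should have refused, which means
        the technical control does not match the written policy;
    HIGH_VOLUME: a user who pulled more rows of personal or sensitive data
        than the threshold, a signal that warrants human review even though
        every individual access was within entitlement."""
    findings = []
    rows_by_user = Counter()
    for line in lines:
        ev = parse_log_line(line)
        if not access_gate(ev.role, ev.table):
            findings.append(("OUT_OF_ENTITLEMENT", ev.user, ev.table))
        if CLASSIFICATION.get(ev.table) in ("personal", "sensitive_business"):
            rows_by_user[ev.user] += ev.rows
    for user, total in rows_by_user.items():
        if total > row_threshold:
            findings.append(("HIGH_VOLUME", user, total))
    return findings


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "user=alice role=sales table=customer_contacts rows=12",
    "user=bob role=vendor_support table=customer_contacts rows=3",
    "user=carol role=records_clerk table=vehicle_registrations rows=800",
    "user=dave role=finance table=pricing_models rows=40",
]

if __name__ == "__main__":
    for finding in audit_access_log(SAMPLE_LOG):
        print(finding)
```

Two points the example makes concrete. First, the gate is binary: a role is either entitled to a table or it is not, which is exactly the kind of code-based limitation the Court treats as the CFAA's domain. Second, a purpose-based misuse such as the one in Van Buren, a lookup by a user whose gate was up, is invisible to the gate itself; it surfaces, if at all, only through the audit layer (volume, timing, or correlation with a legitimate business need), which is why the alert lists auditing as a separate step rather than folding it into access control.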

[1] Van Buren v. United States, No. 19-783 (U.S. June 3, 2021).

[2] 18 U.S.C. § 1030(a)(2).

[3] 18 U.S.C. § 1030(e)(6).

[4] EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).

[5] United States v. John, 597 F.3d 263 (5th Cir. 2010).

[6] Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006).

[7] United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).