Supreme Court Finds Employee’s Misuse of Authorized Access Does Not Violate Computer Fraud and Abuse Act
In a criminal case with employment implications, the U.S. Supreme Court ruled that there is no violation of the Computer Fraud and Abuse Act (CFAA) when an employee misuses information obtained through their authorized computer access.
Background of the Case. The CFAA provides for civil and criminal penalties against someone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer.” Employers have relied on this law as one means of addressing employee theft of trade secrets or other misuse of confidential information. However, as we discussed in our September 2020 E-Update, the federal appellate courts were split on the interpretation of “exceeds authorized access.” The Second, Fourth, Sixth and Ninth Circuits have held misuse of information that is validly accessed is not a violation of the CFAA, while the First, Fifth, Seventh, Eighth and Eleventh Circuits have interpreted the language more broadly to prohibit the misuse of information that the employee was authorized to access.
In Van Buren v. United States, a police sergeant was paid by a third party to run a license plate search in a law enforcement database that he was authorized to access in violation of a departmental policy that prohibited obtaining database information for non-law enforcement purposes. He was convicted of a felony violation of the CFAA, and his conviction was affirmed by the U.S. Court of Appeals for the Eleventh Circuit. He then appealed to the Supreme Court.
The Supreme Court’s Ruling. The Supreme Court overturned his conviction, finding that his misuse of information that he was authorized to access was not a violation of the CFAA. Rather, the Supreme Court held that an individual “exceeds authorized access” when they access a computer with authorization but then obtain information located in particular areas of the computer—such as files, folders, or databases— that are off-limits to them. But the CFAA “does not cover those who … have improper motives for obtaining information that is otherwise available to them.”
The Supreme Court noted that employers commonly state that computers should be used only for business purposes. In rejecting the government’s argument that a violation of a computer-use policy is also a violation of the CFAA, the Supreme Court somewhat wryly commented “then an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA” – a result that renders millions of otherwise law-abiding citizens to be criminals.
What This Means for Employers. Employers will not be able to invoke the CFAA against employees who misuse company confidential information that they are authorized to access for personal gain. But they may still be able to proceed against those employees under the federal Defend Trade Secrets Act, similar state trade secret laws and, if confidential information agreements exist, for breach of such agreements. This emphasizes the importance of confidential information agreements in situations where employers have significant confidential information that they need to protect against theft or disclosure by employees, as well as more technical safety measures to ensure that employees and others cannot access systems without authorization.