SCOTUS Narrows Scope of Computer Access that can Violate the CFAA

On June 3, 2021, the U.S. Supreme Court issued its long-awaited ruling in Van Buren v. United States, Case No. 19-783, resolving a circuit split over what it means to illegally “exceed authorized access” to a computer under the Computer Fraud and Abuse Act of 1986 (CFAA).  The decision narrows the scope of CFAA claims and closes the door on bringing a CFAA claim when a person who can lawfully obtain certain information on a computer uses his authorized credentials to obtain that information for an improper purpose.  Slip Op. at 1.  Although the Court noted that this kind of computer misuse usually violates contractual obligations and workplace policies, it found that it does not violate the CFAA.  As a result, we expect to see a sharp drop in CFAA claims brought against departing employees and others for violating purpose-based limits on accessing, downloading, and printing company materials.

In a 6-3 decision written by Justice Barrett, the Court held that a person who has “authorized access” to certain information on a computer system does not “exceed” that authorized access or violate the CFAA by accessing that information for an “improper purpose.”  Under the CFAA, “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6).  The Court’s decision turned on the meaning of the phrase “is not entitled so to obtain,” which the Court held to simply mean information the person is not allowed to obtain “by using a computer that he is authorized to access.”  Slip Op. at 6.  The majority rejected arguments from the government and dissenting Justices Thomas, Alito, and Roberts that the phrase should also cover information the person is prohibited from accessing merely in certain circumstances or for certain purposes, reasoning that such circumstance-based limits have no support in the CFAA text.  Thus, the Court held that the CFAA is violated when a person obtains information “from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend.”   Slip Op. at 1.

The Supreme Court’s decision overturns Petitioner Van Buren’s conviction for computer fraud under the CFAA.  In that case, a jury found that Van Buren intentionally exceeded authorized access to a law enforcement database when he searched it for a license plate number he could exchange for money.  There was no dispute that Van Buren had authorized access to the law enforcement database, nor that he obtained the license plate number from that database.  The only question on appeal was whether he had “exceeded authorized access” when he obtained the license plate number for an improper purpose, as he had been trained not to use the database for personal use and knew that his search violated departmental policies.  Under the Supreme Court’s ruling, these facts no longer amount to a CFAA violation.  

The Court’s ruling resolves a circuit split over what usage of computer systems can violate the CFAA, and we expect that it will sharply curtail the ability to bring CFAA claims in both civil and criminal suits in jurisdictions that took a broader view of CFAA liability.  Because of their simplicity and ease of proof, CFAA claims have often been brought in cases based on workplace policy or terms of service infractions like improper downloading, printing, emailing, or copying of online materials by employees and other authorized computer system users.  After this case, liability for improper usage of information is likely to be based on trade secret misappropriation, breach of contract, copyright infringement, or common law tort claims. 

Both employers and employees should note that the Supreme Court’s decision left open whether the scope of a user’s “authorized access” is determined by technological limitations, or whether the user may be deprived of authorization to access certain materials through contractual or policy-based limits.  See Slip Op. at 13 n.8.   Employers should therefore keep maintaining and training employees on access and usage policies that govern employee access to materials, although it is generally preferable for security and privacy purposes to set employee permissions and access limits using technological means whenever possible.    

A copy of the opinion is available here.