On June 3, 2021, the Supreme Court issued its opinion in Van Buren v. United States, resolving the circuit split on whether the “unauthorized access” clause of the Computer Fraud and Abuse Act (CFAA) applies only to those who obtain information to which their computer access does not extend, or whether it also applies to those who misuse access that they otherwise have. In a 6-3 opinion authored by Justice Barrett, the Court ruled that the “exceeds authorized access” prong of 18 U.S.C. §1030(a)(2) applies when an individual accesses a computer with authorization, but then obtains information located within the computer that is off limits to the user. In so holding, the Court refused to extend liability under this prong of the CFAA when a user authorized to access a computer accesses its information for an improper purpose.
The CFAA, enacted in 1986 as an amendment to the Comprehensive Crime Control Act of 1984, contains numerous provisions providing for criminal and civil liability aimed at computer hackers. Its broadest provision, Section 1030(a)(2), subjects to criminal liability anyone who intentionally accesses a computer “without authorization” or “exceeds authorized access” and thereby obtains information (18 U.S.C. §1030(a)(2)). Courts throughout the country have almost universally held that the “without authorization” prong applies to outside hackers, or those who have no permission to access information. On the other hand, a deep circuit split has developed over the scope of liability for those authorized in some way to access a computer under the “exceeds authorized access” prong of the CFAA, which is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The First, Fifth, Seventh, and Eleventh Circuits have imposed CFAA liability under its “exceeds authorized access” prong on individuals who had permission to access information but did so for an improper or unauthorized purpose. In Van Buren, the Eleventh Circuit affirmed a jury’s finding that a police officer violated the CFAA by using his police computer — which he was authorized to access — to look up a person’s license plate number for money, which was forbidden under official police policy. However, the Second, Fourth, Sixth, and Ninth Circuits have applied a narrower interpretation, refusing to extend liability to a person who has permission to access the computer and information at issue, but then subsequently uses the information for an improper purpose.
Adopting the narrow approach, the Court held that a user “exceeds authorized access” when accessing a computer with authorization, but then using that authorization to access or obtain information located within the computer to which the user lacks permission. In so holding, the Court applied a textualist analysis as to whether Van Buren was “entitled so to obtain” the information at issue.
Van Buren argued that this phrase refers back to the CFAA’s language, meaning the “exceeds authorized access” prong does not impose liability for one who accesses information stored in a computer from which the person could permissibly obtain information — no matter the purpose. Under these circumstances, a person does not violate the CFAA even if the information was obtained for a prohibited purpose. Instead, as Van Buren argued, the plain language only imposes liability on those who access information in a prohibited location, such as a folder to which the user does not have access, even though the user is permitted to access the computer or network more generally.
In response, the government argued that the phrase “entitled so to obtain” is meant to apply to capture “any circumstance-based limit appearing anywhere.” Under this interpretation, an individual could be found liable under CFAA if the access was in violation of an access-based limitation found “in the United States Code, a state statute, a private agreement, or anywhere else.”
Ultimately, Justice Barrett and the majority rejected the government and the dissent’s expansive interpretation, finding Van Buren’s interpretation “more plausible,” reasoning that the word “so” within this phrase was meant to refer to the preceding text of the CFAA. Referring to other federal statutes that have been similarly interpreted, the Court found that the phrase “is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.” Critical to the Court’s reasoning was the rejection of the government’s argument that the word “so” would be rendered superfluous by Van Buren’s interpretation. The Court noted that the use of the word “so” made clear that the statute was intended to cover what a person does on a computer. As the Court explained, without this word, an individual could argue that the hacking of a restricted file was not a violation because the person was “entitled to obtain” the information through another manner, such as by requesting hard copies. However, with “so,” the CFAA “forecloses that theory of defense” by focusing on the CFAA’s purpose: what a person does on a computer.
In support of this approach, the Court also explained that Van Buren’s approach harmonized both prongs of liability under CFAA. Seeking an interpretation that would “make sense of the statutory structure,” the Court agreed that liability under CFAA hinged on a “gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” Under this framework, the Court foreclosed any consideration of the purpose or motive for accessing and subsequently using the information.
Lastly, the Court pointed to policy reasons supporting Van Buren’s narrow reading of the CFAA. The Court explained that if the “exceeds authorized access” clause “criminalizes every violation of a computer-use policy,” then “everything from embellishing an online-dating profile to using a pseudonym on Facebook” would turn “millions of otherwise law-abiding citizens” into federal criminals. Such an interpretation, the Court found, would “inject arbitrariness into the assessment of criminal liability” that could not be left to the whims of prosecutorial discretion.
The Court’s first decision addressing the CFAA has wide-ranging implications for businesses and prosecutors across the country. In recent years, entities have relied on the CFAA’s private right of action to target “disloyal employees” who, for example, access company information such as trade secrets, then use it after beginning work for a competitor. The Court’s opinion in Van Buren should cause businesses to rethink their approach to protecting against and remedying “inside” data breaches, such as by preventing physical access to sensitive data such as trade secrets by those without a need to see it, or by beefing up their internal policies and agreements as to access to such information. While other federal statutes (such as the Defend Trade Secrets Act), similar provisions under state law, other criminal laws, and employee agreements remain as viable legal remedies to address such breaches after they occur, a prudent business would be well served by reviewing the measures it can take to prevent access to its most sensitive information in the first place. If a disloyal current or former employee still bypasses those measures, then the CFAA will provide another remedy, notwithstanding the limitations of the Court’s ruling in Van Buren.