FINALLY! Supreme Court to Clarify Computer Fraud and Abuse Act…
On November 30, 2020, the US Supreme Court will hear oral argument on an issue confounding lawyers, litigants and courts for decades. The Court will consider whether employees who permissibly access their work computer but use that access for some “unauthorized” purpose may be criminally and civilly liable under the federal Computer Fraud and Abuse Act (the CFAA). This simple but important question has frustrated practitioners and courts for years and has cut a dramatic 4-3 split among the federal appellate courts.
The CFAA was enacted in 1984, after computer hacking emerged as a concern but before computers were ubiquitous in the workplace. The statute provides that “[w]hoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information” from a “protected computer” commits a federal crime and is subject to civil suit by the aggrieved party (italics added). The CFAA defines a “protected computer” as a computer that is “used in or affects interstate commerce.” Requiring a connection to interstate commerce might have limited the reach of the CFAA in 1984, but courts today recognize that the CFAA covers any computer with Internet access.
When does computer use “exceed authorized access”?
The CFAA’s inartful reference to computer use that “exceeds authorized access” has resulted in decades of contentious litigation over the scope of the CFAA. The phrase apparently contemplates that a user initially permitted to use a computer will violate the CFAA if he proceeds to use the computer in an unauthorized manner. But by that reading, the CFAA turns many plain vanilla employment disputes into federal criminal and civil offenses. Employers regularly claim that employees mis-use work computers to access confidential information such as client lists, marketing plans, compensation data, etc. Did Congress really intend to federalize, and criminalize, such routine disputes? Criminal and employment attorneys have spilled barrels of ink in hundreds of civil and criminal cases trying to answer that question.
The result is a dramatic split between the federal circuit courts. The First, Fifth, Seventh, and Eleventh Circuit Courts have interpreted the CFAA broadly, holding that it applies when employees authorized to access a computer system use that access for an improper purpose. The Second, Fourth, and Ninth Circuits have interpreted the CFAA more narrowly, holding that employees violate the CFAA only if they access information on a computer that they are prohibited from accessing for any reason.
The Supreme Court weighs in
In April 2020, the Supreme Court granted cert. on an appeal from the Eleventh Circuit that squarely presented the conflict among the circuit courts. In Van Buren v. U.S., prosecutors charged Georgia police seargent Nathan VanBuren under the CFAA after he ran computerized background checks as a favor for an acquaintance who wanted to dig up dirt on people. Van Buren was authorized to access his department’s computerized background check system, but he used that system for an improper purpose. He was convicted of one count of computer fraud under the CFAA and sentenced to eighteen months in prison. He now asks the Supreme Court to vacate his conviction on the ground that the lower courts improperly applied the CFAA.
Many employment attorneys have been vexed for years by the scope of the CFAA. More importantly, many employees have been shocked to learn that their alleged unauthorized use of their work computer may subject them to federal criminal and civil liability. Hopefully, the Supreme Court clarifies the reach of the CFAA with a decisive decision soon after the November 30th oral argument. Watch for updates on this story!