In a 6-3 decision, the Supreme Court has ruled that an individual “exceeds authorized access” in violation of the Computer Fraud and Abuse Act when “he accesses a computer with authorization but then obtains information located in particular areas of the computer — such as files, folders, or databases — that are off limits to him.” Van Buren v. United States, 141 S. Ct. 1648, 1662 (2021).
An individual does not violate the statute when he obtains information that he otherwise has authority to access but does so for an improper purpose. Id.
Following Van Buren, it is no longer relevant for purposes of CFAA liability that an employee obtains computer information for an unauthorized purpose.
The court’s eagerly awaited decision has finally resolved a split among the circuits and will significantly limit the types of cases that may be brought under the statute.
CFAA: history, circuit split prior to ‘Van Buren’
The CFAA was enacted by Congress in 1986 as a response to the emergence of computer crimes. (It is said that the CFAA was inspired in part by the 1983 film “WarGames,” in which a love-struck teenager (Matthew Broderick) unwittingly hacks a U.S. military supercomputer and brings the United States to the brink of World War III.)
Originally envisaged as an anti-hacking statute, the CFAA (among other things) creates criminal liability for anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer[.]”1 18 U.S.C. §1030(a)(2).
A person who violates subsection (a)(2) may face fines and/or up to 10 years in prison. Id. §1030(c)(2). The CFAA also creates a private right of action for those who have suffered “damage or loss” as a result of any such violation. Id. §1030(g).
The CFAA defines “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter[.]” Id. §1030(e)(6).
The statute does not explain what it means to “obtain or alter information … that the accesser is not entitled so to obtain or alter[.]” (Emphasis added.)
Prior to Van Buren, courts interpreting the CFAA were split. The 1st, 5th, 7th, 8th and 11th circuits interpreted the “exceeds authorized access” clause broadly to extend to instances in which a person who has authority to access computer information nevertheless does so for an unauthorized purpose (such as an employee taking information for use in his or her next job).
The 2nd, 4th, 6th and 9th circuits, by contrast, interpreted the CFAA more strictly as an anti-hacking statute, holding that (a)(2) does not extend that far. In those circuits, a person’s motives for accessing computer information did not matter — it only mattered that the person had authority to access the information in the first place.
Thus, prior to Van Buren, a person’s liability under the CFAA might turn on the jurisdiction in which the case was brought.
‘Van Buren’ facts and procedural history
Enter Van Buren. Nathan Van Buren was a police sergeant in Cumming, Georgia. In 2015, at the request of a civilian and in exchange for money, he ran a license plate search using an official government database. In doing so, he knowingly violated department policy that the database was to be used for law enforcement purposes only.
As a result of his actions, among other things, Van Buren was convicted of felony computer fraud in violation of the CFAA and sentenced to 18 months in prison. Van Buren appealed his convictions to the 11th Circuit.
The 11th U.S. Circuit Court of Appeals observed that although Van Buren’s appeal was “styled as a sufficiency-of-the-evidence challenge,” it really sought to overrule the court’s prior holding in United States v. Rodriguez, which adopted a broad view of the scope of the CFAA. (In that case, the court held that a Social Security Administration employee “exceeded his authorized access” and violated the CFAA when he obtained personal information from his employer’s database for a nonbusiness reason, in violation of agency policy. United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010), abrogated by Van Buren v. United States, 141 S. Ct. 1648 (2021).)
Pointing to decisions from other circuits (narrowly applying the CFAA and criticizing Rodriguez’s broad interpretation), Van Buren echoed Rodriguez’s argument, contending that he was innocent “because he accessed only databases that he was authorized to use, even though he did so for an inappropriate reason.”
Bound by the prior-precedent rule, however, the 11th Circuit applied the holding in Rodriguez and upheld Van Buren’s conviction for computer fraud.
Van Buren petitioned the Supreme Court for a writ of certiorari, which the court granted on April 20, 2020.
Supreme Court’s analysis in ‘Van Buren’
Thus, the issue before the Supreme Court was whether Van Buren “exceeded his authorized access” in violation of the CFAA when he obtained license plate information (using his valid credentials) for personal purposes.
In particular, the parties disputed whether Van Buren was “entitled so to obtain” the information. Van Buren, 141 S. Ct. at 1654.
Focusing on the text of the statute, the court agreed with Van Buren that the word “so,” as used in the CFAA, “serves as a term of reference that recalls ‘the same manner as has been stated’ or ‘the way or manner described.’” Id.
Therefore, the court held, “[t]he phrase ‘is not entitled so to obtain’ is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.” Id. at 1655. As the court noted:
“On this reading, if a person has access to information stored in a computer — e.g., in ‘Folder Y,’ from which the person could permissibly pull information — then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited ‘Folder X,’ to which the person lacks access, he violates the CFAA by obtaining such information.” Id. at 1654.
In reaching that conclusion, the court rejected the government’s argument that the phrase “is not entitled so to obtain” should be read more broadly “to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it” based on “‘specifically and explicitly’ communicated limits on one’s right to access information.” Id. at 1654-55 (emphasis in original).
The court found the government’s interpretation in that regard inconsistent with the meaning of the word “so” (referring to a “manner or circumstance” already “stated,” “asserted” or “described”) and otherwise lacking textual support. Id. at 1655.
The court also rejected the government’s argument that Van Buren’s reading of the statute would render the word “so” superfluous, finding instead that the statute’s inclusion of the word forecloses certain defenses (i.e., that the defendant was entitled to obtain the same information through other means). Id. at 1656.
The court rejected several other arguments advanced in favor of the government’s broad reading — including concerning the import of the word “entitled,” the “common parlance” meaning of the phrase “exceeds authorized access,” and various arguments concerning precedent and statutory history — and further found that the structure of the statute cut against the government’s position. In this regard, the court found the interaction between the two clauses of subsection (a)(2) to be “particularly probative”:
“Van Buren’s account of subsection (a)(2) makes sense of the statutory structure because it treats the ‘without authorization’ and ‘exceeds authorized access’ clauses consistently. Under Van Buren’s reading, liability under both clauses stems from a gates-up-or-down inquiry — one either can or cannot access a computer system, and one either can or cannot access certain areas within the system. And reading both clauses to adopt a gates-up-or-down approach aligns with the computer-context understanding of access as entry.
“By contrast, the Government’s reading of the ‘exceeds authorized access’ clause creates ‘inconsistenc[ies] with the design and structure’ of subsection (a)(2). As discussed, the Government reads the ‘exceeds authorized access’ clause to incorporate purpose-based limits contained in contracts and workplace policies. Yet the Government does not read such limits into the threshold question whether someone uses a computer ‘without authorization’ — even though similar purpose restrictions, like a rule against personal use, often govern one’s right to access a computer in the first place. Thus, the Government proposes to read the first phrase ‘without authorization’ as a gates-up-or-down inquiry and the second phrase ‘exceeds authorized access’ as one that depends on the circumstances. The Government does not explain why the statute would prohibit accessing computer information, but not the computer itself, for an improper purpose.” Id. at 1658-59 (internal footnotes and citations omitted).
On a final note, the court observed that the government’s interpretation of the CFAA would attach criminal liability to “a breathtaking amount of commonplace computer activity” (including, for example, sending personal emails over a work computer in violation of an employer’s policies or breaching a website’s terms and conditions) and, moreover “inject arbitrariness into the assessment of criminal liability” based, e.g., on the “drafting practices of private parties[.]” Id. at 1661-62.
The court thus held that an individual “exceeds authorized access” in violation of the CFAA “when he accesses a computer with authorization but then obtains information located in particular areas of the computer — such as files, folders, or databases — that are off limits to him.” Id. at 1662.
Because Van Buren was authorized to use the system to obtain license plate information, he did not “excee[d] authorized access” to the database. The court reversed the 11th Circuit’s decision and remanded for further proceedings consistent with its opinion. Id.
Broader impact of case and takeaways
Although the Van Buren decision was only issued on June 3, it has already been cited by at least three opinions, including by the Supreme Court itself in the high-profile data scraping case Linkedin Corp. v. hiQ Labs, Inc., ___ S. Ct. ___, 2021 WL 2405144 (Mem) (2021) (concerning the legality of using bots to scrape information from public websites under the CFAA).
It is highly likely that courts will continue to look to the landmark case in the years to come.
The Van Buren decision has effectively returned the CFAA to its intended form as an anti-hacking statute, targeting external and internal hackers and centering around a gates-up-or-down inquiry.
This holding holds particular significance for trade secrets owners (such as employers) in those circuits that had previously interpreted the statute broadly.
Following Van Buren, it is no longer relevant for purposes of CFAA liability that an employee obtains computer information for an unauthorized purpose. Employers must now show that, in obtaining the computer information, the employee accessed a computer, or an area of a computer (such as a file, folder or database), that was off-limits to him.
Accordingly, employers who are interested in potentially preserving the option of bringing a CFAA claim may want to consider establishing internal firewalls on their computer systems and technologically cordoning their employees from information that they do not need to know in order to perform their roles.
(Doing so is also helpful for purposes of establishing a trade secrets claim but, on the other hand, may be counter to a company’s culture and otherwise slow down workflow processes. The extent to which a company partitions between departments and employees is thus a decision that an employer should make in partnership with its trade secrets counsel.)
Moreover, following Van Buren, companies looking to prevent the scraping of their online data may need to look to other causes of action, including, inter alia, for breach of contract, copyright infringement, trade secrets misappropriation, and under the Digital Millennium Copyright Act.
In addition to creating internal technological barriers (to address threats posed by employees), those companies may want to limit the amount of information they make available to the public (by, e.g., taking down certain information or password-protecting certain pages).
While subsection (a)(2) originally protected only certain financial information, it was later expanded to cover any information on any computer “used in or affecting interstate or foreign commerce or communication” (including any computer that connects to the internet). Id. §1030(e)(2)(B).
Hannah T. Joseph is senior counsel at Beck, Reed, Riden in Boston, where she focuses her practice on the growing areas of trade secrets and restrictive covenants law, employee mobility, and unfair competition.