In Van Buren v. United States, No. 19-783 (U.S. June 3, 2021), the United States Supreme Court issued an opinion drastically limiting the application of the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030 et seq.), holding that the “exceeds authorized access” clause of the Act applies only to those who obtain information from particular areas in the computer—such as files, folders, or databases—to which the individual is not authorized to access under any circumstances. However, the Supreme Court excluded application of the clause to individuals who misuse their access to obtain information otherwise available to them for an unauthorized purpose.
Van Buren, a former Georgia police sergeant, was charged with honest-services wire fraud and violating the CFAA after using his own, valid credentials to retrieve information about a license plate number in exchange for money, in violation of the department’s policy. The Government alleged that Van Buren knowingly accessed information in the department’s database for an unauthorized purpose, both in violation of the department’s policy and the CFAA. Van Buren argued that, despite his later misuse of the information, he was authorized to access the information and did not violate the CFAA.
A jury convicted Van Buren, and the United States District Court for the Northern District of Georgia sentenced Van Buren to 18 months in prison. The United States Court of Appeals for the Eleventh Circuit affirmed the conviction. The Supreme Court granted certiorari to address the ongoing circuit split surrounding the CFAA’s application to the use of one’s access for an unauthorized purpose.
The Eleventh Circuit, as well as the First, Fifth, and Seventh Circuits, have interpreted the CFAA’s definition of “exceeds authorized access” to include the act of using an individual’s authorized access to obtain information for an unauthorized purpose. Conversely, the Second, Fourth, Sixth, and Ninth Circuits have held that as long as an individual is generally authorized access to the information, later access of that information by that individual for an unauthorized purpose does not violate the CFAA.
In a 6-3 decision, the Court sided with the Second, Fourth, Sixth, and Ninth Circuits, holding that an individual “exceeds authorized access” under the CFAA only when they use their authorization to access information that is entirely off limits. The majority further held that an individual does not violate the CFAA when they access information that they are allowed to access, but later use for an improper purpose.
The Court focused much of its opinion on the semantics of the CFAA’s definition of “exceeds authorized access,” which means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter” (emphasis added). Justice Barrett, writing for the majority, agreed with the parties that Van Buren was entitled to obtain the information he had accessed and was authorized to retrieve information about the license plate number. The Government argued that the use of “so” in the definition should be interpreted to mean information an individual was not allowed to obtain in the particular manner or circumstances in which it was obtained. However, the Court rejected this broad interpretation, adopting the more narrow approach offered by Van Buren. This narrow approach limits application of the clause to information that an individual is not entitled to obtain by using a computer to which they are otherwise authorized to access.
The Court also addressed policy concerns raised by the Government’s interpretation. Specifically, the Court was concerned that the Government’s broad interpretation would “attach criminal penalties to a breathtaking amount of commonplace computer activity,” thereby exposing millions of “otherwise law-abiding citizens” to criminal penalties. Under the government’s interpretation, the Court warned of the potential criminalization of sending personal emails, reading the news, or scrolling through social media using a work computer.
The dissent, penned by Justice Thomas, agreed with the majority’s interpretation of the word “so” in the statute (i.e., whether the individual was authorized to obtain information through the means identified earlier in the Act’s definition), but disagreed that Van Buren was “entitled” to the information. Viewing an individual’s “entitlement” as circumstance dependent, the dissenters would have held that because Van Buren obtained the information for personal gain instead of for a valid law enforcement purpose, he was therefore not entitled to the information.
The CFAA, originally enacted in 1984 and most recently amended in 2008, has been widely criticized as being confusing and outdated. Van Buren calls for Congress’s prompt attention to the statute, especially in light of significant technological changes in the last 13 years. Congressional action could address the remaining ambiguities surrounding the CFAA. For example, while the Van Buren decision clarifies that “exceeding authorized access” does not include an otherwise authorized user’s misuse of accessed information, the decision does not clarify what it means to have “authorized access.” Additionally, the decision only touches on what it means to be “entitled” to access information—relying on only two dictionary definitions of “entitle”—and the majority’s single paragraph analysis could be difficult to apply to cases with more complex facts. An amendment could also limit further confusion by defining the key terms and phrases used throughout the statute (such as “authorized access,” “obtain,” or “alter”) and updating the language of the CFAA to better align with current technology. For example, cell phones have advanced tremendously since the latest amendment and tablets are becoming more common in lieu of computers. Access to devices has also evolved to accommodate remote and virtual access. And even though the current definition of “computer” in the Act is assumed to include “smart” devices and not just computers, amending the Act to explicitly list such devices – or not – would be a salutary step toward predictability of result, which should be the objective of any well-written criminal statute.
Regardless whether Congress ultimately revisits the CFAA, companies should consider revisiting their user access policies and safeguards to appropriately limit authorized access to sensitive data. Additionally, companies should continue to enhance and enforce policies prohibiting the unauthorized use of information to which the employee is authorized to access.