Because of a recent U.S. Supreme Court decision, the federal Computer Fraud and Abuse Act (CFAA) has become a less useful tool for employers seeking protection against theft or sabotage by employees and others who have authorized access to their computer systems.
In Van Buren v. United States, the Court held that the “exceeds authorized access” clause of Section 1030 of the CFAA does not reach individuals who have legitimate access to an employer’s computer system, and to the information at issue, but then use that information for an improper purpose.
The Computer Fraud and Abuse Act was enacted in 1986 as an amendment to the 1984 Comprehensive Crime Control Act. The CCCA was the first federal computer fraud law designed to address hacking in cases involving a compelling “federal interest” (that is, where computers of the federal government or certain financial institutions are involved, or where the crime itself was interstate in nature). The CCCA, codified at 18 U.S.C. 1030, created three new federal crimes covering certain conduct by a person who “knowingly accesses a computer without authorization, or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend[.]” The crimes were limited to three specific scenarios tailored to particular government interests: computer misuse to obtain national security secrets, computer misuse to obtain personal financial records, and hacking into government computers.
With the CFAA, Congress broadened the protection by adding three new prohibitions. Section 1030(a)(4) prohibited unauthorized access with intent to defraud; section 1030(a)(5) prohibited accessing a computer without authorization and altering, damaging, or destroying information; and section 1030(a)(6) prohibited trafficking in computer passwords. The amendment also provided additional penalties.
Until it was amended in 1994, the CFAA provided only criminal penalties for prohibited conduct. The 1994 amendment added a civil cause of action for CFAA violations, giving private parties the ability to obtain compensatory damages, injunctive relief, and other equitable relief. Congress also expanded the CFAA to cover several other computer-related acts, including theft of property via computer as part of a scheme to defraud; intentional alteration, damage, or destruction of data belonging to others; distribution of malicious code and denial of service; and trafficking in passwords and similar items. Section 1030(a)(5) was amended to provide further protection from unauthorized access resulting in damage, even where the damage was accidental and not negligent. It was also extended to outsiders gaining unauthorized access and to insiders who intentionally damaged a computer.
Congress has broadened the scope and coverage of the CFAA through eight subsequent amendments, including in 1996, in 2001 (by the USA PATRIOT Act of 2001), in 2002, and in 2008 (by the Identity Theft Enforcement and Restitution Act).
Until now, however, federal appeals courts disagreed about whether a person violates the CFAA by using a valid log-in or other legitimate authorization to access information for an improper purpose. Van Buren resolves that split.
Van Buren v. United States
Earlier this month, the U.S. Supreme Court adopted a “gates-up-or-down” approach to the statute. A former police sergeant in Georgia used his patrol-car computer to search a law enforcement database for information about a particular license plate number in exchange for money. Although Nathan Van Buren used his own, valid credentials to perform the search, his conduct violated a department policy against obtaining database information for non-law-enforcement purposes. Unbeknownst to Mr. Van Buren, his actions were part of an FBI sting operation. He was charged with a felony violation of the CFAA, which imposes criminal liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” He was convicted, and his conviction was upheld by the U.S. Court of Appeals for the Eleventh Circuit. The Supreme Court agreed to review the decision.
In an opinion delivered on June 3 and written by Justice Amy Coney Barrett, the majority rejected the government’s broad reading of Section 1030, under which the statute would reach well beyond its core purpose of prohibiting and punishing illegal hacking of computer networks. As the majority explained, “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.” Justice Barrett reasoned that because employers commonly state that computers and electronic devices may be used only for business purposes, an employee who does something as innocuous as sending a personal e-mail or reading the news on her work computer would, under the government’s reading, have violated the CFAA.
The Court’s analysis turned on the meaning of the word “so” in Section 1030(e)(6), which defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The word “so,” the majority reasoned, is “a term of reference,” and thus the phrase “so to obtain” means to obtain in “the same manner as has been stated.” That manner is “via a computer one is otherwise authorized to access,” and therefore the phrase “is not entitled so to obtain” must be read as “not allowed to obtain by using a computer that he is authorized to access.”
Thus, the majority held that individuals “exceed authorized access” only when they access computers with authorization but then obtain information located in particular areas of the computer – such as files, folders, or databases – that are off-limits to them. Because Mr. Van Buren had legitimate access to the area of the computer from which he accessed the license plate information, he did not violate the CFAA, even though he used that information for an improper purpose.
How employers can protect their businesses after Van Buren
Clearly, Van Buren narrows the grounds on which an organization may enforce its data access and use policies, whether civilly or criminally. Although it was a criminal case, Van Buren has clear implications for employers who learn that their employees (oftentimes, departing employees) have accessed company servers and downloaded confidential information for their own purposes. So what should employers do now? Preliminarily, it should be noted that numerous other laws continue to apply, such as the federal Defend Trade Secrets Act, state trade secret and trespass laws, and business torts (for example, breach of the duty of loyalty). In addition, invention assignment/confidentiality agreements, non-disclosure agreements, and noncompete agreements containing express prohibitions on unauthorized use and disclosure should give employers ample grounds for civil lawsuits.
Employers should already have these agreements in place, but must review them to ensure that they are in step with current law. Even better, employers should take steps to prevent an unauthorized access issue from arising in the first place. This can be accomplished in a number of ways:
Undertake data mapping to determine where sensitive data, customer lists, intellectual property, and trade secrets reside on the network, and then restrict access to them on a “least privilege” basis: grant access to the more sensitive information and trade secrets only to those employees who truly need it. Enforce that restriction technically (separate folders, databases, or systems with their own access controls), not merely by written policy, because after Van Buren the CFAA turns on which areas of a system a user can reach, not on why the user reached them.
Review data use policies and contractual agreements to identify the “insiders” who may have access to corporate networks, including employees, contractors, vendors, and others. Review the access granted under each contractor and vendor agreement in place, and implement technological restrictions in addition to the contractual ones.
Review the external entry points to your digital infrastructure and consider whether additional measures are necessary, such as moving to a more restrictive access model, or monitoring the activity of data scrapers so that any authorization they hold can be expressly revoked.
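The three measures above come down to one technical design: a data map that lists each sensitive area and the roles allowed into it, a deny-by-default check against that map on every request, and an audit trail that can flag accounts (including contractor or scraper accounts) for revocation. The following Python is an added illustration written for this article, not code from the original text or from any vendor product; the areas, roles, user names, and request paths are constructed for the example.

```python
"""Deny-by-default, least-privilege access control over a data map, with an
audit trail. Added example for illustration; all names are constructed."""
import posixpath
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user: str
    resource: str
    allowed: bool
    reason: str


class AccessController:
    """Allows a read only where the data map says the user's role may go."""

    def __init__(self, data_map):
        # Each area maps to the roles permitted in it. Anything outside the
        # map is denied, so a newly created store stays closed ("gates down")
        # until someone consciously grants access to it.
        self.areas = {self._norm(a) + "/": set(r) for a, r in data_map.items()}
        self.roles = defaultdict(set)  # user -> roles held
        self.audit = []                # append-only record of every decision

    @staticmethod
    def _norm(path):
        # Collapse "./" and "../" so a grant on one area cannot be escaped by
        # traversal, and strip leading slashes so paths are data-root relative.
        return posixpath.normpath("/" + path).lstrip("/")

    def grant(self, user, role):
        self.roles[user].add(role)

    def revoke(self, user, role=None):
        # Revoke one role, or every role (e.g. on departure or detected scraping).
        if role is None:
            self.roles.pop(user, None)
        else:
            self.roles[user].discard(role)

    def request(self, user, resource):
        """Return True if `user` may read `resource`, logging the decision."""
        path = self._norm(resource)
        held = self.roles.get(user, set())
        for area, allowed_roles in self.areas.items():
            if path == area.rstrip("/") or path.startswith(area):
                allowed = bool(held & allowed_roles)
                reason = "role permits area" if allowed else "no role for area"
                break
        else:
            allowed, reason = False, "resource not in data map"
        self.audit.append(
            AuditEvent(datetime.now(timezone.utc), user, path, allowed, reason))
        return allowed

    def heavy_readers(self, threshold):
        """Users with more than `threshold` allowed reads: review or revoke."""
        counts = Counter(e.user for e in self.audit if e.allowed)
        return {u: n for u, n in counts.items() if n > threshold}


def demo():
    """Walk through the situations discussed above; returns the decisions."""
    # Constructed data map: sensitive areas and the roles that truly need them.
    ac = AccessController({
        "customers": {"sales"},
        "source": {"engineering"},
        "trade-secrets": {"rnd-lead"},
    })
    ac.grant("alice", "sales")
    ac.grant("bob", "engineering")
    ac.grant("vendor-1", "engineering")  # hypothetical contractor account

    checks = [
        ("alice", "customers/list.csv"),                      # her own area
        ("alice", "trade-secrets/formula.txt"),               # off-limits area
        ("alice", "customers/../trade-secrets/formula.txt"),  # traversal attempt
        ("alice", "customers"),                               # the area itself
        ("bob", "source/app/main.py"),
        ("bob", "backups/dump.sql"),                          # unmapped store
    ]
    results = [(u, r, ac.request(u, r)) for u, r in checks]
    # The contractor bulk-reads the tree; the audit trail exposes it and the
    # account's access is revoked, after which the gate is down for it.
    for i in range(25):
        ac.request("vendor-1", f"source/lib/{i}.py")
    for user in ac.heavy_readers(threshold=20):
        ac.revoke(user)
    results.append(("vendor-1", "source/app/main.py",
                    ac.request("vendor-1", "source/app/main.py")))
    return results


if __name__ == "__main__":
    for user, resource, allowed in demo():
        print(f"{user:10} {resource:40} {'ALLOW' if allowed else 'DENY'}")
```

Note what the example does not do: alice's allowed read of the customer list is allowed regardless of her purpose, which is exactly the situation Van Buren leaves outside the CFAA. Misuse of data a user is entitled to reach must be caught by the audit trail, contracts, and the other laws mentioned above, while the access check itself is what keeps the areas that are off-limits to her genuinely off-limits.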
Your company’s infrastructure should be covered from all angles to prevent unauthorized access to sensitive information. In light of the holding of Van Buren, the foregoing measures take on an even greater sense of urgency.