U.S. Supreme Court Limits Reach of Computer Fraud and Abuse Act
On June 3, 2021, the United States Supreme Court issued its opinion in Van Buren v. United States, No. 19-783, an important case about the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”). The issue in the case was whether a police officer who accessed a government computer system to run a license plate for non-law-enforcement purposes (in exchange for money) had violated the CFAA. Whether the officer violated the CFAA depended on whether he “exceed[ed] authorized access” to a computer system. Lower federal courts of appeal had previously come to differing decisions regarding how to interpret the phrase “exceeds authorized access” and, therefore, the Supreme Court decided to hear the case. See e.g., United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010) (Individual who accesses a protected computer for a prohibited purpose or use violates the CFAA); United States v. Valle, 807 F.3d 508, 526-28 (2d Cir. 2015) (Officer who accessed federal database for personal use did not violate CFAA).
The government argued that the officer had exceeded authorized access because his police department prohibited accessing the database for anything other than proper law enforcement purposes and the officer had accessed the license plate information on the computer system for an unauthorized purpose. The officer argued that he had not violated the CFAA because he did not access a computer that he was not authorized to access. The Supreme Court instead charted a middle path, holding that “exceeds authorized access” means accessing a computer with authorization but obtaining information located in particular areas of the computer, such as files, folders or databases, that are off-limits to him.
This was an important decision because the CFAA does not apply just to government workers or government computers. If the government’s interpretation of the CFAA had been adopted by the Court, it would have criminalized, and imposed civil liability on, a wide variety of unsuspecting people. For instance, if the CFAA were interpreted by the Court as the government suggested, an employee who merely used his or her employer’s computer system to send a personal email, where the employer’s policies prohibited doing so, would have committed a federal crime.
Donoghue & Picker is available to provide advice and guidance regarding legal issues involving the CFAA.