By: Courtney Samford, contributing author Blake Sims, Wyatt Summer Associate
Employers commonly supply computer and work devices to employees and state that the electronics may only be used for business related purposes, and employers have always had the ability to discipline employees who violate computer use policies through improper use. In some Federal Court of Appeals Circuits, employers may have been able to rely on threats of criminal and civil liabilities under 18 U.S.C. § 1030 to further deter improper use. On June 3, 2021, however, an evenly split conservative-liberal majority of the Supreme Court reversed the Eleventh Circuit Court of Appeals in Van Buren v. United States, holding that an individual only violates the Section 1030 of Computer Fraud and Abuse Act “when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Van Buren v. United States, No. 19-783 (Sup. Ct. June 3, 2021).
The issue before the Court was whether Nathan Van Buren, in his time as a Georgia police sergeant, violated the Computer Fraud and Abuse Act of 1986 (CFAA). More specifically, the Court sought to determine the scope of “exceeds authorized access,” which according to the CFAA means “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.”
Concerned with the increasing technological advances of the 1980s and the lack of existing muscle to address cybercrime, Congress enacted the CFAA, which made it illegal “ to access a [protected] computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” A protected computer is one “which is used in or affecting interstate or foreign commerce or communication,” which nowadays encompasses nearly every computer and smartphone because of their inherent interstate nature.
In the case at hand, Van Buren used his patrol-car computer to validly access the law enforcement database and search for a license plate, in exchange for a personal loan. Van Buren’s license plate search was actually part of a sting operation though, and the Federal Government charged Van Buren with a felony violation of the CFAA. Affirming Van Buren’s jury conviction under one count of felony computer fraud, the Eleventh Circuit Court of Appeals held that Van Buren violated the CFAA because his accessing the law enforcement database was for an “inappropriate reason.”
Besides the eventual outcome for Van Buren himself, a broad concern amongst Supreme Court observers and amici was what implications this case would have for both public and private employees across the board. Likewise, Justice Amy Coney Barrett, in writing for the majority, did not ignore the practical aspects of how an affirmation of the Eleventh Circuit might affect employees nationwide. “To top it all off, the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity. . . [I]f the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law abiding citizens are criminals.”
According to the Court’s interpretation of the Government’s argument, “an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.” Had a majority of Justices agreed with this reading of the CFAA, many if not all of employees could be found guilty of committing a federal crime and also potentially civilly liable to their employers.
The takeaway from Van Buren is that criminal and civil liabilities under the CFAA will not occur if an employee has authorized access to a computer and then obtains information located in particular areas of the computer that he has further authority to access, even when that computer use is for improper purposes. While Van Buren’s actions were certainly not in furtherance of his duties as a police officer, his accessing of the law enforcement database system was indeed authorized. This narrow reading of the statute doesn’t mean that employers cannot still recover for unauthorized access of their protected computers. Section (g) of the Act still reads that “any person who suffers damage or loss” may maintain a civil action if the unauthorized access meets certain factors outlined in the law.
Employers would be wise to restrict access to employees with a specific need if there is concern about improper use of computer systems or information stored therein. Furthermore, this decision does not have any impact on employers disciplining or terminating employees for improper use of technology based on technology use policies. The decision just applies to criminal and civil penalties under the CFAA.