In a long awaited opinion, the Supreme Court recently resolved a circuit split regarding the proper interpretation of a statute implicated in many post-employment disputes. Since its enactment, federal courts of appeal have been divided over the proper interpretation of the phrase “exceeds authorized access” under the Computer Fraud and Abuse Act (“CFAA”), a primarily criminal statute that also includes a civil cause of action where an individual accesses a protected computer without authorization or exceeds authorized access. Some courts have held that the “exceeds authorized access” requirement only applies where the individual was authorized to access the computer itself but not the particular files or information that are the subject of the dispute.Conversely, the majority of federal appellate courts have interpreted the phrase to mean that an individual exceeds authorized access where they are permitted to access the files or information but only for specified purposes, typically business purposes. For example, many employers have instituted computer usage policies that limit an employee’s authorized access to company documents for the purpose of performing their employment duties. As a result, a common CFAA fact pattern involves a so-called disloyal employee exceeding their authorized access by accessing the company’s computer system in order to obtain documents or information on the eve of their resignation for use at their new place of employment. In other words, the majority of courts held that an individual exceeds their authorization where they were permitted to access the information but did so for unauthorized purpose.
In Van Buren v. United States, a former police officer challenged his conviction under the CFAA where he had accessed a law enforcement database to obtain information that he provided to a third-party in exchange for money. The Eleventh Circuit affirmed the conviction because the police department’s policy stated that the database could only be accessed for valid law enforcement purposes. Therefore, the officer had exceeded his authorization by accessing the database for personal reasons.
Justice Barrett, writing for the majority, largely focused on the statutory definition of “exceeds authorized access,” which is “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled to so obtain.” 18 U.S.C. §1036(e)(6). The majority agreed with Van Buren that the definition is “best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.”
In addition to relying on statutory interpretation, the Court also reasoned that a contrary interpretation would result in far-ranging consequences. As the Court reiterated, the CFAA is primarily a criminal statute and “the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity.” For example, if a computer-use policy stated that a company computer could only be used for business purposes, “an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.” Recognizing the ubiquity of such conduct, the Court noted that if a violation of a computer-use policy constituted a CFAA violation, “then millions of otherwise law-abiding citizens are criminals.” The Court found it implausible that Congress intended to place the very liberty of citizens at the mercy of the intricacy of how an employer crafted its computer-use policy. Thus, the Court held that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him.”
The Court’s ruling in Van Buren is likely to limit certain kinds of computer trespass actions, particularly those involving departing employees that allegedly copy trade secrets or other proprietary company information for use in a new job where the departing employees had authorized access to such files. The ruling, however, does not place all computer trespass claims against former employees completely outside the scope of the CFAA. Claims against former employees who allegedly copy files from folders or databases that they were not originally authorized to access may still be permissible. However, the viability of such claims going forward will be even more fact specific as the employer now must also show that the employee was not authorized to access the specific folder, file, or database. As a result, employers should consider segmenting computer systems where highly proprietary or trade secret information is kept within specialized folders and databases that only specific employees are authorized to access.