Every employer has to contend with employee turnover, including key personnel leaving for a competitor. The loss or compromise of confidential data is a significant risk in such a scenario. One way for an employer to protect itself is to rely on the Computer Fraud and Abuse Act (“CFAA”), which provides a civil remedy that allows a private party (including employers) to seek compensation for losses caused by a current or former employee's unauthorized access to data on a protected computer.
The CFAA is a statutory provision that was part of the Comprehensive Crime Control Act of 1984. The CFAA gives employers a civil cause of action against an employee who “intentionally accesses a computer without authorization or exceeds authorized access” and obtains or misuses certain information obtained from the computer. While the CFAA defines the phrase “exceeds authorized access,” it does not define “with authorization” or “without authorization.” These terms have been interpreted differently by the various circuits, causing the reach of the CFAA to vary by jurisdiction.
However, earlier this week, the Supreme Court of the United States took steps to limit those interpretations in its Van Buren decision. Van Buren is a CFAA case that originated in Georgia, where Nathaniel Van Buren was a police sergeant. Van Buren was targeted in an FBI sting operation in which he was told to access license plate information from the police department’s database and, in exchange, he’d receive a payoff of $5,000. Van Buren accessed the requested information and was arrested. He was charged with a felony violation of the CFAA for “exceeding authorized access” of the department’s database and was convicted of violating the CFAA because he allegedly used that database for an improper purpose, even though it was a database that he was allowed to access for work purposes.
In response, Van Buren argued that the department granted him access to the license plate database. He didn’t break into the system. Instead, he accessed information that he was allowed by his employer to view. His improper purpose in accessing the database should not have played into whether he violated the CFAA.
The Government countered that Van Buren was authorized to access the database only for law enforcement purposes, and that accessing it for the improper purpose of facilitating a personal financial arrangement exceeded that authorization. The Eleventh Circuit agreed with the Government, affirming Van Buren’s conviction, and the Supreme Court granted cert.
The Supreme Court reversed, concluding that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Accordingly, the Court held, Van Buren did not “‘excee[d] authorized access’ to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.” Said another way, because Van Buren had access to the license plate database, he could not violate the CFAA no matter his motives.
In reaching this conclusion, the Court primarily relied on the text and structure of the CFAA, concluding that the phrase “authorized access” should be understood as a “gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.”
So how do employers respond?
If employers want to continue availing themselves of the civil claim, the way they grant employees “access” will have to change. Primarily, employers will need to focus on compartmentalized access. Although it will add extra steps, consider limiting each employee’s computer access to the areas they need for the normal parts of their job. While they might need extra access on occasion, limiting their standard access will add protections under the Supreme Court’s new Van Buren interpretation.