The Computer Fraud and Abuse Act
In 1984, Congress passed the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, the first federal statute to criminalize digital theft. Pub. L. No. 98-473, tit. II, §§ 2101–2102, 98 Stat. 2190–2192 (1984). In 1986, Congress amended the act in several significant ways and renamed it the Computer Fraud and Abuse Act. Pub. L. No. 99- 474, 100 Stat. 1213 (1986). Several other amendments have happened since.
Today, the CFAA imposes criminal and civil liability on a person who “accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.” 18 U.S.C. § 1030(a)(2). The “without authorization” prong of the statute generally creates liability for outside hackers. As for “exceeds authorized access,” the CFAA defines that phrase as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” Id. § 1030(e)(6). The “exceeds authorized access” prong generally imposes liability on insiders, usually employees, who misuse personal or commercial information.
A violation of section 1030(a)(2) carries criminal and civil penalties. On the criminal side, a violation is a misdemeanor, but punishable by a fine and up to one year of imprisonment. Id. § 1030(c)(2)(A). That misdemeanor can be elevated to a felony punishable by up to five years in prison if the information was accessed for commercial advantage or private financial gain, furthered other criminal violations, or exceeds $5,000 in value. Id. § 1030(c)(2)(B).
The CFAA also includes civil remedies. Any person who suffers damages from a violation of the CFAA can “maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” Id. § 1030(g). A typical civil CFAA claim involves an employer suing a former employee who has used information from the former employer’s computer to gain a competitive advantage. E.g., Pac. Aerospace & Elecs., Inc. v. Taylor, 295 F. Supp. 2d 1188, 1196 (E.D. Wash. 2003). Employers contend that the employee “exceeds authorized access” by taking client information in order to compete against the employer. Other civil claims have involved competitors using “scraper” software to systematically glean prices from another company’s website in order to undercut those prices. EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). Because the scope of the CFAA’s civil remedy depends in part on the meaning of “exceeds authorized access,” the Supreme Court’s interpretation of that phrase will shape the potential claims available to companies whose information is stolen.
Courts Divided over the Meaning of “Exceeds Authorized Access”
Since 2012, appellate courts have divided over whether the CFAA imposes liability when someone uses his or her access to obtain information for an unauthorized purpose. The first four circuits to address this question held that the CFAA prohibits access of information in violation of confidentiality agreements or other use restrictions, or for nonbusiness reasons. See EF Cultural Travel BV, 274 F.3d at 582–84 (1st Cir. 2001); Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006); United States v. John, 597 F.3d 263, 272 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010). The Eleventh Circuit’s view is representative of these circuits. In United States v. Rodriguez, the Eleventh Circuit affirmed the convictions of a former employee of the Social Security Administration who had used his access to Social Security records to access the records of people he personally knew or their relatives. The Eleventh Circuit held that “Rodriguez used his authorized access and violated the [CFAA] when he obtained personal information for a nonbusiness reason.” Rodriguez, 628 F.3d at 1263.
Two years after Rodriguez, the Ninth Circuit disagreed with these circuits and ruled that “‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions.” United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc). The Ninth Circuit’s reasoning focused on the potential breadth of the CFAA, which would, under the broad interpretation, criminalize the behavior of millions of employees and consumers who violate terms restricting the use of computers or the access of websites. The Fourth and Second Circuits have agreed with Nosal and deepened the circuit split. WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 202, 207 (4th Cir. 2012); United States v. Valle, 807 F.3d 508, 528 (2d Cir. 2015).
Since Nosal, commentators have called on the Supreme Court to resolve this split. It has taken nearly a decade, but in Van Buren, the Supreme Court will do so.
Background of the Case and the Government’s Prosecution of Van Buren
Nathan Van Buren was a police sergeant in Cumming, Georgia, who, as part of his job, had access to a network maintained by the Georgia Crime Information Center, a division of the Georgia Bureau of Investigation. Through that system, Van Buren could access information from many government databases, including the National Crime Information Center maintained by the Federal Bureau of Investigation (FBI).
Through his work as a police sergeant, Van Buren became acquainted with a local resident who had encounters with law enforcement. In 2015, due to financial problems, Van Buren asked this resident for a loan. The resident was concerned that Van Buren’s conduct amounted to a “shake down.” The resident was put in contact with the FBI, which decided to run a sting operation to test whether Van Buren would engage in unlawful conduct in exchange for money.
The FBI created a fake person in the Georgia Crime Information Center database and instructed the resident to ask Van Buren to provide him with that person’s license plate number and to give Van Buren $5,000 in exchange for conducting the search. After receiving the money, Van Buren searched the database for the license plate number and then texted the resident that his attempt was successful. The FBI arrested Van Buren the next day.
Van Buren was indicted for violating the CFAA and for honest-services wire fraud. The jury found Van Buren guilty on both counts, and he was sentenced to 18 months of imprisonment, followed by 2 years of supervised release. The Eleventh Circuit affirmed his conviction, concluding that the court’s prior holding in Rodriguez controlled the CFAA conviction. United States v. Van Buren, 940 F.3d 1192, 1207–8 (11th Cir. 2019).
The Supreme Court’s Hearing of Van Buren’s Appeal
The Supreme Court granted certiorari to resolve the circuit split described above, and the Court held oral argument by telephone in November 2020.
In his briefs and at oral argument, Van Buren contended that the CFAA’s “exceeds authorized access” prong criminalizes obtaining information only if the person is not entitled to access that information for any purpose. His argument focused on the text of the statute, Congress’s purpose in passing the statute, and the “improbable consequences” that would follow from a broader interpretation.
Starting with the text, both sides agreed that the scope of the statute turns on the meaning of the phrase “not entitled so to obtain,” which is part of the definition of “exceeds authorized access.” 18 U.S.C. § 1030(e)(6). Based on the dictionary definition of the word “entitled,” Van Buren contends that a person is “entitled so to obtain” information if the person has a right to obtain information regardless of purpose. Van Buren’s position also turns on the interpretation of “so,” which, in his view, means only that the information must be obtained via a computer. Van Buren also emphasized that other federal statutes expressly prohibit accessing information for unauthorized purposes, but the CFAA does not do so expressly.
The U.S. government’s position hinges on the word “so” in “not entitled so to obtain.” Id. § 1030(e)(6). According to the government, “so” refers back to the concept of “access.” In its view, a person is “entitled so” only if he or she has the right to access the information in the manner and under the circumstances in which he or she did. The government has argued that Van Buren’s position makes the word “so” superfluous.
The parties have debated the consequences of their interpretations and whether Congress could have intended those consequences. In enacting the CFAA, Congress, according to Van Buren, was concerned primarily with computer hacking, whether by outside or inside hackers, but not misappropriation of information that an employee could access. Relying on the Ninth Circuit’s reasoning in Nosal, Van Buren emphasized the unlikelihood that Congress intended the CFAA to criminalize misappropriation already covered by state contract and tort law. Van Buren also argued, again relying on Nosal, that the government’s interpretation criminalized vast amounts of ordinary behavior—such as participation in college basketball tournament office pools in violation of computer-use restrictions.
The government, by contrast, argues that the parade of horribles Van Buren claimed would come to pass was entirely hypothetical and had not happened in the circuits endorsing the government’s interpretation. Even if those hypotheticals were a concern, the government suggested those situations were best addressed through the interpretation of other parts of the statute.
During oral argument, at least four justices—Sotomayor, Kagan, Gorsuch, and Kavanaugh—expressed either skepticism for the government’s interpretation of “so” and its other suggested limitations or a concern for the consequences of criminalizing vast amounts of ordinary behavior. Justice Kagan summarized the two sides’ positions as depending on the word “so” and pressed the government on why its interpretation of “so” is more natural than Van Buren’s. And Justice Gorsuch, for instance, characterized this case as “the latest . . . in a rather long line of cases in recent years in which the government has consistently sought to expand federal criminal jurisdiction, in pretty significantly contestable ways that this Court has rejected.”
Other justices were concerned about the consequences of ruling for Van Buren. Justice Thomas asked whether, under Van Buren’s interpretation, it would be a crime for an employee of a car rental company to use access to GPS information to follow his or her spouse, and Justice Alito emphasized that the information protected by the CFAA often involves substantial privacy concerns. Van Buren’s counsel, Stanford law professor Jeffrey Fisher, sought to reassure these justices that the conduct they described could be criminalized by other federal statutes besides the CFAA, and he also emphasized that such conduct could lead to tort or contract liability as well.
The Supreme Court’s opinion will likely issue in the spring of 2021. And whether it rules for the government or for Van Buren, the Court’s decision will change the law in several circuits. Employers, trade secret litigators, and criminal defense lawyers should watch closely for the Court’s opinion, which will shape the interpretation of the CFAA for the next generation.