Supreme Court Limits the Scope of the CFAA (and What Employers Should Now Consider)

Written By Hosch & Morris

Privacy Plus+

Privacy, Technology and Perspective

Supreme Court Limits the Scope of the CFAA (and What Employers Should Now Consider). The Computer Fraud and Abuse Act of 1986 (CFAA) subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains computer information. 18 U. S. C. §1030(a)(2).  But what constitutes exceeding authorized access?  The CFAA does not define what authorization means in that context. So, as so often happens with internet-related statutes, technology changes more quickly than statutory language, and ambiguity about the language then leads conflicting interpretations of the statute.

On June 3, 2021, the United States Supreme Court adopted a narrow construction of what it means under the CFAA when a computer user “exceeds authorized access.”  In Van Buren v. U.S., the Court considered the case of Nathan Van Buren, a former police sergeant, who violated his workplace’s policies when he ran a license-plate search in a law enforcement computer database in exchange for money.  There, the Supreme Court found that Van Buren did not violate the CFAA.

Writing for the majority, Justice Amy Coney Barrett interpreted “authorization” under CFAA as a “gate up, gate down” inquiry, rather than a “purpose”-focused inquiry – meaning that a computer user is either authorized to access the information on the computer or not. The CFAA does not encompass “violations of circumstance-based access restrictions on employers’ computers.”

You may read the opinion by clicking on the following link:

https://www.law.cornell.edu/supremecourt/text/19-783

For employers facing the unlikelihood of substantive, congressional updating of the CFAA any time soon – it’s time to reconsider technical access limitations and company contracts and policies.  We suggest (1) applying technical measures to restrict users’ access to exactly what they need in order to do their jobs and nothing more, and (2) reviewing agreements, policies, training, and regular practices to be sure they are clear and up to date in these regards.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.

Hosch & Morris https://hoschmorris.com
Previous

Colorado Privacy Act
Next

A New Way to Move Data from the EU to the US