Recent Supreme Court Decision Significantly Narrows the Scope of the Computer Fraud and Abuse Act
The Supreme Court’s recent decision in Van Buren v. United States, 141 S.Ct. 1648 (2021), resolves a longstanding circuit split over the scope of the Computer Fraud and Abuse Act of 1986, and appears to have significantly narrowed the reach of a statute that has often been criticized as criminalizing too broad a range of computer-related conduct.
The CFAA was enacted in 1986 to address the emerging problem of computer hacking.[1] The Act imposes criminal liability on individuals who either “intentionally access a computer without authorization or exceed authorized access, and thereby obtain” information from that computer. 18 U.S.C. § 1030(a)(2). Van Buren focused on the phrase “exceeds authorized access,” which is defined under the Act to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” § 1030(e)(6).
Examining the statutory text closely, the Supreme Court held that the phrase “exceeds authorized access” in subsection (a)(2) of the Act applies “only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have.” Van Buren, 141 S.Ct. at 1653.
Throughout the years, the scope of subsection (a)(2) has “expanded to cover any information from any computer ‘used in or affecting interstate or foreign commerce or communication.’” Van Buren, 141 S.Ct. at 1652 (quoting § 1030(e)(2)(B)). “As a result, [subsection (a)(2)’s] prohibition now applies—at a minimum—to all information from all computers that connect to the Internet.” Id. The expansive nature of § 1030(a)(2) has caused critics to argue the CFAA is overly broad, especially considering the significant criminal and civil penalties associated with violations of the Act.
Courts have struggled with how to interpret the definition of “exceeds authorized access” so as to determine the proper scope of that phrase. While some circuits have broadly construed the phrase to prohibit a person from using their authorized access to a computer to obtain any information on that computer for an improper purpose (e.g., a purpose that violates company policy), others have given a narrower construction—that a person “exceeds authorized access” only by using their authorized access to obtain information located in certain folders, drives, or other areas of the computer that they are not authorized to access. Compare United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) with Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F.3d 756, 760 (6th Cir. 2020).
In a 6-3 opinion authored by Justice Amy Coney Barrett, the Supreme Court endorsed the narrower construction. The case involved Defendant Nathan Van Buren, who as a police sergeant in Georgia ran a search for an individual’s license-plate information through his law enforcement computer database in exchange for $5,000 from a man who was cooperating with the FBI in a “sting” operation. Van Buren was charged with and convicted of violating § 1030(a)(2). Van Buren appealed his conviction to the Eleventh Circuit, which held that, notwithstanding his authorization to access the database, Van Buren violated § 1030(a)(2) by accessing the information in violation of department policy. United States v. Van Buren, 940 F.3d 1192, 1208 (2019).
The Supreme Court disagreed, holding that an individual “exceeds authorized access” only if “he accesses a computer with authorization but then obtains information located in particular areas of the computer . . . that are off limits to him.” Van Buren, 141 S.Ct. at 1662. The Court recognized that “[i]f the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy,” then “the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity.” Id. at 1661. For example, most companies have policies in place stating that company computers are to be used for business purposes only. Under an expansive reading of the statute, the Court posited that “an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.” Id. The Court’s ruling sought to avoid an interpretation of the Act that would “criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.” Id.
The contours of the Court’s ruling will undoubtedly be shaped as lower courts apply the Van Buren standard to new cases. However, this decision sends a clear message regarding the intended scope of the CFAA moving forward.
[1] Computer Fraud and Abuse Act (CFAA), NATIONAL ASSOCIATION OF CRIMINAL DEFENSE LAWYERS, https://www.nacdl.org/Landing/ComputerFraudandAbuseAct (last accessed July 13, 2021).