Co-authored by Walsh Pizzi O'Reilly Falanga LLP1
In June 2021, the Supreme Court weighed in on a long-extant circuit split involving the Computer Fraud and Abuse Act1 ("CFAA"), carving back the statute's reach. Before in Van Buren v. United States2, employers in select circuits could rely on the CFAA to seek liability on departing employees who used company business information for unauthorized purposes, e.g., for the benefit of the next employer or other opportunity. What is left for employers after the Van Buren decision? Are claims for web-scraping still viable after Van Buren?
To answer the workplace question, let's start with a hypothetical strategic consulting firm which works for top organizations in the world. The firm's work, were it to be disclosed outside of the client organizations, could affect stock prices, provoke competitor responses, and result in public embarrassment. The firm's information management system limits access to client information to the team working on each specific project. Some managers have access to all the company's work across the entire range of clients. If a rogue employee figures out his superior's password to client information that would otherwise be off limits to that individual and exploits business information for personal gain, after Van Buren, has that employee violated the CFAA? We will answer that question in this article.
Background
The CFAA was enacted in 1986 to address concerns about hacking and makes it a federal crime to access a computer without authorization in certain scenarios. Punishments for violations of the CFAA can be serious, subjecting a convicted defendant to a felony conviction and up to five years of imprisonment. Broadly speaking, Section 1030 of the CFAA prohibits anyone who intentionally accesses a computer "without authorization" or who "exceeds authorized access" to obtain information stored on a computer.
For the first time, the Supreme Court has analyzed the scope of Section 1030 of the CFAA in the recently decided Van Buren v. United States. The influence of this decision is far-reaching, especially since today, many companies use technology for most, if not all, of their functions. Employees use various forms of technology in the workplace, such as desktops, laptops, smartphones, and tablets. Employers, in turn, restrict employee access to "off-limits" information on these computers. Just because something is off-limits, however, does not invoke CFAA protection. Similarly, if an employee accesses anything that is deemed "off-limits," the employee has not necessarily "exceeded their authorized access." Van Buren v. United States helped to clarify just how much employees can access before they violate Section 1030 of the CFAA and resolved a longstanding circuit split on the issue.
Before Van Buren, courts struggled to determine the scope of an employee's authorized access for CFAA purposes, which resulted in the circuit split on how to interpret the definition of "exceeds authorized access." The First, Fifth, Seventh, and Eleventh Circuits favored a broader interpretation of "exceeds authorized access," and had found that employees actions violate the CFAA if they use their authorized access to obtain information from a computer for an improper purpose. In contrast, the Second, Fourth, and Ninth Circuits favored a narrower approach, and had determined that an employee "exceeds authorized access" only when they access other areas of the computer that they are not authorized to access.
The issue before the Court in Van Buren was actually quite scandalous, and involved an employee police officer who had accessed his employer's computer system in a breach of department policy. The Defendant police officer, Martin Van Buren, became the subject of an FBI sting operation after he had asked Andrew Albo, a man involved with prostitutes, for a loan, which Albo presented to the FBI as an effort to "shake him down". To incriminate Van Buren, the FBI instructed Albo to request Van Buren to provide license plate information of an exotic dancer, which would require Van Buren to access the Georgia Crime Information Center database. Because he was a police officer, Van Buren had authorization to access this database and was authorized to use the system to retrieve license plate information. He was not, however, permitted to use this information for Albo's needs. After Van Buren provided Albo with the license plate information, Albo paid him $5,000. Before reaching the Supreme Court, the Eleventh Circuit, consistent with the First, Fifth, and Seventh Circuits, held that because Van Buren had used the license plate information from his authorized computer access for an improper purpose, he had "exceeded authorized access" in violation of the CFAA.
The Supreme Court Decision
The Supreme Court's 6-3 decision in Van Buren resolved the circuit split and has set the stage for future CFAA litigation between employers and employees. In reaching its decision, the Court analyzed whether a person who is authorized to access information on a computer violates Section 1030 of the CFAA if they access the information for an improper purpose. The focal point of this inquiry was the definition of the "exceeds authorized access" clause in Section 1030 of the CFAA. Anyone who "exceeds authorized access" would be determined to have been in violation of the CFAA. Van Buren argued that the "exceeds authorized access" clause applied only to those who obtain information to which their computer access did not already extend. The government argued that the "exceeds authorized access" clause applied both to those who obtained information to which their computer access did not extend and to those who are authorized to access a particular computer system but obtain information from the system for an improper purpose.
Ultimately, the Supreme Court overruled the Eleventh Circuit, sided with Van Buren, and resolved the circuit split when it held that a defendant "exceeds authorized access" under the CFAA only by obtaining information from a source to which the defendant was not entitled to access or which was otherwise off-limits to that individual. In other words, the "exceeds authorized access" clause applies "only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have." Importantly, this holding meant that, in turn, an individual does not violate the CFAA by accessing information they are authorized to access for an improper purpose, even if this conduct is prohibited by workplace policies. The Court believed this was the proper outcome because the interpretation advocated by the government could lead to bizarre outcomes. For example, the "improper purpose" interpretation would subject employees to CFAA violations for seemingly innocent activities depending on workplace policies regarding computer use authorization. If employees were not authorized to use their computer for their personal emails, to access social media, to shop online, etc., but they did so, they might be guilty of a federal crime under the CFAA for seemingly mundane actions. This concern led the Court to agree with Van Buren to avoid criminalizing "everything from embellishing an online-dating profile to using a pseudonym on Facebook."
Takeaways for Employee Mobility Claims
Since Van Buren is the first case to reach the Supreme Court involving an interpretation of Section 1030 of the CFAA, there are several takeaways from the decision that will continue to influence workplace litigation. For example, an obvious takeaway is that the CFAA no longer provides a cause of action against employees who use information they are entitled to access for an improper purpose. To impose CFAA liability, employers must show that an employee accessed information from an area of the network that was off-limits to them. Therefore, employers should revisit employment contracts and business agreements to be sure their provisions provide protection in scenarios in the CFAA post-Van Buren does not reach. Employers should also, of course, consider other causes of action outside the CFAA, such as breach of contract, copyright infringement, or misappropriation of trade secrets.
One inquiry under the CFAA that is still important and not quite clear, however, is what exactly makes information "unauthorized" such that the use of such information "exceeds authorized access." The Court noted that there are two different potential theories of authorization – the code-based approach and the contract-based approach. The code-based approach contemplates the use of computer code, such as a password, to bring gates down on certain information, making access to that data "unauthorized" under the CFAA, along the lines of traditional hacking. The contract-based approach to designating information gates-down would allow limitations on authorization to be created through contract or company policy, either by a written or verbal restriction on how a computer can be used.
In Van Buren, the Supreme Court declined to address which approach courts should use. Footnote 8 states: "For present purposes, we need not address whether this inquiry turns only on technological (or 'code-based') limitations on access, or instead also looks to limits contained in contracts or policies." 141 S. Ct. at 1659.
Given that the Court's central holding stemmed from a gates-up-or-down inquiry, meaning that "one either can or cannot access a computer system, and one either can or cannot access certain areas within the system," it is rather anomalous that the Court declined to specify, however, the measures which would bring the gates down on access to information – code-based limitations or contractual limitations. Future courts must decide if a contractual clause or workplace policy is enough to provide CFAA application, or if a technological barrier must have existed.
For example, reflect upon to the strategic consulting firm mentioned at the beginning of this article. This firm wants to protect its information from disclosure to the outside world, and the information is protected by a password. Let's pretend some of the information is located in password-protected Folder X. If a rogue employee acquires the password to Folder X and accesses its information to exploit it for personal gain, has the employee violated the CFAA? Because the Supreme Court declined to parse the code-based versus contract-based dichotomy, the answer remains unclear, and the question remains open for other courts to consider. Despite the lack of clarity from the Supreme Court, however, good arguments exist that the employee will have violated the CFAA in this scenario because the code-based approach to liability is the narrower standard.
Moving forward, the Supreme Court's decision has now provided management-side lawyers with the fortuitous opportunity of arguing in favor of either the code-based approach or contract-based approach to CFAA liability. Those advocating a code-based approach will likely rely on the fact that the CFAA was created to address concerns about hacking, which often involves circumventing barriers, such as passwords, that are put it in place to shield access to information on computers. The code-based approach necessitates the creation of concrete barriers like passwords to be put in place to invoke CFAA protection. Additionally, companies with such restrictions may argue that the code-based approach presents a more appropriate standard to use when the punishment at stake is criminal liability. This is because, under the contract-based approach, an employee may be guilty of a federal crime under the CFAA for simply accessing off-limits information "accidentally" without the need to circumvent any code-based barriers. In contrast, the code-based approach requires that an employee circumvent some sort of company "code" to be liable under the CFAA, and this type of conduct seems much more worthy of this high level of liability.
Finally, those who argue in favor of the contract-based approach may cite privacy concerns animating the need to protect against misuse of business information, and note the importance of providing employers with more mechanisms by which to protect critical information. In addition, to urge the contract-based approach, the plaintiff relying upon CFAA can note that Van Buren has already narrowed the reach of the CFAA substantially, and limiting the statute only to code-based protections would further stifle its influence even more. Because Van Buren left this issue open, however, it is still not clear how the Court would rule if the right case arrived in a future Court term, making this topic a likely subject of interesting future litigation.
CFAA as Applied to Web-Scraping
Another clause of the CFAA applies to those who "intentionally access a computer without authorization."3 Recall that the Ninth Circuit took a narrower view of the "exceeds authorized access" provision4, a position now vindicated by Van Buren. In LinkedIn Corp. v. hiQ Labs, Inc., the defendant hiQ Labs built a data-analytics business by scraping information from LinkedIn, prompting LinkedIn to send a cease-and-desist letter. hiQ brought an action seeking a declaratory judgment that the CFAA did not preclude hiQ's web scraping practice. The Ninth Circuit affirmed the lower court's preliminary injunction in favor of hiQ, holding that the CFAA's "without authorization" language did not apply to hiQ's actions. LinkedIn petitioned for certiorari, which the Supreme Court granted. Following the Van Buren decision, the Supreme Court vacated the Ninth Circuit's affirmance of the district court with instructions for the Court to reconsider the case in light of Van Buren. After Van Buren's Footnote 8 text – leaving open whether the CFAA requires technological (or 'code-based') limitations on access or also extends to limits contracts or policies – LinkedIn theoretically has room to argue that the "without authorization" language of the CFAA may encompass web scraping following a cease-and-desist letter. The easier argument to make, however, is for CFAA application to web-scraping when the defendant has defeated code-based measures.
Footnotes
1 18 U.S.C. § 1030.
2 Van Buren v. United States, 141 S. Ct. 1648 (2021).
3 18 U.S.C. § 1030(a)(2)(A).
4 LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.2009)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
