On June 3, 2021, in a much-anticipated decision, the US Supreme Court ruled in Van Buren v. United States that under the Computer Fraud and Abuse Act of 1986 (CFAA), an individual "exceeds authorized access" to a computer when he accesses the computer with authorization but then accesses information located in particular areas of the computer to which he does not have specific authorization. The Court also held, however, that the "exceeds authorized access" clause does not reach individuals who have authorized access to the information but use that authorization for an unauthorized purpose. This ruling, which rejected the government's interpretation of the CFAA provision, narrows the reach of the statute in a variety of contexts, including for employees who may use their authorized access to employer-provided computers and databases to serve an improper purpose, such as personal use or financial gain.

In Van Buren, former Georgia police sergeant Nathan Van Buren used his patrol-car computer to access a law enforcement database to retrieve license plate information in exchange for money. In his official position, Van Buren was authorized to access the database, and he used his own valid credentials to perform the license plate search. However, because his search was pursuant to a non-law-enforcement purpose—that is, for personal monetary gain—he violated a department policy prohibiting "an improper use" of a law enforcement database, defined as "any personal use." He was then criminally charged with violating the CFAA.

The CFAA imposes civil and criminal liability on an individual who "intentionally accesses a computer without authorization or exceeds authorized access." 18 U.S.C. § 1030(a)(2). The second prong, "exceeds authorized access," was at issue in Van Buren. At the time, circuits were split on how to read that clause. Did "exceeds authorized access" only include accessing particular areas of a computer—such as files, folders, and databases—to which the individual did not have specific authorization, even if the individual had general authorization to access the computer? Or would an individual also "exceed[] authorized access" when accessing a particular area of a computer with authorization, but for an improper purpose? Van Buren was convicted under the latter reading and sentenced to 18 months in prison. On appeal, the Eleventh Circuit affirmed his conviction, relying on prior circuit precedent that the CFAA's "exceeds authorized access" clause does prohibit authorized access for an "inappropriate reason." United States v. Van Buren, 940 F.3d 1192, 1208 (11th Cir. 2019).

Relying on a close reading of the statutory text, the Supreme Court reversed the Eleventh Circuit in a 6-3 decision. The Court rejected the government's broader interpretation of the "exceeds authorized access" prong, which would have prohibited authorized access to a computer for an improper purpose. The Court reasoned that such an interpretation did not sufficiently identify the type of conduct that would be considered illegal access, opening a person up to civil and criminal liability for exceeding any access limits that might appear "in the United States Code, a state statute, a private agreement, or anywhere else." The Court also pointed out that the government's interpretation would result in an inconsistency: it would permit an inquiry into a person's improper purpose in accessing a particular area of a computer under the second prong of the CFAA, but not into their improper purpose in accessing the computer itself under the first prong of the CFAA.

In contemplating the circumstances in Van Buren and other similar situations, the Court declined to criminalize "a breathtaking amount of commonplace computer activity" performed by "millions of otherwise law-abiding citizens," including, for example, "an employee who sends a personal e-mail or reads the news using her work computer." What is more, because the CFAA provision under which Van Buren was prosecuted provides for both criminal and civil liability, the Court's holding also insulates an individual from civil liability under the CFAA for that same conduct. The Court explained that civil liability under the "exceeds authorized access" clause of the CFAA was intended to remedy technological harms to computer data or systems, not the "misuse" of information that someone accessed with authorization.

While the decision appears to suggest that government agents and other employees may use their authorized access to their employers' computer databases to pursue an improper purpose with impunity, it is important for computer users and owners alike to be aware that the conduct described in Van Buren may still constitute a violation of other federal and state criminal statutes. Further, this narrower reading of the CFAA may encourage computer owners and website operators to place clearer restrictions on access to information databases or computers, including (for employers) time-of-use and place-of-use restrictions.

In the workplace, employers may opt to exercise a more rigid gatekeeping role regarding which employees have access to the information database or computers in the first place, perhaps by strengthening their technological safeguards or by enhancing recordkeeping that logs employee access. Moreover, given the inevitability and necessity of technological connectivity and accessibility today, employers may also consider assessing their internal regulations and policies to discourage employees from accessing information databases for an "improper purpose," whether it is something as innocuous as a news anchor using the news channel's internal database to check proprietary weather information for an upcoming picnic, or something more mischievous, like Van Buren's decision to obtain license plate information for personal gain.

Originally published 7 June 2021
