“Who Goes There!”: U.S. Supreme Court Trims the Reach of the Computer Fraud and Abuse Act

Posted on

By: James K. Paulick, Esq.

The U.S. Supreme Court trims the reach of the Computer Fraud and Abuse Act (CFAA) to now target only those who hack into computers or access information that which their credentials do not permit. Although a fascinating academic study of statutory interpretation, the decision may take the teeth out of a criminal statute that some businesses  have previously relied upon as a remedy if employees misuse the data to which they have access.

In Van Buren v. United States, 593 U.S. __ (2021), a police officer misused his access to law enforcement databases by pulling information on a license plate for an acquaintance in exchange for cash. (The individual’s plate that was searched was a fake entry created by the FBI as part of a sting operation on the Defendant Officer.) There was no dispute that the officer used his actual credentials and accessed information he would otherwise be permitted to access in his day-to-day job, but there was also no question that he was violating his organization’s policy that prohibited using the computer access for anything other than official police business.

Prior to Van Buren, several circuits had interpreted the CFAA statute to mean that “exceeds authorized access” is defined as “exceeding the access in the manner and instance and reason for which he or she was accessing,” while other circuits narrowly interpreted that phrase to mean “specifically to access files and information that your credentials do not permit.”

Taking a narrow, plain-meaning, statutory construction approach, the majority ruled that the “intentionally accesses a computer without authorization or exceeds authorized access” part of the statute is targeted toward those individuals who literally break into computers, or if they have valid access to a computer, break or hack into files and databases that their valid credentials do not have authorization to access.

In the business context, many employees have credentials that give them vast access to company databases containing extremely sensitive and private information on individuals and companies. Since the enactment of the CFAA, for many years  it was presumed that a company could leverage the CFAA with the help of law enforcement to punish those employees who stole information that they otherwise had the present ability to access through their credentials. This was based on the theory that in that instance these employees were “exceeding authorized access” by virtue of accessing that information for a corrupt reason or at least a reason that violated the company’s computer use policies.

With the Van Buren decision, companies will now have to rely on the patchwork of state statutes that may or may not fall to the same statutory interpretation. Companies are well advised to continue to protect themselves from misuse of their private and valuable electronically stored information by narrowly tailoring their credentialing and authorization such that every username and password should not be keys to the kingdom of company information. Right or wrong, the CFAA is no longer a big stick to play backup for businesses’ computer use policies.

For more information or assistance with reviewing data privacy and cybersecurity policies,  please contact James K. Paulick. Jim co-leads the Data Privacy Group, part of Leech Tishman’s Corporate Practice Group. He can be reached at 412.261.1600 or jpaulick@leechtishman.com.

Leech Tishman’s Facebook Page: https://www.facebook.com/leechtishman

Leech Tishman’s Twitter: https://twitter.com/LeechTishman

Leech Tishman’s Company Page on LinkedIn: https://www.linkedin.com/company/leech-tishman

Leech Tishman Fuscaldo & Lampl is a full-service law firm dedicated to assisting individuals, businesses, and institutions. Leech Tishman offers legal services in business restructuring & insolvency, corporate matters, employment & labor, estates & trusts, intellectual property, litigation & alternative dispute resolution, and real estate. In addition, the firm offers a wide range of legal services to clients in the aviation & aerospace, cannabis, construction, energy & natural resources, healthcare, and hospitality industries. Headquartered in Pittsburgh, PA, Leech Tishman also has offices in Chicago, Los Angeles, New York, Philadelphia, Sarasota, and Wilmington, DE.