The U.S. Supreme Court on Nov. 30 heard its first ever case on the Computer Fraud and Abuse Act, an anti-hacking law from the 1980s that employers have relied on to bring claims against employees who misuse their computer access to harm the company.
The court is considering whether a person who is authorized to access information on a computer for certain purposes violates the CFAA if he accesses the same information for an “improper” purpose.
The case involves a former Georgia police officer, Nathan Van Buren, who agreed to look up information on a license plate database in exchange for money. The request had been part of a sting operation by the Federal Bureau of Investigation. As a result, Van Buren was arrested and charged with computer fraud under the CFAA.
The CFAA prohibits accessing a computer without authorization or “exceeding authorized access.” It’s this second prong of the law that the court will consider. Van Buren was authorized to access the database but, the government argues, he exceeded his authorized access when he looked up information for an “improper” purpose.
Van Buren argues that while he accessed the database for an improper reason, the CFAA defines “exceeds authorized access” to mean using one’s permitted computer access to obtain or alter information the user is not entitled to obtain or alter. Because he was authorized to access the information in the database, Van Buren argues, he did not violate the CFAA.
Arguing for Van Buren, attorney Jeffrey Fisher said the government’s more expansive interpretation of “exceeding authorized access” would criminalize mundane misuses of computer access, such as an employee who uses a Zoom account for non-work purposes or a dating site user who fibs on their profile in violation of the site’s terms of service. A broad reading of the CFAA, Fisher argued, could make it a federal crime to violate employee handbooks, course syllabi and even oral directives, such as a parent telling a teenager not to check Instagram before homework is finished.
“[T]he opportunities for prosecutorial discretion are probably broader than any statute the court has ever seen if the government is right in literal terms,” Fisher said when asked about the constitutional implications of his “parade of horribles.”
Eric Feigin, assistant to the solicitor general, argued that “serious breaches of trust by insiders” such as Van Buren “are exactly what the statutory language is designed to cover.” He added that Van Buren is “trying to gut the statute and leave all of that data at the mercy of anyone who ever has any legitimate ground to see it under any circumstance.”
When pressed on the limits of the CFAA, Feigin said the statute wouldn’t apply to terms of service on a public website because a website isn’t an “authorization-based system.” He said Congress intended the law to apply to “people akin to employees” who had been given individualized permission to access data or computer systems.
The case is the first time the CFAA, enacted in 1986 to fight computer hacking, has come under Supreme Court review. Critics of the act, which has both a criminal and civil component, say the law is vague and antiquated, as it was passed before the ubiquity of the internet, personal computers and cell phones, which can all be considered “protected computers” under the CFAA’s definition.
The ambiguity over what “exceeds authorized access” means has given rise to a circuit split, with the 1st, 5th, 7th and 11th circuits adopting the broad view advocated by the government and the 2nd, 4th and 9th Circuits upholding the narrower interpretation favored by Van Buren.
While the CFAA has been called the “worst law in technology” by legal scholars, it has offered companies a way to bring claims against employees or former employees who misuse their computer access to harm their employers. For example, the law can be used against disgruntled employees who destroy digital records on their way out the door or those who use their work computers to access client lists so they can share them with a competitor or prospective employers.
William Mosher, an attorney in Fisher Phillips’ Sacramento office, said that while employers can try to assert claims for breach of contract, misappropriation of trade secrets or copyright infringement, “some of those are very high bars to prove,” and those laws aren’t necessarily written with computer-related activity in mind. In some cases, he added, a company might have spent millions compiling data that is later stolen or misused by an employee, but it doesn’t qualify as a trade secret or copyrighted information. The CFAA can provide another remedy in these situations.
“One of the main benefits of the CFAA is that it was supposed to be designed to target these kinds of actions that we all kind of feel are wrong but maybe don’t fall under another category of tort,” Mosher said.
If the Supreme Court adopts a narrower interpretation of the CFAA, Mosher said, employers will have a much harder time asserting claims against employees who misuse digital information at a time when record numbers of employees are working from home, many with more computer access than they had before.
Holland & Hart partner Chris Jackson said a broad interpretation of the law would “give the government and employers and people who own computer systems a lot of leverage because it would be a very broad law, and there’s a lot of conduct that would get captured by it.” He said he doesn’t expect the court will take a “maximalist view” of the CFAA that would encompass small infractions such as lying on a dating website. The court won’t necessarily take an all-or-nothing approach to answering what “exceeds authorized access” means, he added.
“I would guess that their opinion is going to be more nuanced and try to explain in more detail what exactly this phrase in the law means,” Jackson said.
Jackson said he thinks there’s a “good chance” the court’s decision won’t fall along the “traditional liberal-conservative divide,” noting that Justice Alito tends to side with the government in criminal cases, while Alito’s fellow conservatives Justices Gorsuch and Kavanaugh “are more skeptical of government’s power to criminalize conduct.”
During oral arguments, Gorsuch told Feigin that Van Buren’s case appeared to be the latest in “a rather long line of cases in recent years in which the government has consistently” — and unsuccessfully — “sought to expand federal criminal jurisdiction.”
Mosher said that, given the conservative majority, he would expect to see a broad interpretation of the CFAA, but the criminal component of the law does give him some pause. “Whenever you have a criminal component like this, constitutional rights come into play — due process rights, specifically,” he said. “So that may tie the justices’ hands in how they deal with this.”
“I think mostly employers just need to remember that this case really highlights an issue that has always been there for them and that I think most employers have overlooked, which is how to define and regulate employee access to computer systems,” Mosher said.
The high court’s ruling will only address the second prong of the CFAA about what it means to exceed authorized access, and unauthorized access to databases will remain illegal no matter what the court decides. “So that is still the best defense for employers: to prohibit access at all,” Mosher said. “If you do not give an employee access to information for any purposes, then if they get that information, they’re still going to be in violation of the statute.”
—Jessica Folker