
U.S. Supreme Court Limits Scope of Employee-Employer Liability Under the CFAA

Article

New Jersey Law Journal

September 30, 2021

The Supreme Court’s recent decision in Van Buren v. United States, 141 S.Ct. 1648, 1653 (2021), resolved a circuit split regarding the scope of liability under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030 et seq. Specifically, the court held that a person does not “excee[d] authorized access” under the CFAA when the person accesses information on a computer for an improper purpose if he or she was authorized to access the information. Van Buren, 141 S.Ct. at 1662. The decision provides guidance for employers and employees regarding the scope of criminal and civil liability under the CFAA for the access and use of sensitive company information; it will also have broad implications for trade secret litigation in federal court.

The CFAA subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains computer information. 18 U.S.C. §1030(a)(2) (added emphasis). Although the Third Circuit had not interpreted the “exceeds authorized access” clause before Van Buren, “[d]istrict courts in the Third Circuit have held, in the employer-employee context, that an employee who may access a computer by the terms of her employment is ‘authorized’ to use that computer for purposes of the CFAA even if her purpose in doing so is to misuse or misappropriate the employer’s information.” Beauty Plus Trading, Co. v. Adamo, Civil Action No. 17-7469 (JLL), 2018 U.S. Dist. LEXIS 23267, at *5 (D.N.J. Feb. 13, 2018).

Similarly, the Second Circuit had adopted the narrower interpretation of “exceeds authorized access.” United States v. Valle, 807 F.3d 508, 528 (2d Cir. 2015) (reversing conviction as to the count of improperly accessing a computer in violation of the CFAA). Those who violate §1030(a)(2) face penalties ranging from fines and misdemeanor sentences to imprisonment for up to 10 years. §1030(c)(2). They also risk civil liability under the CFAA’s private cause of action, which allows persons suffering “damage” or “loss” from CFAA violations to sue for money damages and equitable relief. §1030(g).

The Van Buren case arose out of a federal prosecution against a former Georgia police sergeant who used the state law enforcement computer database to run a license plate search on behalf of an individual who promised to pay the sergeant around $5,000. Van Buren, 141 S.Ct. at 1653. “Van Buren used his patrol-car computer to access the law enforcement database with his valid credentials.” Id. The federal government then charged Van Buren with a felony violation of the CFAA on the ground that running the license plate for the third party “violated the ‘exceeds authorized access’ clause of 18 U.S.C. §1030(a)(2).” Id. Van Buren had been trained not to use the law enforcement database for “an improper purpose,” defined as “any personal use.” Id. The jury convicted Van Buren, and the district court sentenced him to 18 months in prison.

On appeal to the Eleventh Circuit, Van Buren argued that the “exceeds authorized access” clause “applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have.” Van Buren, 141 S.Ct. at 1653. Consistent with its Circuit precedent, the Eleventh Circuit held that Van Buren had violated the CFAA by accessing the law enforcement database for an “inappropriate reason.” Id. at 1653-54. The Supreme Court granted certiorari and reversed.

The Supreme Court found the text of the statute conclusive. The CFAA defines the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” §1030(e)(6) (added emphasis). The government argued that the phrase “is not entitled so to obtain” refers to “information one was not allowed to obtain in the particular manner or circumstances in which he obtained it.” Van Buren, 141 S.Ct. at 1654. The manner or circumstances in which one has a right to obtain information, the government argued, are “defined by any specifically and explicitly communicated limits on one’s right to access information.” Id. at 1654-55.

The court rejected the government’s interpretation. The word “so” in the phrase “entitled so to obtain” is not a free-floating term that provides a hook for any limitation stated anywhere. Van Buren, 141 S.Ct. at 1655. Rather, “so” refers to a stated, identifiable proposition from the preceding text. Id. And here, the phrase “is not entitled so to obtain” is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access. Id.

The court also relied on the CFAA’s statutory structure to support its interpretation. Section 1030(a)(2) “specifies two distinct ways of obtaining information unlawfully.” Van Buren, 141 S.Ct. at 1658. First, an individual violates the provision when he “accesses a computer without authorization.” §1030(a)(2). Second, “an individual violates the provision when he ‘exceeds authorized access’ by accessing a computer ‘with authorization’ and then obtaining information he is ‘not entitled so to obtain.’” Van Buren, 141 S.Ct. at 1658 (quoting §§1030(a)(2), (e)(6)). This interpretation “makes sense of the statutory structure” because it treats the “without authorization” and “exceeds authorized access” clauses consistently, giving both clauses “a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” Id. at 1658-59.

The court also relied on the civil liability sections of the CFAA to support its interpretation. Provisions defining “damage” and “loss” specify what a plaintiff in a civil suit can recover. Van Buren, 141 S.Ct. at 1659. “[D]amage,” the statute provides, means “any impairment to the integrity or availability of data, a program, a system, or information.” §1030(e)(8). The term “loss” likewise “relates to costs caused by harm to computer data, programs, systems, or information services.” Van Buren, 141 S.Ct. at 1659-60 (citing §1030(e)(11)). The statutory definitions of “damage” and “loss” thus “focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data.” Van Buren, 141 S.Ct. at 1660. The terms’ definitions are “ill fitted … to remediating misuse of sensitive information that employees may permissibly access using their computers.” Id. (quotations omitted).

Lastly, the court relied on policy to support its interpretation. If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, the court posited, “then millions of otherwise law-abiding citizens are criminals.” Van Buren, 141 S.Ct. at 1661.

Thus, the court held that an individual “exceeds authorized access” when “he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Van Buren, 141 S.Ct. at 1662. “The parties agree[d] that Van Buren accessed the law enforcement database system with authorization.” Id. “Van Buren accordingly did not ‘excee[d] authorized access’ to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.” Id. So the Supreme Court reversed and remanded. Id.

Although the decision concerned the CFAA, Van Buren will have broad implications for trade secret litigation in federal court. A plaintiff-employer can no longer establish a CFAA violation based solely on an employee’s downloading, destroying, or misappropriating confidential employer information in violation of a computer-use policy. Indeed, at least one district court in the Third Circuit has already relied on Van Buren to dismiss CFAA claims based on misuse of confidential information. KBS Pharmacy v. Patel, No. 21-1339, 2021 U.S. Dist. LEXIS 107779, at *6 (E.D. Pa. June 9, 2021) (dismissing CFAA claim because “[t]he CFAA simply does not encompass the employee’s misuse of the information if the employee had authorized access to the information in the computer in the first place”). Employers may have valid state law remedies against departing employees for breach of confidentiality agreements and for misuse of confidential information. But Van Buren is nonetheless significant because such plaintiffs will no longer be able to rely on the CFAA to obtain subject-matter jurisdiction in federal court for misuse of information that does not rise to the level of protected trade secrets under the Defend Trade Secrets Act.

In light of Van Buren, employers may wish to take this opportunity to review and improve how they protect their confidential, proprietary digital information against rogue employees. First, employers should consider adding authentication points to restricted areas on their computer systems, files, and databases to limit access to certain sensitive and confidential information on a need-to-know basis. Second, employers should consider reviewing and bolstering any confidentiality, data security, and computer terms of use agreements with their employees to ensure state law protections remain available.


Reprinted with permission from the September 30, 2021 issue of the New Jersey Law Journal. © 2021 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved. For information, contact 877-257-3382 or reprints@alm.com or visit www.almreprints.com.