The U.S. Supreme Court overturned the conviction of a former police officer for accessing an enforcement database in a case that tested the bounds of a federal anti-hacking law.
The justices favored a narrow reading of the Computer Fraud and Abuse Act, writing in a Thursday decision that a broad interpretation would attach criminal penalties to “a breathtaking amount of commonplace computer activity.”
The case, Van Buren v. United States, asked whether an officer who misused his authorized access to the database should be held liable under the Computer Fraud and Abuse Act. The law makes it a crime to access a computer without authorization, or in excess of authorization.
Appeals courts have split over the meaning of access and what counts as exceeding it. The Supreme Court’s decision could have implications for a wide range of computer use scenarios, though it’s likely most relevant to those involving alleged theft of company trade secrets.
Police officer Nathan Van Buren was convicted and sentenced to 18 months in prison for using an enforcement database to look up a strip club dancer’s license plate number as a favor in exchange for a loan.
“Van Buren’s conduct plainly flouted his department’s policy, which authorized him to obtain database information only for law enforcement purposes,” the justices wrote. But it didn’t violate the CFAA, the court said in a 6-3 opinion.
The justices found that the police officer didn’t “exceed authorized access” to the database, as defined in the law, even though he obtained information from it for “an improper purpose.” Justice
The outcome could have implications for other instances where an insider’s data access is called into question, like with current or former employees in the public and private sectors.
Federal courts have been wrestling with how to apply the 1986 anti-hacking law to situations such as trade secrets claims brought against departing employees who take corporate information to competitors.
“It sharply limits the ability for companies to use the Computer Fraud and Abuse Act against employees who misuse company data,” said William Ridgway, a former federal prosecutor who’s a partner at Skadden, Arps, Slate, Meagher & Flom LLP, said of the high court’s decision.
Companies could be forced to change how data is held internally so that employees can’t access data they’re not entitled to, Ridgway said. He added that companies often have relied on banners for employees to click through, warning them of corporate policies.
“I don’t think in the wake of this decision banners will do it,” Ridgway said.
Employees who access data after they leave a company could still be held liable under the CFAA for lacking authorization, rather than exceeding it like Van Buren. Such cases usually arise when former employees access stolen copies of files, according to Matthew Prewitt, a partner at Schiff Hardin LLP who focuses on laws governing confidential business and personal information.
“By definition, an employee’s ‘authorized access’ almost always ends upon termination of employment,” Prewitt said in an email.
The Supreme Court didn’t answer some of the more complicated access questions raised by the Computer Fraud and Abuse Act, including those surrounding issues like web scraping, said Megan Iorio, counsel at the nonprofit Electronic Privacy Information Center, which filed a brief in the case.
“The court endorsed a general ‘gates-up-or-down approach,’ but left open the question whether the gates must be technical or whether they can be contract-based,” Iorio said in an email. According to the opinion, “gates-up-or-down” refers to whether someone can or can’t access a computer system, or certain areas within the system.
The ruling is a win for cybersecurity researchers who test computer systems for flaws, said Tarah Wheeler, a cyber fellow at Harvard University and think tank New America.
The Computer Fraud and Abuse Act has been used as a “strong arm tactic” to expose security researchers to criminal charges for violating a company’s policies or terms of service that penalize any unwanted behavior on their network, Wheeler said.
“This decision demonstrates and rebukes the chilling effect the CFAA has had on security researchers and the power it gives to corporate policy writers to have federal law on their side,” Wheeler said of the Supreme Court ruling.
The practical impact of the decision could be limited by other legal restrictions on the use of data, according to Trisha Anderson, a cybersecurity partner at Covington & Burling LLP who previously worked at the Justice Department, Treasury Department, and the Federal Bureau of Investigation.
People who misuse their access to information could still be found liable for a breach of contract or a violation of state tort law, she said.
“This doesn’t sweep away all potential legal restrictions on access to information for a purpose different from one you’re authorized to access it for,” Anderson said.
The case is Van Buren v. United States, U.S., No. 19-783, opinion 6/3/21.