In a June 3 decision in Van Buren v. United States, the U.S. Supreme Court, with Justice Amy Coney Barrett writing for a 6-3 majority, limited the pertinent provision of the Computer Fraud and Abuse Act (CFAA), holding that the statute requires a “gates-up-or-down inquiry—one either can or cannot [permissibly] access a computer system, and one either can or cannot access certain [authorized] areas within the system” in determining who has violated the statute.
In particular, the court held that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer— such as files, folders, or databases—that are off limits to him.”
The court did not address whether exceeding authorized access means that the limitation, the “gate,” has to be code-based (containing technological limitations on access) or the “gate” could be contract- or policy-based. We discuss the key takeaways from the decision.
Relief for Most Computer Users
First, those who may use their work computers to send a personal email, or to read the news, in contravention of their employers’ written warnings that such use is unauthorized, are not (without more) felons under the CFAA.
As most people are authorized to access the email and internet functions, it is now highly unlikely that they have “exceeded authorized access” in using those functions. They may, of course, be subject to other disciplinary actions, but there will likely be no federal case.
Barrett also specified “embellishing an online-dating profile” and “using a pseudonym on Facebook” or otherwise violating a website’s terms of service as not violating the CFAA. Thus, ordinary users of websites will not face felony prosecution by violating one or more of the terms of service; terms that the user has most likely not even read.
Current Restrictions May Not Protect Key Data
If employers have information on their computers that only a specific, limited group of employees should have access to, they should consider segregating the information into separate, password-protected files or folders. If an unauthorized employee enters such protected files or folders—essentially, an internal hacking—CFAA sanction may apply.
At minimum, employers are well-advised to ensure that contractual language limiting access to information stored in a computer is specific and separately agreed to by each employee. However, even contract- or policy-based limitations may not provide certainty that CFAA proscription will apply to employees who exceed such limitations because, given the limited reach of the Supreme Court’s ruling, individual courts may plausibly rule that the limitations must be code-based.
Similarly, website operators are now on notice that their terms of service may not penalize those using the service in unauthorized fashion. Once a website provides access to the public, as a practical matter all such information should be considered “fair game.”
Because the CFAA will no longer provide felony exposure to an individual who violates those terms of service without more, website operators will be challenged to protect their information in ways beyond mere terms of service. A particular fallout from the Van Buren decision is that data “scrapers” (i.e., using automatic programs to take information from websites) may not be viewed as violating the CFAA.
Congress Could Act to Broaden CFAA
Third, be on the lookout for congressional action addressing protection of information in computers. Given that Big Tech is already under congressional scrutiny, there could well be legislation introduced to broaden the CFAA to cover “improper purpose” access to information in protected computers. Depending on the legislation, action may be required to tighten restrictive language in policies and contracts.
Other Laws May Apply
Finally, despite this ruling, other portions of the CFAA are subject to violation in the event of fraud or other defined acts, such as intentionally damaging a computer. In addition, other federal and state criminal statutes may apply to unauthorized access to computer information.
The court’s ruling has limited the statute in ways that will affect not only criminal application of the statute, but also potential civil enforcement by companies. To the extent that Congress allows it to stand, employers and website operators should make a close review of information that they would like to protect from otherwise-authorized employees and users, and fashion a prophylactic approach to preventing such unauthorized access.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Mark Srere is a partner and leader of Bryan Cave Leighton Paisner LLP’s White Collar Practice group.
Ben Clark is senior trial counsel with Bryan Cave Leighton Paisner LLP and a former federal prosecutor.