Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

INSIGHT: Cop’s Conviction for License Plate Search Gives SCOTUS Chance to Settle Split Over Hacking Law

March 12, 2020, 8:01 AM

What does a police officer’s search of an exotic dancer’s license plate have to do with businesses’ efforts to curb misappropriation of confidential information? Potentially, a lot.

Former Georgia police sergeant Nathan Van Buren filed a petition in December 2019 for review with the U.S. Supreme Court seeking to overturn his conviction for violating the Computer Fraud and Abuse Act. Specifically, Van Buren was convicted of exceeding his authorized access to the Georgia Crime Information Center database after he searched it for a reason other than for law enforcement purposes.

The Supreme Court has a chance to answer a question without an easy answer: What does it mean to “exceed authorized access”? The circuit split on this question has endured for years, so the time is ripe for the Supreme Court to accept Van Buren’s petition and weigh in.

Employers should be carefully watching for the answer. Regardless of which way the court tips, it is likely to have a profound impact on civil litigation involving employees accessing confidential information for an improper purpose.

CFAA Prohibits Variety of Conduct

The CFAA prohibits a wide variety of conduct, including the use of a protected computer without authorization or in excess of one’s authorized access to fraudulently obtain something of value.

The CFAA is a criminal statute, but also provides for a civil cause of action for any person suffering damage or loss by a violation of the statute. It has been used by employers as an entrée into federal court when diversity jurisdiction was lacking, particularly prior to 2016, when the federal Defend Trade Secrets Act was enacted.

Although the DTSA may provide a more straightforward vehicle for employers seeking to punish misappropriators, the CFAA still offers another alternative, and could support a federal suit where the DTSA wouldn’t—such as where information accessed by a rogue employee is confidential, but does not rise to the level of a trade secret under the DTSA.

Unlike the DTSA, which allows a court to award attorneys’ fees to a defendant if a claim was made in bad faith, the CFAA contains no fee-shifting provision.

Circuit Split Over ‘Exceeds Authorized Access’

The interpretation of what, exactly, constitutes computer use that “exceeds authorized access” has been the subject of much debate over the years.

Certain circuits, such as the First, Fifth, Seventh, and Eleventh Circuits, interpret this clause broadly, finding that even where an individual has access to a protected computer or certain data on it, the individual can “exceed” authorized access by using that data for an improper purpose (for example, an employee misappropriating confidential information to which he or she has access and sharing that information with a competitor).

Others, like the Second, Fourth, and Ninth Circuits, construe it narrowly and only find a violation under the “exceeds authorized access” language if the defendant accessed information which he or she was not authorized to access for any purpose—essentially, hacking.

Surprisingly, the Eleventh Circuit’s decision upholding Van Buren’s conviction hardly reads as a full-throated defense of the broad interpretation of “exceeds authorized access.” Instead, the decision acknowledges the varying interpretations, and tepidly notes that under its “prior-precedent rule,” its previous decision interpreting the CFAA broadly is binding “unless and until it is overruled or undermined to the point of abrogation by the Supreme Court or by this court sitting en banc.”

Reading the tea leaves, it appears that the Eleventh Circuit is skeptical of the continued viability of the broad interpretation, but feels its hands are tied by its prior jurisprudence, unless and until the Supreme Court weighs in.

Van Buren’s counsel urges in his petition, “there is an entrenched four-to-three split,” and at this point, it appears that “courts are just choosing sides.” It seems obvious that the split will endure absent a decision from the high court (or legislative action to clarify the CFAA’s scope, which seems unlikely).

This deep Circuit split leads to inconsistent results—conduct that is a violation in the First Circuit may not be one in the Ninth Circuit. This inconsistency leads, in turn, to forum shopping, particularly in the civil context, given the increasingly multijurisdictional nature of business. For example, a Dallas-based employer looking to sue its Los Angeles-based employee under the CFAA for improperly accessing confidential information to help a competitor would have a viable CFAA claim if brought in Texas, but not in California.

And there is not only incentive for plaintiffs to forum shop—there is also an incentive for defendants to seek a transfer to another venue. Using the same example above, a Californian is much likelier to move to transfer a CFAA claim pending in Texas to California, knowing that the Ninth Circuit will construe the claim much more favorably against him or her than the Fifth Circuit will.

The Potential Impact on Businesses

So what happens if the Supreme Court does agree to review Van Buren’s conviction? It’s unclear whether the justices would adopt the expansive interpretation of “exceeds authorized access” or the narrower one.

The court may be swayed by the criminal justice position espoused by Van Buren’s attorneys. In his petition, Van Buren’s counsel urged the court that "[r]eading the statute more broadly would criminalize ordinary computer use throughout the country.”

Yet employers may lose an important arrow in their quiver when it comes to pursuing former employees in federal court, especially if their conduct does not rise to the level of unlawful misappropriation under the DTSA.

Either way, businesses should be keeping a close eye on this case to see how the court rules.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Dawn Mertineit is a litigation partner in the Boston office of Seyfarth Shaw LLP. She is a member of the firm’s Trade Secrets, Computer Fraud & Non-Competes group.