A significant opinion concerning computer security was one of those the U.S. Supreme Court issued during its end-of-term flurry this year. Employers and others who permit computer access to sensitive information for business or other defined purposes may want to take note of the ruling, Van Buren v. United States.
Spoiler alert: The opinion undercuts use of the Computer Fraud and Abuse Act of 1986 (“CFAA”) to obtain federal jurisdiction in employer-employee disputes. (As a practical matter, however, the Defend Trade Secrets Act of 2016 had already filled the gap for many circumstances.) …
The Issue
The critical question before the Supreme Court in Van Buren was how to interpret the phrase “exceeds authorized access” in the statute, which provides for criminal penalties and/or a private right of action against someone who “intentionally accesses a computer without authorization or exceeds authorized access” and thereby causes damage.
Petitioner Nathan Van Buren was a police sergeant in Cumming, Georgia, who used his valid credentials to access the patrol car computer, and, from that computer, the law enforcement database maintained by the Georgia Crime Information Center (“GCIC”), in order to obtain information about a license plate. Van Buren was led to believe that the license plate belonged to a woman in whom an acquaintance of his was romantically interested, and that the acquaintance would pay him about $5,000 to check the license plate information.
There was no dispute that Van Buren was authorized to access both the computer and the database involved, and there was also no dispute that he sought the license plate information for an improper purpose, outside his job duties; that is, to find out, on behalf of another individual and for his own personal gain, whether the owner of the license plate was an undercover police officer.
Van Buren was charged with and convicted of various offenses, including violation of the CFAA, and sentenced to 18 months in prison.
The Circuit Court Decision
Van Buren appealed the CFAA conviction, arguing, inter alia, that he did not “exceed[] authorized access” because he was authorized to access the GCIC database, even if he violated department and other policies by searching the database for personal gain rather than police business. The Eleventh Circuit affirmed the conviction, based on its precedent adhering to the broader interpretation of “exceeds authorized access” – that is, as prohibiting an individual from using his or her authorized access to databases or computer folders for purposes that are not authorized.
The circuits had split on whether that interpretation or the narrower view, whereby the CFAA is only violated if the user is not authorized to access the database or computer folder in the first place, was right.