Aime Dempsey, Member of the Firm in the Litigation and Employment, Labor & Workforce Management practices, in the firm’s New York office, authored an article in the Intellectual Property & Technology Law Journal, titled “U.S. Supreme Court Favors Narrower Reading of Computer Fraud and Abuse Act “So” It Does Not Cover Misuse of Authorized Access.”

Following is an excerpt (see below to download the full version in PDF format):

A significant opinion concerning computer security was one of those the U.S. Supreme

Court issued during its end-of-term flurry this year. Employers and others who permit computer access to sensitive information for business or other defined purposes may want to take note of the ruling, Van Buren v. United States.

Spoiler alert: The opinion undercuts use of the Computer Fraud and Abuse Act of 1986 (“CFAA”) to obtain federal jurisdiction in employer-employee disputes. (As a practical matter, however, the Defend Trade Secrets Act of 2016 had already filled the gap for many circumstances). …

The Issue

The critical question before the Supreme Court in Van Buren was how to interpret the phrase exceeds authorized access” in the statute, which provides for criminal penalties and/or a private right of action against someone who “intentionally accesses a computer without authorization or exceeds authorized access” and thereby causes damage.

Petitioner Nathan Van Buren was a police sergeant in Cumming, Georgia, who used his valid credentials to access the patrol car computer, and, from that computer, the law enforcement database maintained by the Georgia Crime Information Center (“GCIC”), in order to obtain information about a license plate. Van Buren was led to believe that the license plate belonged to a woman in whom an acquaintance of his was romantically interested, and that the acquaintance would pay him about $5,000 to check the license plate information.

There was no dispute that Van Buren was authorized to access both the computer and the database involved, and there was also no dispute that he sought the license plate information for an improper purpose, outside his job duties; that is, to find out, on behalf of another individual and for his own personal gain, whether the owner of the license plate was an undercover police officer.

Van Buren was charged with and convicted of various offenses, including violation of the CFAA, and sentenced to 18 months in prison.

The Circuit Court Decision

Van Buren appealed the CFAA conviction, arguing, inter alia, that he did not “exceed [] authorized access” because he was authorized to access the GCIC database, even if he violated department and other policies by searching the database for personal gain rather than police business. The Eleventh Circuit affirmed the conviction, based on its precedent adhering to the broader interpretation of “exceeds authorized access” – that is, as prohibiting an individual from using his or her authorized access to databases or computer folders for purposes that are not authorized.

The circuits had split on whether that interpretation or the narrower view, whereby the CFAA is only violated if the user is not authorized to access the database or computer folder in the first place, was right.

PDF: U.S. Supreme Court Favors Narrower Reading of Computer Fraud and Abuse Act “So” It Does Not Cover Misuse of Authorized AccessDownload

Services

Industries

Jump to Page

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.