Skip to content

Menu

LexBlog, Inc. logo
CommunitySub-MenuPublishersChannelsProductsSub-MenuBlog ProBlog PlusBlog PremierMicrositeSyndication PortalsAboutContactResourcesSubscribeSupport
Join
Search
Close

“Authorized Access”: The Supreme Court’s First Foray Into The Computer Fraud and Abuse Act

By Stephen M. Byers, Jeffrey L. Poston, Gabriel M. Ramsey, Paul M. Rosen, Joshua M. Rychlinski & Kayvan M. Ghaffari on April 22, 2020
Email this postTweet this postLike this postShare this post on LinkedIn

On April 20, 2020, the Supreme Court granted cert in Van Buren v. United States, to resolve an important circuit split over the meaning of “authorized access” under the Computer Fraud and Abuse Act (CFAA). This is the Court’s first foray into analyzing the precise contours of CFAA liability. Van Buren may have far-reaching implications for any individual or business operating in the digital domain, as the scope of civil and criminal liability under the CFAA can impact just about any sort of relationship involving access to computer systems, whether it be employer-employee relationships or third-party relationships.

The CFAA was enacted in 1986 as a first-of-its-kind statute designed to combat computer-related crimes, and has become an important and powerful tool for not only for the government but any business seeking to protect its intellectual property and computer systems. The CFAA imposes criminal liability on any person who “intentionally accesses a computer without authorization” or “exceeds authorized access” and, in doing so, obtains information from any protected computer. The CFAA also provides a civil cause of action for similar conduct. See 18 U.S.C. §§ 1030(a)(2), 1030(a)(4), 1030(a)(5)(B)-(C).

The term “without authorization” is undefined, but the CFAA defines “exceeds authorized access” as “access[ing] a computer with authorization and [using] such access to obtain or alter information in the computer that the accessor is not entitled to obtain or alter.” 18 U.S.C. § 1030(e)(6). As can be expected, there has been extensive litigation over the interpretation of “without authorization” and “exceeds authorized access.” This has led to a circuit split on what type of conduct actually constitutes a CFAA violation. In particular, courts have grappled with whether the language of the CFAA places the focus on how the individual accessed the information, rather than how or under what circumstances the individual used the information.

For example, the First, Fifth, Seventh, and Eleventh Circuits broadly interpret “exceeding authorized access” to include using information on a computer in violation of a confidentiality agreement, or accessing information on a computer for a purpose prohibited by an employer. Specifically, the Eleventh Circuit has held that a defendant “exceeded his authorized access” under the CFAA by improperly using information that he was authorized to access. U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010). In Rodriguez, a former employee of the Social Security Administration accessed the personal records of 17 different individuals for nonbusiness reasons while employed by the SSA. Id. There is no dispute that he was authorized to access those personal records. Id. However, the Eleventh Circuit held that the defendant “exceeded his authorized access and violated the [CFAA] when he obtained personal information for a nonbusiness reason” in violation of an established SSA policy. Id; see also Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) (holding that when an employee of a real estate business deleted data regarding potential acquisition properties from his company laptop, the destruction of information breached the defendant’s duty of loyalty and therefore terminated the employee’s authorization to access the computer).

In contrast, the Second, Fourth, and Ninth Circuits have adopted a narrower interpretation of “exceeding authorized access”: liability cannot be imposed on a person with permission to access information on a computer who then uses that information for an improper purpose. In the seminal case U.S. v. Nosal, the Ninth Circuit held that subsequent improper use of information that was acquired by individuals with authorization to access such information is not a CFAA violation. 676 F.3d 854 (9th Cir. 2012). In Nosal, an ex-employee was charged with violating the CFAA on a theory that he induced former colleagues to use legitimate credentials—i.e., authorized credentials—to access the company’s infrastructure and provide the former employee with information. Id. While the ex-employees’ use of the information was clearly improper, the Ninth Circuit refused to extend the CFAA to this conduct because the accomplices were authorized to access the information, regardless of the subsequent use of that information. See also WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) (holding that improper use of information validly accessed did not qualify as “unauthorized access” or “exceeding authorized access” within the meaning of the statute).

This brings us back to the case pending before the Supreme Court. Mr. Van Buren was a state police officer in Georgia. As part of a sting operation, the FBI used a third-party informant to ask Mr. Van Buren to obtain information from the Georgia Crime Information Center database. Mr. Van Buren had authorization to access this database for “law enforcement purposes” and, accordingly, accessed the database and provided the information to the third-party informant. The FBI arrested him for a CFAA violation (among other offenses) the next day. Though Mr. Van Buren had authorized access to the database, he had exceeded that authorization when he accessed the database to provide information to the third-party informant (i.e., not for law enforcement purposes). The Eleventh Circuit affirmed Van Buren’s CFAA conviction, rejecting his argument that he was “innocent of computer fraud because he accessed only databases that he was authorized” to access.

The Eleventh Circuit’s decision recognized that “other courts have rejected Rodriguez’s interpretation of ‘exceeds authorized access’” and invited the Supreme Court to resolve this split. The Supreme Court’s decision will reverberate in the digital domain, in both the context of criminal enforcement of the CFAA and civil liability under that statute. If the Supreme Court adopts the narrower view, then businesses seeking to curb unauthorized use of information by employees and others will have a narrower set of legal tools and must rely on theories apart from the access itself. For example, the federal Defend Trade Secrets Act (DTSA) and state trade secret, tort, trespass and contract law will take on more significance in holding individuals liable for access to and use of the information. If the broader view prevails, then more expansive theories of CFAA enforcement and liability will be available.

In addition to Van Buren, a second CFAA case, HiQ v. LinkedIn, is pending before the Supreme Court. That case involves a business using automated bots to scrape information from public LinkedIn profiles including name, work history, job titles and skills, and using the information to yield “people analytics” in order to sell such information to its clients. LinkedIn is asking the Supreme Court to consider whether the use of automated bots to harvest personal data from public-facing websites—even after the computer servers’ owners have expressly denied permission to access the data—constitutes “intentionally access[ing] a computer without authorization” in violation of the CFAA. Like Van Buren, a decision in HiQ could have far-reaching implications for companies relying on, or opposing, data scraping (or other technical measures to obtain information) to support a business.

Crowell & Moring’s technology practice is devoted to litigating highly complex and ground-breaking technology issues in a variety of domains, including the CFAA. We will continue to monitor developments in Van Buren and HiQ and provide updates that will position businesses to adequately protect their systems and information in the rapidly changing legal technological landscape, and also avoid running afoul of the CFAA.

Photo of Stephen M. Byers Stephen M. Byers

Stephen M. Byers is a partner in the firm’s White Collar & Regulatory Enforcement Group and serves on the group’s steering committee. He is also a member of the firm’s Government Contracts Group and E-Discovery & Information Management Group. Mr. Byers’s practice involves…

Stephen M. Byers is a partner in the firm’s White Collar & Regulatory Enforcement Group and serves on the group’s steering committee. He is also a member of the firm’s Government Contracts Group and E-Discovery & Information Management Group. Mr. Byers’s practice involves counseling and representation of corporate and individual clients in all phases of white collar criminal and related civil matters, including: internal corporate investigations; federal grand jury, inspector general, civil enforcement and congressional investigations; and trials and appeals.

Mr. Byers’s practice focuses on matters involving procurement fraud, health care fraud and abuse, trade secrets theft, foreign bribery, computer crimes and cybersecurity, and antitrust conspiracies. He has extensive experience with the federal False Claims Act and qui tam litigation, the Foreign Corrupt Practices Act, the Economic Espionage Act, and the Computer Fraud and Abuse Act. In addition to defense of government investigations and prosecutions, Mr. Byers has represented corporate victims of trade secrets theft, cybercrime, and other offenses. For example, he represented a Fortune 100 U.S. company in parallel civil and criminal proceedings that resulted in a $275 million criminal restitution order against a foreign competitor upon its conviction for trade secrets theft.

Read more about Stephen M. ByersEmail
Show more Show less
Photo of Jeffrey L. Poston Jeffrey L. Poston

Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years…

Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years of experience leading investigations and litigation for corporate clients, Jeff counsels and defends clients in complex data protection matters involving class-actions and regulatory enforcement actions, as well as commercial disputes. Jeff also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Read more about Jeffrey L. PostonEmail
Show more Show less
Photo of Gabriel M. Ramsey Gabriel M. Ramsey
Read more about Gabriel M. RamseyEmail
Photo of Paul M. Rosen Paul M. Rosen
Read more about Paul M. RosenEmail
Photo of Joshua M. Rychlinski Joshua M. Rychlinski
Read more about Joshua M. RychlinskiEmail
Photo of Kayvan M. Ghaffari Kayvan M. Ghaffari
Read more about Kayvan M. GhaffariEmail
  • Posted in:
    Intellectual Property, Privacy & Data Security
  • Blog:
    Trade Secrets Trends
  • Organization:
    Crowell & Moring LLP
  • Article: View Original Source

LexBlog, Inc. logo
Facebook LinkedIn Twitter RSS
Real Lawyers
99 Park Row
  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service
  • Products
  • Blog Pro
  • Blog Plus
  • Blog Premier
  • Microsite
  • Syndication Portals
  • LexBlog Community
  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status
  • Resource Center

New to the Network

  • Pro Policyholder
  • The Way on FDA
  • Crypto Digest
  • Inside Cybersecurity & Privacy Law
  • La Oficina Legal Ayala Hernández
Copyright © 2022, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo