In June, the U.S. Supreme Court resolved an important issue under the Federal Computer Fraud and Abuse Act (CFAA), which has been used by companies as they battle hackers, rogue employees, and terminated employees. The CFAA imposes criminal and civil liability when a person accesses a computer “without authorization or exceeds authorized access.” Rogue employees who obtain company information without a business need often find themselves facing a suit that seeks, among other things, damages under the CFAA. A company that can invoke a federal statute — especially one that also could create criminal liability — can create significant leverage in litigation.
The Court held that one “exceeds authorized access” when they access a computer with authorization but then obtain information located in particular areas of the computer — such as files, folders, or databases — that are off limits from a security standpoint. In other words, the employee needs to hack into an internal database in order to exceed the access provided by the employer.
The case before the Court arose out of a sting operation directed at police misconduct. A police officer agreed to take cash in exchange for running a license plate. The police officer was authorized to access the database, but department policy required the database be run only for legitimate police business. The officer was arrested, charged, and convicted of violating the CFAA. Because of the Court’s ruling, his conviction was overturned. While he ran the plate in violation of department policy, he did not violate the CFAA because he did not exceed authorized access to the database.
This decision stands for a proposition security professionals have been touting for years: if you want to keep employees from going through a door, a lock is far better than a sign. Most corporate acceptable use polices bar employees from accessing data or using computer resources except when necessary for business purposes. While such policies are necessary and valuable, they are not a substitute for security. A company that truly wants to prevent internal snooping will implement robust access control measures. Security professionals trying to make the case internally for more robust access control can find support in this decision.
The Court also recognized that, practically, company policies are not always intended to be applied strictly, and it was not inclined to believe that Congress wanted all such violations to be federal crimes:
“Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has [committed a federal crime].”
The Court chose not to read the law to make “millions of otherwise law-abiding citizens … criminals.”
The Court’s decision does not dictate or mandate any particular corporate action. At most, it may take one “tool” out of the lawyer’s tool belt when an employee goes rogue. Companies can still terminate employees for violating policy, and may be able to assert other claims if civil litigation is necessary. Nor does the decision benefit terminated employees whose access is no longer authorized. And, regardless of the remedial rights that might exist, an ounce of prevention will always be more valuable from an information security standpoint than a pound of cure.
Van Buren v. U.S. was authored by Justice Barrett, and you can read the decision on the Supreme Court’s web site.