In a decision handed down yesterday, the Supreme Court held that civil liability under the Computer Fraud and Abuse Act (“CFAA”) does not attach for employees who abuse or misuse their access credentials in accessing their current or former employers’ computer networks. Rather, to be liable under the CFAA, the employees must access databases or other electronic materials that are outside of their access rights and otherwise off-limits to them.
The case, Van Buren v. United States, arose out of the actions of a former police sergeant. The former officer, Van Buren, used his valid login credentials to search his police department database for a particular license plate number in exchange for a bribe, but was caught by an FBI sting operation. Van Buren was charged with a felony violation of the CFAA—18 U.S.C. § 1030(a)(2). An individual is liable under this section (which can carry both civil and criminal penalties) if he “intentionally accesses a computer without authorization or exceeds authorized access.” The statute defines “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).
The question facing the court in Van Buren was whether the defendant “exceeded authorized access” when he used his valid login credentials to access information on the police department network (which he was otherwise authorized to access) for an unauthorized purpose. Until now, the Circuit Courts have been split on this question, with the majority finding that using valid login credentials for an unauthorized purpose is not “exceeding authorized access.” Rather, the individual must “obtain information from particular areas of the computer—such as files, folders, or databases—to which their computer access does not extend” in order to face liability under this section of the CFAA. A minority of Circuits, however, have held that any time an individual uses his valid login credentials for an unauthorized purpose, that individual has “exceeded” authorized access and therefore violated § 1030(a)(2).
In a 6–3 decision, the Supreme Court sided with the majority of Circuits and found that Van Buren did not violate the CFAA when he used his valid access credentials “for an inappropriate reason.” The Court found that the “exceeds authorized access” portion of § 1030(a)(2) targets “so-called inside hackers—those who access a computer with permission, but then ‘exceed’ the parameters of authorized access by entering an area of the computer to which that authorization does not extend.” The majority found that the text of the CFAA was written to limit “exceeds authorized access” to situations where the individual is authorized to access the computer, but bypasses some limit on his authorization within the computer (such as encryption, password protection or a firewall).
Applying Van Buren to the Employment World
Even though Van Buren dealt with criminal liability under the CFAA, the Court’s interpretation of “exceeds authorized access” has far-reaching consequences for civil liability under the CFAA—especially in the employment law context, where CFAA issues often arise. As an example, imagine the following scenario:
Fred and Steve both work as salespersons at Megacorp. Due to conflicts with their boss, Bill, Steve leaves Megacorp to start his own company. Fred, meanwhile, remains in his job. A few months later, Steve calls Fred and offers him a job with the new company, but requests that Fred send him Megacorp’s client lists before Fred resigns. Megacorp’s Computer Access Policy forbids using company computers for competitive purposes. Nevertheless, Fred logs in to his work computer using his valid login credentials, downloads Megacorp’s client lists (which he is normally authorized to access) and sends them to Steve. One month later, Fred resigns from Megacorp to work for Steve. Upon investigation, Megacorp discovers Fred’s actions and brings legal action against him.
Prior to Van Buren, Megacorp would have been able to bring a civil CFAA claim against Fred in certain (but not most) federal courts, arguing that Fred’s use of his computer to download the client lists and send them to Steve for competitive purposes in violation of the Company’s Computer Access Policy was “unauthorized,” and therefore Fred “exceeded authorized access” when he sent the client lists. After Van Buren, however, Fred’s use of his work computer to access files he is normally authorized to access does not violate the CFAA, even if it violated the Computer Access Policy and was for an improper purpose, because he did not access part of the computer or network that he was not otherwise authorized to access.
Now imagine that when Fred was searching Megacorp’s network for the client lists, he finds a document called “Bill’s Best Leads”—but it is password protected. Late one night, Fred sneaks in to Bill’s office and finds a Post-it that contains the password for the document. Fred returns to his work computer, puts in the password for the document, accesses it and sends it to Steve.
In this scenario, Megacorp could bring a valid civil CFAA claim against Fred under Van Buren. Even though Fred accessed his computer with valid credentials, he “exceeded authorized access” by “entering an area of the computer to which that authorization does not extend”—the password-protected document on the network. Van Buren limits civil liability under the “exceeding authorized access” clause of § 1030(a)(2) to these types of scenarios.
What Does Van Buren Mean for Employers?
In certain respects, Van Buren does not change the landscape as a practical matter, as even in the first hypothetical scenario described above, Megacorp would have claims against both Fred and Steve, and potentially Steve’s company. However, the CFAA, with its enhanced penalties and access to federal court, has been an additional tool for employers, and the Van Buren decision makes that tool unavailable in common employee misconduct scenarios.
Van Buren is also a good reminder of what we already know. That is, instead of access policies, digital access controls are much more important to controlling and limiting employees’ access to, and ultimately controlling the improper disclosure and use of, sensitive information. The enhanced use of such controls will not only better protect sensitive information, but also provide employers with a better potential for relief under the CFAA.
In this regard, employers should consider working with their IT departments to segment their networks to ensure that sensitive documents are only accessible to those employees with the authorization to view them. Employers should also ensure that network access login credentials are revoked—and work computers and other devices are collected—as soon as possible after an employee’s termination.