With cybercrimes in the news daily, the challenge is for the government to develop clear and specific laws about what types of actions are illegal. This is particularly true when an alleged perpetrator had legitimate access to the computer involved. Until the U.S. Supreme Court case of Van Buren v. U.S. in 2021, there was disagreement among federal courts as to when someone unlawfully exceeded their authorized access to a computer. While the decision clarified what actions may constitute a crime, many employers and employees still may not be taking the appropriate steps to protect themselves from being a victim or inadvertent perpetrator of a cybercrime.
Computer Fraud and Abuse Act (CFAA)
The CFAA was enacted in 1986 in response to the rise in hacking incidents and was intended to prohibit unlawful intrusions on computers. The statute imposes criminal liability for “intentionally access[ing] a computer without authorization or exceed[ing] authorized access.” Criminal penalties include fines or imprisonment. The law also allows someone harmed by the perpetrator’s unauthorized access to sue for damages or seek injunctive or equitable relief in court.
A key issue that arose in interpreting the law was how to deal with individuals who had authorized access to a computer but used it for an improper purpose. The term “exceeds authorized access” in the statute means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Some courts found the law only applied to individuals who accessed portions of a computer they weren’t entitled to access. Other courts held it also prohibited someone from misusing information they had a right to access even if their use of the computer was contrary to an employer’s policy.
This split among federal courts was addressed in Van Buren.
Van Buren v. U.S.
In Van Buren, the defendant, a police sergeant, ran a license plate search in the Georgia Crime Information Center (GCIC) computer database in exchange for money in violation of police department policy. He was convicted of violating the CFAA. He appealed, arguing that he had authorized access to the GCIC and that using the computer for an improper purpose was not a violation of the “exceeds authorized access” clause of the CFAA.
The Supreme Court agreed with the defendant, finding that the law was limited to violating access restrictions, not use restrictions. The Justices reasoned that creating criminal liability for “any unauthorized use of information obtained from a computer,” would be too broad and make criminals of large groups of people who wouldn’t suspect they were committing a federal crime. The Court was not persuaded by the fact that the defendant violated his employer’s policy.
Impact of Van Buren
The case makes clear the need to take additional steps to secure computers. Employment policies and confidentiality agreements are not sufficient to protect employers from employees violating use restrictions under the CFAA unless they restrict access to the computer or electronically stored information. Employers should have security controls to limit access to data and/or clearly delineate what computer systems and files each employee has access to in writing. Note that employers may have other recourse against employees besides the CFAA.
Employees should also be mindful of complying with their employer’s rules, particularly with respect to access, because violations can result in criminal liability.
If you are facing allegations of committing a cybercrime, contact us for a consultation.