On June 3, 2021, the U.S. Supreme Court issued its decision in Van Buren v. United States and narrowed the Computer Fraud and Abuse Act of 1986 (CFAA), which subjects to criminal liability anyone who "intentionally accesses a computer without authorization or exceeds authorized access." 18 U. S. C. section 1030(a)(2). In Van Buren, the Court interpreted the meaning of "exceeds authorized access" and held that "an individual 'exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him." Van Buren v. United States, No. 19-783, 2021 WL 2229206 (U.S. June 3, 2021).
Van Buren involved a former police sergeant who ran a license plate search in a law enforcement computer database in exchange for money. His department policy authorized him to obtain database information only for law enforcement purposes, which Van Buren clearly violated. At issue, however, was whether Van Buren also violated the CFAA when he ran the license plate search in violation of department policy. The Court held that he did not and reversed his conviction.
In reaching its conclusion, the Court explained it was undisputed that Van Buren accessed the law enforcement database system with authorization (i.e. he used his patrol-car computer and valid credentials to log into the law enforcement database). The only question was whether he could use the system to retrieve license plate information, which both sides agreed he could. Accordingly, the Court found that he "did not 'exceed authorized access' to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose."
The Court further explained that "the government's interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity." For instance, in the workplace, employers frequently state that computers and electronic devices can be used only for business purposes. Under the government's interpretation, "an employee who sends a personal email or reads the news using a work computer has violated the CFAA." Many websites also authorize a user's access only upon his or her agreement to follow specified terms of service. Under the government's interpretation, the CFAA would "criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook."
Therefore, under Van Buren, if a person has access to information stored in a computer, he or she does not violate the CFAA by obtaining such information, regardless of whether he or she pulled the information for a prohibited purpose. For any questions please contact Ashleigh Singleton or any member of Baker Donelson's Government Enforcement and Investigations Group.