A significant opinion concerning computer security was one of those the United States Supreme Court (“SCOTUS”) issued during its end-of-term flurry this year. Employers and others who permit computer access to sensitive information for business or other defined purposes may want to take note. Spoiler alert: the opinion undercuts use of the Computer Fraud and Abuse Act of 1986 (“CFAA”), 18 U.S.C. §1030 et seq., to obtain federal jurisdiction in employer-employee disputes. (As a practical matter, the Defend Trade Secrets Act of 2016 had already filled the gap for many circumstances).
As we reported here last December shortly after the oral argument, SCOTUS accepted certiorari for Van Buren v. United States, No. 19-783, a case from the Court of Appeals for the Eleventh Circuit requiring interpretation of a specific part of the CFAA, a federal anti-hacking statute which generally prohibits obtaining or altering computer information without authorization, or by exceeding authorized access. SCOTUS has now reversed the Eleventh Circuit judgment, holding that the CFAA “covers those who obtain information from particular areas in the computer – such as files, folders, or databases – to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.” Van Buren v. United States, 593 U.S. , [at 1] (2021).
In other words, SCOTUS settled upon the narrower of the proffered readings of the CFAA, such that a smaller sphere of behaviors will be found to violate the statute. The decision suggests that, in order to maintain the possibility of a CFAA action, which confers federal jurisdiction, as part of its available arsenal to protect confidential information, a wise employer will review its computer use policies with special attention to which computer databases, files, and folders employees and other users are entitled, or permitted, to access for any purpose.
The critical question before SCOTUS in Van Buren was how to interpret the phrase “exceeds authorized access” in the statute, which provides for criminal penalties…