How the Supreme Court's Decision in Van Buren Impacts Mobile Employees and Computer Data Theft in Florida.

Author: Kain, Robert

Computer data theft at the federal level is generally addressed under the Computer Fraud and Abuse Act, 18 U.S.C. §1030 (CFAA), although Florida's Computer Abuse and Data Recovery Act, F.S. §668.801 (CADRA), enables business owners to protect computer data in a similar manner to the CFAA. (1)

In June 2021, the U.S. Supreme Court in Van Buren v. U.S., 141 S. Ct. 1648 (2021), resolved a significant circuit court split regarding the scope of liability under the CFAA's "exceeds authorized access" clause. (2) The Court held that "[t]his [CFAA] provision covers those who obtain information from particular areas in the computer--such as files, folders or databases--to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them." (3) The result is that if an employee has password access to sensitive business information, makes a copy of that information while employed, and then later transfers that data to a competitor, this nefarious act does not trigger liability under the CFAA. This is a dramatic change in the scope and breadth of the CFAA. For decades, the 11th Circuit Court of Appeals took a broader view of the CFAA, and such behavior would have resulted in both civil and criminal liability.

The facts in Van Buren highlight the narrowed scope of the CFAA. In an FBI sting operation, police sergeant Van Buren used his valid law enforcement credentials to access Georgia's Crime Center database. He ran a license plate search at the request of an informant who offered to pay Van Buren to determine if a woman was an undercover officer. Van Buren was convicted based upon the informant's testimony, and the 11th Circuit upheld the conviction. (4)

Before the Supreme Court, the parties agreed that Van Buren 1) accessed a computer with authorization when he used his patrol-car computer and valid password credentials to log into the law enforcement database; and 2) "obtain[ed]...information in the computer" when he acquired the license-plate record for the FBI informant. (5) "The dispute [was] whether Van Buren was 'entitled so to obtain' the [computer data] record." (6)

The Supreme Court acknowledged a split in authority between circuits on the scope of liability under the CFAA's "exceeds authorized access" clause. "While several [c]ircuits see the clause [in] Van Buren's [narrower] way, the [11th] Circuit is among those that have taken a broader view." (7) The Second, Fourth, and Ninth (8) circuits had adopted a narrow reading of the CFAA. (9)

Ultimately, the Court adopted the narrower view, and held that "an individual 'exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer--such as files, folders, or databases--that are off limits to him." (10) Because both parties agreed Van Buren was authorized to access the data, he did not "exceed authorized access" to the database, "even though he obtained information from the database for an improper purpose." (11)

The majority in Van Buren criticized the dissent and the government's position that the broader application of the CFAA should be based upon circumstances surrounding the access to computer data. (12) The Court was concerned that the broader interpretation of the CFAA's "without authorized access" would...
