Understanding the Bounds of the Computer Fraud and Abuse Act in the Wake of Van Buren.

Author: Chase-Sosnoff, Emily

The Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the CFAA), imposes criminal and civil liability on individuals who access a computer without authorization or exceed authorized access. Until recently, there was a circuit split among the federal courts of appeal regarding the meaning of "exceeds authorized access" in the CFAA and whether an employee, with authorization to access information on a computer, violates the CFAA by using the information for an improper purpose. The U.S. Supreme Court resolved this circuit split in Van Buren v. U.S., 141 S. Ct. 1648 (2021), providing clarity to prosecutors, employers, and other organizations with sensitive data. This article provides historical background on the CFAA and an overview of the CFAA's legal framework. It then provides a detailed account of the circuit split, including a summary of key cases. Finally, this article explains the Supreme Court's ruling in Van Buren and the implications of this ruling for entities that want to protect their data from unauthorized use.

Historical Background

When computers and electronic databases began proliferating in American workplaces, concerns about hacking were not far behind. As the U.S. Supreme Court noted in Van Buren, Congress enacted the first computer crime statutes in the early 1980s "[a]fter a series of highly publicized hackings captured the public's attention" and highlighted the fact that "traditional theft and trespass statutes were ill suited to address cybercrimes that did not deprive computer owners of property in the traditional sense." (1) In response to these high-profile data breaches by outside hackers, Congress enacted the first federal computer crime statute as part of the Comprehensive Crime Control Act of 1984. (2) Two years later, in 1986, Congress passed the CFAA to impose criminal liability on anyone who obtains information from a computer by "intentionally access[ing] a computer without authorization or exceed[ing] authorized access." (3) In addition to criminal liability, the CFAA provides a civil cause of action, in certain circumstances. (4)

The U.S. Court of Appeals for the Ninth Circuit has noted that Congress enacted the CFAA "primarily to address the growing problem of computer hacking, recognizing that, '[i]n intentionally trespassing into someone else's computer files, the offender obtains at the very least information as to how to break into the computer system.'" (5) The House report on the CFAA analogized the conduct prohibited by the law to breaking and entering into a dwelling, and the legislative history makes clear that the CFAA was "designed to prevent unlawful intrusion into otherwise inaccessible computers." (6)

The CFAA originally prohibited accessing certain financial information from computers, but "has since expanded to cover any information from any computer 'used in or affecting interstate or foreign commerce or communication.'" (7) Accordingly, the statute "now applies--at a minimum--to all information from all computers that connect to the [i]nternet." (8)

Overview of the CFAA's Legal Framework

The CFAA broadly prohibits unauthorized access to nearly all computers connected to the internet. The law imposes both criminal and civil penalties on anyone who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains...information from any protected computer," or who conspires or attempts to do so. (9) The law broadly defines "computer" to include any electronic device "performing logical, arithmetic, or storage functions," excluding only typewriters, handheld calculators, and similarly simple devices. (10) In other words, a "computer" includes not just a desktop or laptop computer, but also a "smart-phone, iPad, Kindle, Nook, X-box, Blu-Ray player or any other [i]nternet-enabled device." (11)

The CFAA grants the Federal Bureau of Investigation (FBI) and the Secret Service authority to investigate offenses under the CFAA in accordance with an agreement entered into by the secretary of the treasury and the attorney general. (12)

The criminal penalties imposed by the CFAA for obtaining information from a protected computer without authorization or by exceeding authorized access are as follows: 1) a fine or imprisonment for not more than one year, or both, for a violation that does not occur after a conviction for another violation of the CFAA; (13) 2) a fine or imprisonment for not more than five years, or both, if "the offense was committed for purposes of commercial advantage or private financial gain," "the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any [s]tate," or "the value of the information exceeds $5,000"; (14) 3) a fine or imprisonment for not more than 10 years, or both, in the case of a violation that occurs after a conviction for another violation of the CFAA. (15)

In imposing a sentence, courts shall order that the perpetrator forfeits to the United States their "interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such violation," and "any property, real or personal, constituting or derived from, any proceeds that such person obtained, directly or indirectly, as a result of such violation." (16)

In addition to imposing criminal penalties, the CFAA provides a private, civil cause of action for persons or entities harmed by a perpetrator's unauthorized access. As a jurisdictional prerequisite to bringing such an action, a plaintiff must show one of the following four factors: 1) "loss to [one] or more persons during any 1-year period...aggregating at least $5,000 in value"; 2) "the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of [one] or more individuals"; 3) "physical injury to any person"; or 4) "a threat to public health or safety." (17)

The statute states, "Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive or equitable relief." (18) However, damages for a violation involving only the first factor (losses aggregating at least $5,000 in value) are limited to economic damages. (19) The statute of limitations for bringing a civil action is two years from the later of the date of the unauthorized access or the date of the discovery of the breach. (20)

The Circuit Split Over the Meaning of "Exceeds Authorized Access"

To successfully litigate a civil CFAA claim, a plaintiff must prove that the defendant "intentionally accesse[d] a computer without authorization or exceed[ed] authorized access, and thereby obtain[ed]... information from any protected computer." (21) The question of what it means to "exceed authorized access" has been the subject of much debate in recent years, as well as a split of authority between the courts of appeal. The CFAA defines the term "exceeds authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." (22)

Until recently, there was a circuit split among the federal courts of appeal over whether "exceeds authorized access" applies only to individuals who access portions of a computer or database that they are not permitted to access, or whether the phrase also applies to individuals who misuse information obtained from databases they are allowed to access.

In U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), the U.S. Court of Appeals for the Ninth Circuit acknowledged that the CFAA's definition of "exceeds authorized access" could be interpreted two different ways:

First...it could refer to someone who's authorized to access only certain data or files but accesses unauthorized data or files--what is colloquially known as "hacking." For example, assume an employee is permitted to access only product information on the company's computer but accesses customer data: He would "exceed authorized access" if he looks at the customer lists. Second...the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor. (23)

Until recently, the First, Fifth, and 11th circuits took the position that an individual violated the CFAA by using, for an improper purpose, data to which the individual had authorized access. On the other hand, the Second, Fourth, and Ninth...
