Supreme Court Limits Scope of Claims under the Computer Fraud and Abuse Act

On June 3, the U.S. Supreme Court adopted a narrow reading of the Computer Fraud and Abuse Act of 1986, limiting its criminal and civil application to circumstances where a person accesses data from a computer system, or portion of a computer system, to which the person has no authorized or permitted access rights. As a result of this ruling, employers can no longer rely on the CFAA as a basis for seeking recovery from a former employee who uses their permitted access to the employer’s computer system to misappropriate the employer’s proprietary information or otherwise use the employer’s data for improper purposes.

Prior to the Supreme Court’s ruling in Van Buren v. United States, No. 19-783 (June 3, 2021), the federal appellate courts were split in their application of the statute, disagreeing as to when an employee “exceeds authorized access” — some courts allowed an employer’s civil claims for damages under the CFAA when an employee used their legitimate access to the employer’s computer systems to steal trade secrets or access information for another improper purpose; other courts restricted the statute to situations where an employee wrongfully obtained information from a portion of the employer’s computer system to which the employee did not have authorized access.

In Van Buren, the criminal defendant, a former police officer, was charged under the CFAA for using his approved access to a police database to obtain information in exchange for a bribe. The Court reversed his conviction, holding the CFAA “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who . . . have improper motives for obtaining information that is otherwise available to them.” This holding applies equally to civil CFAA claims and prevents an employer from asserting a CFAA claim against a former employee who had technical access rights to information on the employer’s computer system and abused those rights by accessing the data for improper purposes.

In light of the Van Buren decision, employers should evaluate their technical access control and user access practices. Limiting employees’ access privileges to the information or portions of a computer system necessary for the employee’s job duties is considered a good information security control and is a practical way to protect confidential or sensitive information. Password-protecting specific materials can also be used to limit access to those employees with a business need to access the materials. Employers could also benefit from reviewing their employee confidentiality agreements and considering revisions to address the scope and extent of an employee’s authorization to access computer-based information. Going forward, technical access rights — not the terms of an employer’s computer system use policy — will likely be the measure of “authorization” for CFAA claims against a former employee.

Placing limits on electronic access to certain information has benefits, as well, for reasons separate from the CFAA. Those limits can be meaningful proof that an employer has taken reasonable measures to maintain the secrecy of that information — a prerequisite for invoking trade secret protection under state and federal law.

For assistance on protecting your company’s information or strategizing regarding your approach to access control, contact any member of Robinson Bradshaw’s Employment and Labor Practice Group.