So, Are the Gates Up or Down?: Liability under the Computer Fraud and Abuse Act in Van Buren v. United States and Your Business
Seeking to resolve a split among the Circuits “regarding the scope of liability under the [Computer Fraud and Abuse Act]’s ‘exceeds authorized access’ clause,” the Supreme Court granted certiorari to the appeal of Robert Van Buren, a former Georgia police sergeant whose criminal conviction for violating the act was upheld by the Eleventh Circuit in 2019.[1] Van Buren had developed a “friendly relationship” with Albo, a repeat offender he met while working as a police sergeant, and sought a “personal loan” from him. Unbeknownst to Van Buren, Albo recorded the request for money and informed authorities, and Van Buren subsequently became the target of an FBI sting operation.
As part of the sting, Albo offered Van Buren about $5,000 to look up the license plate of a woman he had met, to make sure she was not an undercover officer. Using the computer in his patrol car “to access the law enforcement database with his valid credentials,” Van Buren obtained the license plate information and informed Albo that he had the information.[2] The FBI arrested Van Buren, and he was charged with a felony violation of the “exceeds authorized access” clause of the Computer Fraud and Abuse Act of 1986, or CFAA, because his use of the law enforcement database was for an improper, non-law-enforcement purpose which he knew violated department policy.[3]
The provision of the CFAA at issue in this case subjects to criminal, and potential civil, liability one who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.”[4] The Supreme Court explained that this prohibition initially barred only access to “certain financial information” but has been broadened to include “at a minimum . . . all information from all computers that connect to the internet.”[5] The majority’s analysis of the interpretation of the applicable provision of the CFAA, in an opinion authored by Justice Barrett, turned on the interpretation of the statute’s text defining the phrase “exceeds authorized access” and how that phrase fit within the statutory structure.[6]
Say It Isn’t “So” . . . . It is
According to the CFAA, “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”[7] The parties were in agreement that Van Buren accessed his patrol car computer system with authorization, obtained information in that computer, and was generally entitled by virtue of his position to obtain license plate information, but disputed whether, within the circumstances at issue and the statutory definition, he was “entitled so to obtain” the particular license plate information which gave rise to his criminal conviction for violating the CFAA.[8]
The parties’ arguments centered on the meaning of the word “so” within the statutory definition. Van Buren argued that “‘so’ serves as a term of reference that recalls ‘the same manner as has been stated’ or ‘the way or manner described’” and reasoned that “[t]he disputed phrase . . . thus asks whether one has the right . . . to obtain the relevant information” by accessing a computer he is authorized to access.[9] Therefore, according to Van Buren’s logic,
if a person has access to information stored in a computer – e.g., in “Folder Y,” from which the person could permissibly pull information – then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.[10]
The Government countered that the word “so” within the definition gave the phrase “so to obtain” a broader meaning, encompassing “information one was not allowed to obtain in the particular manner or circumstances in which he obtained it,” taking into consideration “any ‘specifically and explicitly’ communicated limits on one’s right to access information.”[11] Therefore, according to the Government’s logic,
an employee might lawfully pull information from Folder Y in the morning for a permissible purpose – say, to prepare for a business meeting – but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purpose – say, to help draft a resume to submit to a competitor employer.[12]
The Court reasoned that under the Government’s interpretation “‘so’ captures any circumstance-based limit appearing anywhere – in the United States Code, a state statute, a private agreement, or anywhere else,” and that Van Buren’s interpretation of the effect of the word “so” within the statutory definition was more plausible and in agreement with both the ordinary usage of the word and the use of that word in many other federal statutes.[13] Agreeing with Van Buren’s argument, the Court stated that “[t]he phrase ‘is not entitled so to obtain’ is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.”[14] The Court explained that under the Government’s interpretation of the effect of “so” within the statutory definition, a person charged with violating the CFAA could
use their right to obtain information in nondigital form as a defense to CFAA liability. Consider, for example, a person who downloads restricted personnel files he is not entitled to obtain by using his computer. Such a person could argue that he was “entitled to obtain” the information if he had the right to access personnel files through another method (e.g., by requesting hard copies of the files from human resources). With “so,” the CFAA forecloses that theory of defense. The statute is concerned with what a person does on a computer; it does not excuse hacking into an electronic personnel file if the hacker could have walked down the hall to pick up a physical copy. This clarification is significant because it underscores that one kind of entitlement to information counts: the right to access the information by using a computer. That can expand liability . . . But it narrows liability too. Without the word “so,” the statute could be read to incorporate all kinds of limitations on one’s entitlement to information.[15]
The Court continued, noting that the phrase “so to obtain” in the definition modifies and narrows the scope of the word “entitled” within that definition, such that the only entitlement that matters for purposes of the CFAA is what information one was entitled to obtain via a computer one was authorized to access.[16] The Court then turned to the structure of the language within §1030(a)(2), stating that “[t]he interplay between the ‘without authorization’ and ‘exceeds authorized access’ clauses of subsection (a)(2) is particularly probative,” and that these phrases define two distinct ways a person could unlawfully obtain information – either by unauthorized access to a computer system or by accessing a computer with authorization but “then obtaining information he is ‘not entitled so to obtain.’”[17] Adopting Van Buren’s interpretation of the statutory language, which the Court stated resulted in a harmonious interpretation of the two parts of the statute, the Court explained:
Van Buren’s account of subsection (a)(2) makes sense of the statutory structure because it treats the “without authorization” and “exceeds authorized access” clauses consistently . . . . liability under both clauses stems from a gates-up-or-down inquiry – one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.[18]
In contrast, according to the Court,
the Government reads the “exceeds authorized access” clause to incorporate purpose-based limits contained in contracts and workplace policies. Yet the Government does not read such limits into the threshold question whether someone uses a computer “without authorization” – even though similar purpose restrictions, like a rule against personal use, often govern one’s right to access a computer in the first place.[19]
Further, the Court continued, Congress’s subsequent amendment of the original statutory language removed the reference to purpose which would have encompassed within the CFAA’s prohibitions one who accessed information using a computer for an unauthorized purpose.[20] The Court concluded “the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity” noting that by criminalizing
every violation of a computer-use policy, . . . millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.[21]
Purpose-based limits on accessing information, generally contained in employment policies and contractual agreements, “are often designed with an eye toward information misuse,” the Court explained, and “can be expressed as either access or use restrictions,” which can inject arbitrariness into what conduct may or may not be subject to criminal or civil liability under the CFAA.[22] “An interpretation that stakes so much on a fine distinction controlled by the drafting practices of private parties is hard to sell as the most plausible,” the Court stated. Holding that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him,” the Court reversed the Eleventh Circuit’s ruling and remanded the case.[23]
So . . . . What Does This Mean For Your Business?
Under the gates-up-or-gates-down threshold established by this opinion, the access to information that is relevant to the question of civil or criminal liability under the CFAA is defined by IT permissions. Specifically, the question is now: what files or folders within a computer system is an authorized user allowed to access, and did that user exceed that authorized access?
Because limitations on what parts of a computer system an employee is authorized to access that appear only in employment contracts or workplace policies are no longer relevant to determining a civil or criminal violation of the CFAA, businesses that have relied on those documents to protect against, and provide remedies for, harm done to their computer systems by insiders are now less protected from the costs of that harm should it occur. A business may still pursue a breach of contract claim against an inside actor who harms its computer system, but after this opinion recovery under the CFAA’s civil liability provision is no longer available if the only limits on an authorized user’s access are found in a contract or an employee handbook.
Businesses should enlist the help of their IT personnel to beef up, or create, a system for establishing file and folder permissions for all authorized users of their computer systems as part of their information governance program. If the business does not currently have an internal IT department, and has relied on contractors for such functions in the past, it may be time to create one. (For more on information governance, see my colleague Clara Skorstad’s discussion of the importance of businesses getting their electronic houses in order here.)
The system of file and folder permissions will vary for each business but should, at a minimum, include an effort to map where particular types of data are stored within the computer system, consideration of what files and folders include particularly sensitive information and should thus be accessible by very limited numbers of personnel, and which personnel need to access which types of data to effectively perform their job functions. Businesses should consider whether certain areas of the computer system should be accessible from personal devices under an existing Bring Your Own Device, or BYOD, policy. (See my colleague Russ Beets’ discussion of security challenges that can accompany BYOD policies here.)
If employees who usually have access to sensitive intellectual property files or folders, such as those related to defense work, are traveling overseas to a place that is perhaps unfriendly or has insecure networks, the IT department should temporarily restrict that access until they return, rather than relying on the individual employee’s compliance with a directive instructing them not to log into their work laptop or those sensitive areas of the computer system while they are away. Further, the system of file and folder permissions should be set up to respond quickly when a business receives notice that an employee plans to leave their position with the company. Permissions to files and folders not essential to performing the employee’s day-to-day tasks should be cut off from the day they give notice until their final day with the company, and their access to the system should be promptly shut down at the time of their termination or resignation.
Similar to the file and folder permissions system businesses will need to have in place to preserve potential remedies under the CFAA for damage to computer systems caused by personnel, companies should be mindful of permissions granted to vendors and other outside contractors to perform various services on or through use of their computer system. IT permissions for these vendors and contractors should limit access to only those areas of the computer system necessary to perform the work for which the access is granted, and, especially if access to the entire system is required, contractual agreements with those vendors and contractors should include robust provisions regarding remedies for any potential damage to the computer system or the files within it resulting from the contracted work. Like employees who are terminated or resign, the vendors’ and contractors’ access to the system should be promptly shut down as soon as their work is completed.
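The permission regime described in the preceding paragraphs can be modeled directly as a gates-up-or-down registry: every access decision is a yes or no on a specific folder, and purpose plays no part. The following Python sketch is an added example, not code from this article, the firm, or the Court; the folder paths, principals, sensitivity labels and dates are constructed. It maps folders to a sensitivity label, records per-user grants flagged as essential or not, supports a temporary restriction (the overseas-travel case), revokes non-essential grants on notice, closes every gate on offboarding, and gives vendors time-bound grants that expire when the engagement ends; the audit routine then surfaces stale or over-broad grants a governance review would want to see.

```python
# Added example: a toy "gates-up-or-down" permission registry. It is not the
# article's or any court's code; folder paths, principals and dates are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Grant:
    folder: str
    essential: bool = True          # needed for day-to-day duties?
    expires: Optional[date] = None  # time-bound grant (vendors, contractors)


@dataclass
class Principal:
    name: str
    grants: Dict[str, Grant] = field(default_factory=dict)
    suspended_until: Optional[date] = None  # temporary restriction, e.g. travel
    active: bool = True


class PermissionRegistry:
    """Folder-level access map: every decision is a yes/no on a specific area."""

    def __init__(self) -> None:
        self.folders: Dict[str, str] = {}          # folder -> sensitivity label
        self.principals: Dict[str, Principal] = {}

    def register_folder(self, path: str, sensitivity: str) -> None:
        self.folders[path] = sensitivity

    def add_principal(self, name: str) -> Principal:
        return self.principals.setdefault(name, Principal(name))

    def grant(self, name: str, folder: str, essential: bool = True,
              expires: Optional[date] = None) -> None:
        if folder not in self.folders:
            raise KeyError(f"unmapped folder: {folder}")  # map data before granting
        self.add_principal(name).grants[folder] = Grant(folder, essential, expires)

    def can_access(self, name: str, folder: str, today: date) -> bool:
        """The gate is down unless an active, unexpired, unsuspended grant exists."""
        p = self.principals.get(name)
        if p is None or not p.active:
            return False
        if p.suspended_until is not None and today <= p.suspended_until:
            return False
        g = p.grants.get(folder)
        if g is None:
            return False
        if g.expires is not None and today > g.expires:
            return False
        return True

    def restrict_until(self, name: str, until: date) -> None:
        """Temporarily close all gates for a principal (e.g. while traveling)."""
        self.add_principal(name).suspended_until = until

    def give_notice(self, name: str) -> List[str]:
        """Employee resigns: drop every grant not essential to daily duties."""
        p = self.principals[name]
        dropped = [f for f, g in p.grants.items() if not g.essential]
        for f in dropped:
            del p.grants[f]
        return dropped

    def offboard(self, name: str) -> None:
        """Final day (or vendor work complete): close every gate at once."""
        p = self.principals[name]
        p.active = False
        p.grants.clear()

    def audit(self, today: date) -> List[str]:
        """Findings a governance review would want: stale or over-broad grants."""
        findings = []
        for p in self.principals.values():
            for g in p.grants.values():
                if g.expires is not None and today > g.expires:
                    findings.append(f"{p.name}: expired grant still recorded for {g.folder}")
                if self.folders[g.folder] == "restricted" and not g.essential:
                    findings.append(f"{p.name}: non-essential grant to restricted {g.folder}")
        return findings


def build_sample_registry() -> PermissionRegistry:
    """Constructed sample: three folders, one employee, one engineer, one vendor."""
    r = PermissionRegistry()
    r.register_folder("/shared/sales/pipeline", "internal")
    r.register_folder("/shared/finance/reports", "internal")
    r.register_folder("/shared/defense/ip", "restricted")
    r.grant("alice", "/shared/sales/pipeline", essential=True)
    r.grant("alice", "/shared/finance/reports", essential=False)
    r.grant("bob", "/shared/defense/ip", essential=True)
    r.grant("acme-backup", "/shared/finance/reports", expires=date(2021, 6, 30))
    return r


if __name__ == "__main__":
    reg = build_sample_registry()
    today = date(2021, 6, 3)
    print(reg.can_access("alice", "/shared/sales/pipeline", today))   # gate up
    print(reg.can_access("alice", "/shared/defense/ip", today))       # gate down
    reg.restrict_until("bob", date(2021, 6, 10))                      # overseas trip
    print(reg.can_access("bob", "/shared/defense/ip", date(2021, 6, 5)))
    print(reg.give_notice("alice"))                                   # non-essential grants dropped
    print(reg.audit(date(2021, 7, 1)))                                # vendor grant left expired
```

The design choice worth noting is that `can_access` never asks why the user wants the folder; the only inputs are the principal, the folder and the date. That is the model the Court adopted, and it means a business that wants a remedy under the CFAA against an insider has to express its limits in this registry (or the real ACLs it stands in for), not in a handbook.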
A program of well-crafted, thorough, and specific file and folder permissions, as part of a larger information governance program, is generally a good practice for businesses to protect their data and their computer systems. After this decision, unless Congress decides to swiftly amend the CFAA to bring contractual limitations on computer system access within the definition of what actions “exceed authorized access,” businesses should be mindful that such a system is essential to preserving the remedies this act makes available to them.
DISCLAIMER: The information contained in this blog is not intended as legal advice or as an opinion on specific facts. For more information about these issues, please contact the author(s) of this blog or your existing LitSmart contact. The invitation to contact the author is not to be construed as a solicitation for legal work. Any new attorney/client relationship will be confirmed in writing.
[1] Van Buren v. United States, 593 U.S. ____, Slip Op. at 4 – 5 (June 3, 2021), available at https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf.
[2] Id. at 3.
[3] Id. at 4.
[4] 18 U.S.C. §1030(a)(2) and §1030(g).
[5] Van Buren v. United States, 593 U.S. ____, Slip Op. at 2 (citing 18 U.S.C. §1030(e)(2)(B) and §1030(a)(2)(C)).
[6] Id. at 5 – 16.
[7] 18 U.S.C. §1030(e)(6).
[8] Van Buren v. United States, 593 U.S. ____, Slip Op. at 5.
[9] Id. at 5 – 6.
[10] Id. at 6.
[11] Id.
[12] Id.
[13] Id. at 7.
[14] Id. at 8.
[15] Id. at 9.
[16] Id. at 10.
[17] Id. at 13.
[18] Id.
[19] Id. at 14.
[20] Id. at 17.
[21] Id. at 17 – 18.
[22] Id. at 20.
[23] Id.