The Computer Fraud and Abuse Act deems certain uses of a computer to be unlawful (civilly and criminally).
But, the Act is not the picture of clarity.
The language that has created the most significant confusion is the prohibition on accessing a computer “without authorization or exceeding authorized access.”
The 9th circuit summarized the problem as follows:
Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website? This depends on how broadly we read the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.
U.S. v. Nosal, 676 F.3d 854, 856 (9th Cir. 2012) (en banc).
Over the years, a split in the circuits had developed concerning the meaning and scope of that language.
As framed by the Ninth Circuit (in an en banc opinion issued in 2012), the competing interpretations are as follows:
The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). This language can be read either of two ways: First, . . . it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed[ ] authorized access” if he looks at the customer lists. Second, . . . the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.
Nosal, 676 F.3d at 856-57.
The Second, Fourth, and Ninth Circuits have each adopted a version of the narrow approach, while the Fifth, Seventh, and Eleventh Circuits, arguably joined by the First Circuit, have all adopted broader interpretations.
Back in 2013, many of us had been hopeful that the Supreme Court would accept a certiorari petition from the Fourth Circuit’s decision in WEC Carolina Energy Solutions LLC v. Miller and resolve the split in the circuits. Unfortunately, the parties withdrew their petition, and the Supreme Court never resolved the split.
Similarly, from around 2013 to 2015, we were hopeful that some legislative efforts to clarify the language (primarily from Representative Zoe Lofgren) or a suggestion to modify the Act by the Obama Administration would revolve the split. None succeeded.
However, in 2016, the CFAA became significantly less critical following the enactment of the Defend Trade Secrets Act. The reason is that the DTSA created a federal private right of action for trade secret misappropriation, meaning that trade secret plaintiffs no longer needed to rely on the CFAA as a means to obtain federal court jurisdiction. Nevertheless, the CFAA remained (and remains) an important tool to combat conduct falling within the scope of the Act (as interpreted in the particular Circuit).
And now we may finally have a resolution in the Circuit split.
On April 20, 2020, the United State Supreme Court granted certiorari in Van Buren v. United States out of the 11th Circuit. The question presented is the following:
Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.
We will be monitoring the progress of the case and keep you posted.