Supreme Court Resolved CFAA Circuit Split!

As we discussed back in April, the split in the Circuits over the proper scope of the Computer Fraud and Abuse Act went up at the U.S. Supreme Court. Oral argument was on November 21, 2020 — and the decision is out today. Defendant/petitioner Van Buren wins.

Here is a summary of the background — straight from the Court:

Nathan Van Buren, a former police sergeant, ran a license-plate search in a law enforcement computer database in exchange for money. Van Buren’s conduct plainly flouted his department’s policy, which authorized him to obtain database information only for law enforcement purposes.

Of course, given that truth is often stranger than fiction, here are the details (as laid out by the Court):

This case stems from Van Buren’s time as a police sergeant in Georgia. In the course of his duties, Van Buren crossed paths with a man named Andrew Albo. The deputy chief of Van Buren’s department considered Albo to be “very volatile” and warned officers in the department to deal with him carefully. Notwithstanding that warning, Van Buren developed a friendly relationship with Albo. Or so Van Buren thought when he went to Albo to ask for a personal loan. Unbeknownst to Van Buren, Albo secretly recorded that request and took it to the local sheriff ’s office, where he complained that Van Buren had sought to “shake him down” for cash.

The taped conversation made its way to the Federal Bureau of Investigation (FBI), which devised an operation to see how far Van Buren would go for money. The steps were straightforward: Albo would ask Van Buren to search the state law enforcement computer database for a license plate purportedly belonging to a woman whom Albo had met at a local strip club. Albo, no stranger to legal troubles, would tell Van Buren that he wanted to ensure that the woman was not in fact an undercover officer. In return for the search, Albo would pay Van Buren around $5,000.

Things went according to plan. Van Buren used his patrol-car computer to access the law enforcement database with his valid credentials. He searched the database for the license plate that Albo had provided. After obtaining the FBI-created license-plate entry, Van Buren told Albo that he had information to share.

The Federal Government then charged Van Buren with a felony violation of the CFAA on the ground that running the license plate for Albo violated the “exceeds authorized access” clause of 18 U. S. C. §1030(a)(2).

Here’s the issue — straight from the Court:

We must decide whether Van Buren also violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

Here’s the answer — straight from the Court:

He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.

So, the Court took a narrow view on the scope of the CFAA, resolving key aspects of the circuit split, and eliminating the concern that every breach of fiduciary duties by an employee or violation by an employee of the terms of their employer’s computer use policy can be a criminal act.

 

*A huge thank you to Erika Hahn for checking for this decision nonstop and finding it before I did.