On June 3, 2021, the U.S. Supreme Court issued its decision in Van Buren v. U.S., No. 19-783. The issue for the Court was relatively straight forward – did a police officer with authorized access to his department’s license-plate database exceed his authorized access when he was given money to run a license plate and shared the results with the person who bribed him? In answering this question, the Court grappled with the language of the Computer Fraud and Abuse Act of 1986 (“CFAA”), see 18 U.S.C. 1030. The police officer was convicted at trial of exceeding his authority based on the language in the CFAA, and the Supreme Court overturned the conviction based on that same language.
The key phrase is found at 18 U.S.C. 1030(a)(2): “… intentionally accesses a computer without authorization or exceeds authorized access, …” Former Georgia police sergeant Van Buren used the computer in his patrol car to access a license plate database to which he had access, but did so with bad intent. The Supreme Court took the case in order to reconcile a split between the appellate circuits and said, since he had authority to access to the database via the computer on which he performed his search, he did not exceed his authorized access, even despite his illicit motive. In reaching its decision, the Court noted more than once, this case turned on the intent of the actor and is quite different from the situation where someone has access to only certain information (Database A) but then finds a way to overcome those limitations and accesses unauthorized information (Database B). The Court acknowledged that accessing Database B would be exceeding one’s authorized access. So, the use of the CFAA in convicting hackers is unchanged by this decision. However, the outcome raises potentially interesting challenges for employers.
First, does the company have a written policy which makes clear that all uses of company equipment are the property of the company? Second, does that policy make clear that personal use of company property is a violation of company policy and subjects one to consequences (and details those consequences)? The Van Buren case was a criminal case and the Court clearly did not want to be put in the position of declaring it to be a crime if, for example, an employee sent a personal email or accessed a website for personal reference while at work. The other challenge the Van Buren case presented was there was no damage to the Georgia State Police’s computer system. 18 U.S.C. 1030(a)(5) includes a provision which makes one liable for:
(A) knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer;
(B) intentionally access[ing] a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally access[ing] a protected computer without authorization, and as a result of such conduct, causes damage and loss.
Instead, Van Buren referenced and shared with a third party certain information contained in the database. He did lose his job, but his criminal conviction was overturned. The outcome leaves one to wonder how the results might have differed if Van Buren had instead sought to remove from or alter the information in the department’s database.
The other steps for employers to make sure are in place include insisting each person have their own access code (user name, password and two factor authentication code) and that information is made available (i.e., access is granted) only on a need to know basis. Employers should also consider whether their policies and/or employment contracts limit the scope of employees’ authorized computer access to information needed for business purposes. Furthermore, even if an employee’s misuse of an employer’s computer systems is no longer a criminal violation of the CFAA, employers may still have other remedies (such as a breach of contract claim) and such behavior may still run afoul of applicable data privacy law.
With the ever-expanding impact of ransomware, the Van Buren case is another reminder that good cybersecurity hygiene is critical to the ability of employer’s to protect their own computer systems and the data it contains.