The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, creates criminal liability in a variety of circumstances, including when the government alleges that any person, including an individual, firm, or corporate entity, “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains”: (1) certain financial and consumer records; (2) “information from any department or agency of the United States”; or (3) “information from any protected computer.” Among other acts, the statute also criminalizes intentionally accessing federal government computers without authorization; fraud involving unauthorized access to protected computers; damaging protected computers; trafficking in passwords through which a computer may be accessed without authorization; and extortion involving protected computers. See id. at §§ 1030(a)(3)-1030(a)(7).
The statute defines “exceed[ing] authorized access” as accessing “a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. at § 1030(e)(6). The criminal penalties for a violation of the CFAA include potential fines and imprisonment. In certain cases, the statute also provides for civil enforcement by private parties to obtain compensatory damages and injunctive or other equitable relief. Id. at § 1030(g). “To state a [civil] claim under the CFAA, a plaintiff must allege (1) a defendant intentionally accessed a protected computer; (2) without authorization or exceeding authorized access; (3) the defendant thereby obtained information; and (4) the plaintiff suffered damage or loss of at least $5,000.00.” 777 Partners LLC v. Pagnanelli, No. 20-20172-CIV, 2021 WL 2038175, at *5 (S.D. Fla. Mar. 8, 2021).
Van Buren and the meaning of “exceeds authorized access”
Van Buren arose from an FBI fraud and bribery investigation targeting a police sergeant with the Cumming, Georgia police department. See United States v. Van Buren, 940 F.3d 1192, 1197 (11th Cir. 2019), cert. granted, 140 S. Ct. 2667, 206 L. Ed. 2d 822 (2020), and rev’d and remanded, 141 S. Ct. 1648 (2021). The evidence at trial showed that, in the course of his duties, the officer agreed to accept as much as $6,000 in exchange for running the purported license plate number of a vehicle in violation of police department policy. After the transaction, the FBI arrested the officer and the government charged him with honest-services wire fraud (bribery), in violation of 18 U.S.C. §§ 1343 and 1346, and a felony violation of the CFAA on the basis that he allegedly exceeded his authorized access to the license plate database. See id. After a trial, the jury convicted the officer and the District Court sentenced him to 18 months in prison. Van Buren v. United States, 141 S. Ct. 1648, 1653 (2021).
On appeal, the officer challenged United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), where the Eleventh Circuit “held that even a person with authority to access a computer can be guilty of computer fraud if that person subsequently misuses the computer.” Van Buren, 940 F.3d at 1207. Ultimately, the Eleventh Circuit rejected the defendant’s argument and upheld his CFAA conviction, reasoning that “under Rodriguez, there [was] no question that the record contained enough evidence for a jury to convict [him] of computer fraud,” and reaffirming that, in the 11th Circuit, misusing databases a “defendant lawfully can access” constitute[d] computer fraud. Id. at 1208.
Given that several Circuits disagreed with the Eleventh Circuit’s interpretation of the CFAA, the Supreme Court granted certiorari to resolve the split regarding the scope of liability under the “exceeds authorized access” clause. Concluding that the Van Buren defendant’s alleged conduct did not violate the CFAA, the Court reversed his conviction, overturning Rodriguez.
Effect on criminal and civil CFAA actions in the Eleventh Circuit
In reaching its holding in Van Buren, the Court addressed a number of policy concerns implicated by the government’s interpretation of the statute which, according to the Court, would attach criminal liability to common workplace activity. By limiting the scope of the “exceeds authorized access” clause, the Court removed the specter of criminal prosecution for an individual’s use of a computer, albeit a “protected computer,” for an “improper purpose,” where that individual is otherwise permitted to access the computer and the particular folders, files, or databases accessed.
This decision will affect civil cases, where CFAA litigation often arises between companies and their former executives or employees who are accused of stealing or diverting confidential information or trade secrets from a company computer. In 777 Partners LLC, for example, the plaintiffs alleged that the defendant, a former employee, violated the CFAA when he “used a company computer to access, copy, and email various company files to his father and others not affiliated with the company.” 2021 WL 2038175, at *2 (S.D. Florida March 8, 2021). The employer further alleged that the files “contained proprietary trade secret information.” Id. The former employee moved to dismiss the CFAA claim, arguing that plaintiffs could not “establish that [his] access was unauthorized or was exceeded,” contending that he “was given access to the computer and files at issue.” Id. at 5. Following Rodriguez, which was then binding, the district court found plaintiffs “ha[d] sufficiently alleged that [the defendant] was aware of the restrictions, and therefore, knew he was exceeding his authorized use of company computers when he accessed and distributed the confidential documents.” Id. As explained above, the Supreme Court’s ruling in Van Buren widens the potential defenses available to former employees facing a CFAA claim for allegedly violating a company computer-use policy.
Gunster 2021 Summer Associate Teresa Muñiz contributed to this Publication.