Background of the Case
The case pending before the Supreme Court concerns a 2015 incident involving a Georgia police officer, Nathan Van Buren, who was authorized to search the police department’s license plate database for law-enforcement purposes.2 However, Van Buren used the database outside of his law enforcement duties for his own “private financial gain” by searching a license plate number in exchange for payment from an acquaintance who turned out to be an FBI informant.3 The government charged Van Buren in the District Court of Georgia for felony computer fraud under 18 U.S.C. § 1030(a)(2), which makes it a violation to “intentionally access a computer without authorization or exceed authorized access” to obtain information from a protected computer.4 Van Buren was ultimately convicted and sentenced to eighteen months in prison.5 On appeal, Van Buren argued that he could not have “exceeded authorized access” because he limited his access to databases for which he had authority to access as a police officer.6 Although noting that other circuits interpret § 1030(a)(2) differently, the Eleventh Circuit Court of Appeals upheld the conviction under Eleventh Circuit precedent, finding that the CFAA prohibited accessing a computer for improper purposes even if the defendant had authority to use the database for other permitted purposes.7
Circuit Split Regarding the CFAA
The CFAA was originally enacted in 1986 to address the increased risk of computer hacking by providing criminal penalties and civil remedies for intrusions into protected computer information.8 However, critics of the law argue that a broad reading of the “exceeds authorized access” provision allows the CFAA to be invoked against ordinary activities that would be commonly viewed as typical computer use, e.g., against individuals who check personal email or social media on their work computer, because such activities technically violate workplace policies or terms of service agreements.
The circuits remain split in determining when an individual “exceeds authorized access” to a computer subjecting the individual to criminal or civil liability under the statute. The First, Fifth, and Seventh Circuits follow the Eleventh Circuit’s approach, and find that an individual violates § 1030(a)(2) if the individual who is otherwise authorized to access a computer is obtaining that information for an improper purpose.9 The Second, Fourth, and Ninth Circuits adopt a narrower reading of the statute.10 For example, in United States v. Nosal, the Ninth Circuit expressed doubt the broad application of the CFAA by other circuits, especially when it is common for employees to occasionally use work computers for personal purposes.11 The Ninth Circuit Court of Appeals cautioned that such a broad interpretation would “transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved” and would invite “arbitrary and discriminatory enforcement” of rarely-enforced computer use policies against employees.12
Arguments Before the Supreme Court of the United States
The parties argued the case before the Supreme Court on November 30, 2020.13 Arguing on behalf of Van Buren, Jeffrey Fisher of Stanford Law School argued that the Eleventh Circuit’s broad interpretation “would brand most Americans criminals on a daily basis.”14 As an example, Fisher argued that an employee who uses log-in credentials for a work-provided Zoom account over the holidays to connect with distant relatives in violation of an employee handbook may be subject to prosecution under the CFAA.15 Deputy Solicitor General Eric Feigin, on behalf of the Department of Justice, argued that petitioner’s basis for the narrower interpretation relied upon “an imaginary avalanche of hypothetical prosecutions” that are not actually pursued in real world cases.16 However, Fisher responded that the Court should not “construe a statute simply on the assumption the government will use it responsibly.”17
Some of the justices appeared to express skepticism regarding whether Congress contemplated such a broad interpretation of the CFAA provision. For example, Justice Sotomayor noted that the government’s argument essentially asked the Court to “write definitions to narrow what could otherwise be viewed as a very broad statute, and dangerously vague.”18 On the other hand, Justice Alito questioned how a more narrow reading of the CFAA would serve privacy concerns, especially where certain government employees have access to various types of highly confidential personal information.19 Perhaps one of the more notable questions came from new Justice Amy Coney Barrett, who asked why the Court should view “authorization” as an “on/off switch” and not inherently dependent upon the purpose of the access.20 Fisher responded that the CFAA itself does not have a scope component, and in view of other statutes that do provide guidance regarding improper purposes, Congress did not intend to include any such scope or purpose-based restrictions here.21
Potential Implications of the Supreme Court’s Decision
In addition to the risk of over-penalizing individuals for innocuous computer activities, a broad reading of the CFAA may have a “chilling effect” on cybersecurity research, at least according to a coalition of computer security organizations that filed an amicus brief in support of Van Buren.22 If a broad interpretation is upheld by the Supreme Court, cybersecurity amici argue that good-faith security researchers who identify vulnerabilities for companies may be reluctant to identify threats without clear terms of service agreements in place.23 Their brief states that independent cybersecurity research is especially important in supporting the public interest, for example, in securing voting systems, medical fields, national infrastructure, and other essential sectors.24
Although the future of the CFAA may be uncertain, companies should continue to review their employee handbooks and other company policies to clearly define guidelines for general computer use. Companies should continue to monitor this case and any changes in the CFAA so that in the event of unauthorized intrusions into computer systems, they can determine whether the CFAA may provide a potential remedy.
1 18 U.S.C. § 1030.
2 United States v. Van Buren, 940 F.3d 1192, 1197-98 (11th Cir. 2019).
4 18 U.S.C. § 1030(a)(2).
5 United States v. Van Buren, 940 F.3d 1192, 1197-98 (11th Cir. 2019).
6 Id. at 1207.
7 Id. at 1208 (citing United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).
8 S. REP. 99-432, at 6 (1986), as reprinted in 1986 U.S.C.C.A.N. 2479, 2483.
9 See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).
10 See United States v. Valle, 807 F.3d 508 (2d Cir. 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc).
11 United States v. Nosal, 676 F.3d 854, 860 (9th Cir. 2012) (en banc).
13 Transcript of Oral Argument, Van Buren v. United States, No. 19-783 (argued November 30, 2020).
14 Id. at 4:14-20.
16 Id. at 36:14-20.
17 Id. at 9:19-23.
18 Id. at 48:18-23.
19 Id. at 14:9-15.
20 Id. at 32:7-10.
21 Id. at 32:11-33:18.
22 Brief for Electronic Frontier Foundation et al. as Amici Curiae Supporting Petitioner, Van Buren v. United States, No. 19-783 (filed July 8, 2020).
23 Id. at 27.
24 Id. at 36.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 725 lawyers practicing throughout a network of 13 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the technology, energy, and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.