Access Granted: The Supreme Court Removes Curb on Employee Access to Computerized Sensitive Data
The United States Supreme Court has narrowed the scope of the Computer Fraud and Abuse Act ("CFAA"). In Van Buren v. United States, the Court held that, so long as a person has authorization to access a computer, the CFAA does not prohibit misuse of the accessed information therein. Previously, courts had construed the CFAA to prohibit misuse of data that a person had validly accessed. Employers had used this construction against former employees who had helped themselves to the employers’ computerized trade secrets or other confidential information before resigning. With this construction invalidated, employers will have to look elsewhere to protect their information.
The CFAA prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access” and obtaining information thereby. 18 U.S.C. § 1030(a)(2). One “exceeds authorized access” by “access[ing] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). Because this prohibition covers any computer “used in or affecting interstate or foreign commerce or communication,” it now covers all information from all computers that connect to the internet. 18 U.S.C. §§ 1030(a)(2)(C), (e)(2)(B).
In the case before the Court, Georgia police sergeant Nathan Van Buren used his patrol-car computer to access a law enforcement database and retrieve information therein in exchange for $5,000. Charged with a CFAA violation, the sergeant argued that the CFAA’s “exceeds authorized access” clause applied only to those who obtain information to which their computer access does not extend rather than to those who misuse their authorized access. He argued that the word “so” in the phrase “entitled so to obtain” means “the same manner as has been stated.” Because the only manner of obtaining information already stated is via a computer that one is otherwise authorized to access, he argued that his misuse of validly accessed information did not “exceed authorized access” under the CFAA.
The Government countered that the word “so” refers to information that one was not allowed to obtain in the particular manner or circumstances in which he or she obtained it. Under the Government’s view, “an employee might lawfully pull information from Folder Y in the morning for a permissible purpose — say, to prepare for a business meeting — but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purposes — say, to help draft a resume to submit to a competitor employer.” Both the district court and the Eleventh Circuit accepted this argument and rejected Van Buren’s construction.
The Supreme Court reversed. In a 6-3 decision, the Court found Van Buren’s reading “more plausible.” The word “so,” the Court held, “refers to a stated, identifiable proposition from the preceding text.” In this way, the Court ruled, “Van Buren’s reading places the provisions parts into an harmonious whole.” Thus, if a person has authorization to access the computer system, the CFAA does not prohibit misappropriate or misuse of information within that system.
Before the Court’s ruling, governments and companies used the CFAA to go after individuals who misused data that they had the authority to access. In particular, employers often sued employees and former employees under the CFAA for taking trade secrets or other confidential information to give to a competitor or for their own personal use. Now, if the employee obtained the information through authorized use of the computer network — even if the access was for an unauthorized purpose — the CFAA offers no relief.
Instead, employers must look to other statutes. The Federal Defend Trade Secrets Act enables the owner of a misappropriated trade secret to sue for an injunction, seizure of the information, and damages (provided the employer can show a nexus between the data and interstate commerce). Similarly, the Uniform Trade Secrets Act, which nearly every state has adopted, allows owners of misappropriated trade secrets to sue for an injunction and damages.
An employment agreement might also offer relief. If the employment agreement has a confidentiality provision, the employer may be able to sue for breach of that provision. An employment agreement can also prohibit an employee from accessing company information for non-company or personal use. Depending on the employment agreement’s language, the employer may be able to get an injunction as a remedy for breach.
Of course, suing to protect stolen information is like chasing your horse after it has galloped through an open barn door. Better to segment your computer network in the first instance, so employees can only access the portion of the computer network they need for their job. Employers should also ensure that employees have access to necessary information for as long as they need it. (Such measures can also help against ransomware and other cyber attacks.) With appropriate privacy measures in place, a company can worry less about employees it cannot trust and focus on helping the employees it can.