Computer fraud and abuse act in civil litigation
On June 3, 2021, the United States Supreme Court (SCOTUS), by a vote of 6-3, ruled that the Computer Fraud and Abuse Act of 1986 (CFAA) applies to a person obtaining information from someone’s computer without the authority to access it, not to a person who has the authority but uses it for the wrong purpose.
In Van Buren v. United States, a police officer accessed the law enforcement database to run a license plate number in exchange for money and was convicted of violating the CFAA. He appealed his conviction all the way to the Supreme Court, and it was reversed.
Background
Nathan Van Buren was a police sergeant in Georgia who asked a private citizen, Andrew Albo, for a personal loan, despite knowing that Albo had been in trouble with the law. Albo recorded their conversation and gave the recording to the Sheriff’s department, alleging that Van Buren was trying to “shake him down” for money.
The recording was later passed on to the FBI which devised a plan for Albo to ask Van Buren to run a license plate number for $5,000.00. Van Buren agreed and ran the plate number using his patrol-car computer and his law enforcement credentials. Van Buren was charged with a felony.
At the trial, there was evidence that it was against police department policy to use the database for “an improper purpose.” Van Buren was convicted and sentenced to 18 months in prison. He appealed his conviction to the Eleventh Circuit, but they ruled against him.
The CFAA
It is a crime when a person “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains computer information. As with all laws, the language of the statute is key to determining a violation. Under the statute, there are two ways to unlawfully obtain information: (1) when an individual “accesses a computer without authorization,” and (2) when an individual “exceeds authorized access” by accessing a computer “with authorization” and then obtaining information he is “not entitled so to obtain.” It is this second avenue that is at issue in the Van Buren case.
What Does it Mean?
The Supreme Court opinion spends a great deal of time analyzing the language of the statute and the definitions of the various relevant terms. Both sides of the case agreed that Van Buren “access[ed] a computer with authorization” by accessing his patrol-car computer, using his valid credentials, to run the license plate records. They also agree that Van Buren “obtain[ed] . . . information in the computer” when he ran the plate. The only real question is whether he was “entitled so to obtain” the record. To put it another way, the question is whether Van Buren exceeded his authorized access regardless of the purpose for which he did so.
After a thorough analysis of the terminology, the Supreme Court determined that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” As a result, they held that Van Buren did not “excee[d] authorized access” to the database “even though he obtained information from the database for an improper purpose.”
Based on this holding, the Supreme Court reversed the Eleventh Circuit’s decision and returned the case for further proceedings.
Comments are closed.