CFAA conviction requires some kind of a "hack," Supreme Court says

Mere "misuse" of information is not enough.

The U.S. Supreme Court decided yesterday that a criminal conviction under the Computer Fraud and Abuse Act cannot be based merely on misusing information obtained through a computer system. Instead, the defendant must have either had no legitimate access, or exceeded the legitimate access that he had.

The Court's decision could have implications in cases involving theft of an employer's trade secrets, or misuse of an employer's customer lists or other confidential and proprietary information. If the employee or former employee had access to the computer system from which the information was obtained, then there will be no violation of the CFAA, even if that information was later misused.

Of course, employers will still have remedies under applicable trade secret protection statutes and other causes of action, including breach of non-compete agreements. And misuse of an employer's confidential information remains a legitimate ground for termination of employment.

In Van Buren v. United States, a police sergeant in Cumming, Georgia, had been under investigation by the FBI. As part of his normal job responsibilities, he had access to a law enforcement database with license plate information. An FBI informant offered him money to access the database and find out whether a woman the informant supposedly knew was an undercover officer. The sergeant accepted payment, accessed the database, obtained the requested information, and told the informant he had it. (As you might have guessed, this was all a set-up.) Then the sergeant was arrested and ultimately convicted of violating the CFAA. 

The sergeant appealed to the U.S. Court of Appeals for the Eleventh Circuit, arguing, among other things, that the CFAA did not apply because he had legitimate access to the database. The Eleventh Circuit affirmed the CFAA conviction in 2019, finding that the sergeant's misuse of the information to which he had access violated the CFAA. The Supreme Court agreed to review the decision in April 2020.

Yesterday's majority opinion, written by Justice Amy Coney Barrett, and joined by a "bipartisan" group that included Justices Stephen Breyer, Neil Gorsuch, Elena Kagan, Brett Kavanaugh, and Sonia Sotomayor, parsed the language of the statute and determined that it applied only to individuals who lacked legitimate access to either the computer or system, or to a portion of the system, such as a secure file. The CFAA does not apply to individuals who have legitimate access but then use the data obtained for an improper purpose, according to the Court.

U.S. Courts of Appeal for the Second and Ninth Circuits had already issued decisions consistent with yesterday's Supreme Court decision.

Justice Clarence Thomas, joined by Chief Justice John Roberts and Justice Samuel Alito, dissented.

Don't go away! Ron Sarian, chair of our Digital Workplace & Data Privacy practice group, will have a more in-depth article about the Van Buren decision, and recommendations for employers seeking to protect their data and information.

Image Credit: Caricature of Justice Amy Coney Barrett from flickr, Creative Commons license, by DonkeyHotey. First image from Adobe Stock.

Robin Shea has 30 years' experience in employment litigation, including Title VII and the Age Discrimination in Employment Act, the Americans with Disabilities Act (including the Amendments Act). 
Continue Reading



Back to Page