The U.S. Supreme Court took much of the sting out of the 1986 U.S. Computer Fraud and Abuse Act (CFAA) by clearly ruling on what exceeds authorized access to proprietary computer systems. A divided court on June 3, 2021 ruled in favor of the defendant in Van Buren v. United States by ruling that accessing authorized areas of a proprietary computer system or database does not violate the CFAA.
The 11th Circuit previously upheld a lower federal court’s ruling of a CFAA violation against the defendant, who was a police sergeant at the time of the alleged crime. The defendant allegedly accepted $5,000 to obtain and share information on another person via a law enforcement database. The defendant had full access to the information due to their law enforcement duties as a sergeant.
The employer filed a CFAA complaint against the defendant and argued that they were not authorized to look up the information and share it. A lower court found the defendant guilty, and the 11th Circuit upheld the ruling upon appeal.
Organizations like the Electronic Frontier Foundation filed briefs supporting the U.S. Supreme Court accepting the case. The Electronic Frontier Foundation argued the CFAA is vague and overly broad, which enables abuse of the exceeds authorized access prohibition. It says virtually anyone who goes online could become a criminal by unknowingly violating terms of service for a website, database, or other informational sources.
The Supreme Court agreed to hear the case in order to clarify just what qualifies as exceeds authorized access. It clearly determined that authorized access generally refers to anything the authorized person could access any file or document for virtually any purpose. If the file, folder, database, or other information source is open and available to the worker, they are authorized to access it.
A worker or other person only can exceed authorized access by going where they are not supposed to go. Any file, document, database, or other information that is off-limits to the worker and cannot normally be accessed. Doing so would be a clear case of exceeding authorized access and would be a violation of the CFAA, the Court ruled.
CFAA violations could carry very severe financial penalties and imprisonment of up to five years for each count. Repeat violations are punishable by up to 10 years per violation, and extreme cases that might involve criminal computer system hacking and similar bad acts could be punished by up to life in prison. For help with complex litigation regarding CFAA violations, an individual should speak to a lawyer.
If you accessed information that is available to you through a normal part of your job and with full access privileges in place, the Supreme Court ruling says that is not a CFAA violation. You would have to access information that normally is off-limits to actually exceed the authorized limits of your informational access. If you are accused of a CFAA violation, a Philadelphia employment lawyer at Sidkoff, Pincus & Green P.C. can help devise the best possible defense. Contact us online or call us 215-574-0600 for an initial consultation. Located in Philadelphia, we serve clients throughout Pennsylvania and New Jersey.