In 2014, Agency Checklists advised its readers about the need for insurance agencies and insurers to protect their confidential information using the Computer Fraud and Abuse Act (“CFAA”), Title 18 U.S.C. § 1030(a)(4).
In that article, we opined that the CFAA might offer organizations legal remedies and rights beyond existing common law rights and remedies against employees and others who, with fraudulent intent, access confidential information held on business computers. See Agency Checklists’ article of March 30, 2014, “Why Every Business Needs An Enforceable Computer Access Policy.”
That prior article dealt with the broad scope of the CFAA, which carries both civil and criminal penalties for violations. Besides criminal sanctions, a company could file a civil suit under the CFAA in either state or federal court to recover both damages and injunctive relief.
To prevail under the CFAA, a victimized company had to allege that a person (most commonly a former employee):
- has accessed a protected computer;
- has done so without authorization or by exceeding such authorization as was granted;
- has done so knowingly and with intent to defraud; and
- as a result, has furthered the intended fraud and obtained anything of value.
For purposes of the CFAA, a “protected computer” is any computer “which is used in or affecting interstate or foreign commerce or communication.” Since federal courts hold that the Internet is a channel of interstate commerce, effectively any computing device, from a smartphone to a mainframe, is within the scope of the CFAA.
The only caveat is that the loss to the company must exceed $5,000. However, for calculating this threshold amount and damages, the CFAA states that “loss” includes “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
Some federal courts had interpreted the CFAA to punish employees who used computers in violation of an employer’s interests.
In that article, under the heading “Make sure you have in place confidentiality or user agreements for your firm’s computers,” we gave that advice because federal courts in Massachusetts broadly construed the CFAA to include violations of confidentiality agreements. We stated:
[T]he majority view applicable in the Massachusetts federal courts is that an employee’s computer authorization is terminated the moment that an employee acts contrary to his employer’s interest. Typically, in the employment context this occurs when employees breach their fiduciary duty to act in their employers’ interests by downloading and converting their present employers’ confidential information for their own benefit or the benefit of their next employer.
Based on these federal court rulings, we advised that:
Therefore, until either the Supreme Court changes the First Circuit’s decision or Congress amends the Act, all businesses should consider documenting their computer use and data confidentiality protocols. Documentation by way of a formal data or computer use policy or by way of signed confidentiality agreements will give companies the basis for using the Act to protect their proprietary and confidential business data.
This advice, while sound when given, no longer applies. The Supreme Court has ruled, and it has overturned the First Circuit Court of Appeals’ decision and watered down the effect of the CFAA.
Supreme Court limits the scope of the Computer Fraud and Abuse Act
Now, however, the United States Supreme Court, in a six to three decision, has removed from the reach of the Act violations of confidentiality agreements and other claims that an employee or otherwise authorized computer user “exceed[ed] authorized access” by acting contrary to a protocol, rule or contract. Now, to exceed authorized access, an individual must “access[] a computer with authorization but then obtain[] information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.”
Under the Supreme Court’s ruling, a person who takes information to which they have access and uses it for an improper purpose, in violation of the rules or policies of the company or entity, has not violated the CFAA.
The facts of the Van Buren case and the “exceeds authorized access” ruling
This Supreme Court decision arose from a case in which a Georgia police sergeant, Nathan Van Buren, came to the attention of the FBI as possibly being on the take.
The FBI arranged a sting operation offering Van Buren $5,000 to search a law enforcement database for information about a particular license plate to see if it belonged to an undercover police officer. Van Buren used his access codes to the database to search for information about the plate. When he gave the information about the plate to the person who had offered him the money, the FBI arrested him and charged him with violating the criminal provision of the CFAA.
He was charged with a felony violation of the CFAA, which subjected to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” The term “exceeds authorized access” is defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
A jury convicted Van Buren, and the federal judge presiding over his case sentenced him to 18 months in prison. Van Buren appealed to the federal circuit court of appeals for Georgia, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who, like him, misuse access that they otherwise have.
After the circuit court of appeals ruled against him, the Supreme Court granted certiorari to rule on the scope of the CFAA.
Supreme Court rules to limit the scope of the CFAA
A six-justice majority made up of three conservative justices and three liberal justices found that Van Buren had not violated the CFAA. They ruled that the interpretation used by most federal courts, including the federal courts in Massachusetts, was too broad and indefinite.
The majority noted that an interpretation of the CFAA that made violations dependent upon the internal policies of various companies, agencies, or entities was too broad. The majority gave this example:
Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.
The majority ruled:
In sum, an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him. The parties agree that Van Buren accessed the law enforcement database system with authorization. The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could. Van Buren accordingly did not “excee[d] authorized access” to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.
What does the Van Buren decision mean for protecting confidential information?
The CFAA is still in full force and effect. However, its scope is narrowed, and companies that wish to protect access to confidential information consistent with the Supreme Court’s interpretation of the CFAA should work on defining what information each person is permitted to access.
The one point that is presently clear is that persons who have access to a company’s computers and databases no longer can be sued or prosecuted under the CFAA if they misuse information to which the company has allowed them access. The fact that their misuse may violate company policies, rules, regulations, or their agreements with the company is no longer punishable criminally or civilly under the CFAA.
Only when such persons go beyond the access they were given, and access files, databases, or servers for which they have no permission, would the CFAA apply.
As a first step, companies should consider how they will document what computer files, databases, and computers each employee may access. This is not an easy task. According to a 2016 survey of 3,027 employees in the U.S., U.K., France, and Germany (1,371 end-users and 1,656 IT professionals), “fully 62 percent of end-users acknowledged that they have access to company data they probably shouldn’t be able to see.”
Owen Gallagher
Insurance Coverage Legal Expert/Co-Founder & Publisher of Agency Checklists
Over the course of my legal career, I have argued a number of cases in the Massachusetts Supreme Judicial Court as well as helped agents, insurance companies, and lawmakers alike with the complexities and idiosyncrasies of insurance law in the Commonwealth.