The U.S. Supreme Court determined on Thursday that Nathan Van Buren's actions do not violate the government's interpretation of "exceeds authorized access" within the Computer Fraud and Abuse Act (CFAA).
Because Van Buren had the authority to access the license plate information he sought — despite doing it for a personal purpose — the CFAA does not apply, the justices held.
Ruling in Van Buren's favor insulates cybersecurity professionals reaching beyond their accessibility rights, while complicating legal enforcement pathways for companies wanting to protect their data from nefarious use.
Had SCOTUS sided with the government, the excessive authorization clause would "attach criminal penalties to a breathtaking amount of commonplace computer activity," said Justice Amy Coney Barrett, who delivered the majority opinion. "On the government's reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA." Security experts were also concerned the case could implicate security researchers finding bugs for other companies.
The decision narrows the scope of the CFAA to only address individuals without any permission to access a computer system. "Previously, some circuits and district courts had held that defendants having improper motives for obtaining information on a computer system to which they were permitted access was sufficient for a CFAA claim," said Kayvan Ghaffari, counsel at Crowell & Moring.
Some companies may not see it as the win that the tech or security industry does, he said.
The CFAA's history is directly tied to unsolicited hacking, including computer intrusions, denial of service attacks, viruses and worms as variations of computer crimes. "The CFAA was passed as an anti-hacker statute," said Ghaffari. There was a rise in hacking in the 1980s, when the CFAA was passed, and "the Senate analogized hackers to trespassers."
The impact of the ruling is "relatively limited" for businesses, said Dawn Mertineit, partner at Seyfarth Shaw. The Defend Trade Secrets Act (DTSA) of 2016 "provided a federal cause of action for misappropriation, making it easier for employers to file suit in federal court for such conduct." Since then, "I've seen fewer and fewer CFAA claims," she said.
Businesses have a right to protect their data, even from employees with access privileges. Other laws, such as state privacy, misappropriation or contract laws, will cover the ambiguities left by the CFAA and the DTSA. For example, Van Buren was initially convicted of honest services wire fraud and computer fraud in 2017, though the ruling was overturned in the Eleventh Circuit.
The main concern for Mertineit is if the misuse of confidential information does not "rise to the level of a trade secret under the DTSA," limiting a company's ability to default to a law to protect its data from misguided employees.
Companies could insulate themselves from actions like Van Buren's by clarifying contractual language, including non-disclosure agreements, or by articulating the appropriate circumstances under which an employee has rights to certain files, folders, or databases on computer systems, said Ghaffari.
The case is a combination of HR and cybersecurity policies. "Had Van Buren instead used his access credentials to, for example, review his supervisor's personnel file, this access would presumably have been outside his authorization for access regardless of the purposes," said Michelle A. Schaap, team leader of the privacy & data security practice, with Chiesa Shahinian & Giantomasi PC. In this hypothetical case, Van Buren would have been acting in a manner unapproved by his employer.
Setting parameters around employees will take policy and technological changes. "Written access and use policies are great, but access controls are key," said Tim Butler, partner at Troutman Pepper.
Focus on the act, not intent
During oral arguments in November, the justices hinged the case on the word "so" in the context of accessing a computer "with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter," by the Department of Justice's definition.
"Without 'so,' the statute could be read to incorporate all kinds of limitations on one's entitlement to information," the Court said.
Barrett focused on "the act" of accessing information as opposed to how the individual uses it, according to Ghaffari. "The CFAA is not about misusing data," or the intent of the person accessing the information.
The purpose of the individual ultimately swayed the Court's decision. The majority pointed out a deleted CFAA precursor, which read, "having accessed a computer with authorization, uses the opportunity such access provides for purposes for which such authorization does not extend," said Schaap. The omission was intentional from Congress, the Supreme Court held.
"While I do not personally agree with the ruling, I find this omission the most compelling support for the majority's ruling," said Schaap.
The dissenting opinion also sided with Van Buren's interpretation of "so," yet was caught up on the word "entitled." The dissenting justices interpreted "entitled" as demanding a "'circumstance dependent' analysis of whether access was proper," the majority said. In other words, the dissent wished to include the circumstances or purpose of the computer access.
For Schaap, improving the CFAA requires an amendment or another law to address the dissent's concerns. "Remember, CFAA was written more than 30 years ago, which is eons ago in the technology space."