This post was authored by Devin Chwastyk and Frank Lavery, II. Devin is the Chair of the Privacy & Data Security group at McNees. Frank is a Law Clerk with McNees. Frank is currently a student at the University of Notre Dame Law School and expects to earn his J.D. in May of 2022.
On June 3, 2021, the U.S. Supreme Court issued an important opinion in Van Buren v. United States, which provided important clarification of the scope of the Computer Fraud and Abuse Act (CFAA). The CFAA bars unauthorized access, or access that exceeds authorization, to any computer “used in or affecting interstate or foreign commerce or communication.” As the Supreme Court aptly explains, this extends protection—at a minimum—to all information from computers that connect to the internet. Thus, the implications of the CFAA are far reaching. The decision in Van Buren explored what constitutes “unauthorized access” and “access that exceeds authorization.”
Nathan Van Buren was a police sergeant who was provided access to a law enforcement database by the state of Georgia. Yet, he was only permitted to access the database for legitimate law enforcement purposes. Nonetheless, Van Buren searched that database for information about a woman with the intent to sell the results for $6,000 to a willing buyer. Unbeknownst to Van Buren, the buyer was a confidential FBI informant posing as a potential romantic partner of the woman. There was no dispute that Van Buren was prohibited by his Department’s policy from accessing the database for non-work-related purposes, and that he was provided appropriate training on the policy. Van Buren was arrested and criminally convicted under the CFAA.
Based on its precedent, the 11th Circuit affirmed the conviction, and the Supreme Court granted certiorari to resolve the stark split among the U.S. Courts of Appeal as to what constitutes “exceeding authorized use” under the CFAA. Van Buren argued that his conduct was not criminal, because he was authorized to access the law enforcement database. The government argued that his access exceeded his authorization because he was only allowed to access the database for work-related purposes.
The Supreme Court held that while Van Buren undeniably violated his department’s policy in his use of the law enforcement database for personal reasons, there was no ‘gate’ meant to keep Van Buren out of the database. He simply used his police credentials to access the system for a prohibited purpose. The Court explained that the CFAA is meant to keep out “outside hackers” through authorization, and “inside hackers” by restricting users from certain parts of a computer system. The Court went on to hold that “[i]n sum, an individual ‘exceeds authorized access’ when he [or she] accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him [or her].” Thus, the only relevant question was whether Van Buren could access the database, which both parties agreed he could. For that reason, Van Buren did not “exceed authorized access” to the law enforcement database as defined by the CFAA, even though he obtained information from the system for a prohibited purpose.
The holding in Van Buren has some very serious real-world implications for those who wish to protect their information from both outside and inside hackers. Designing access and restricting access are critical for a number of reasons, and a policy alone will not necessarily constitute adequate technical and procedural safeguards to cordon off data within that system. If your organization wants to properly restrict access to certain information, you must put in place “gates” to keep users out (including employees who are permitted limited access to the system). These technical IT infrastructure protections should be in addition to policies restricting access and training programs. Once these safeguards are in place, anyone that ‘hacks’ to gain access to the restricted information will have committed a criminal violation of the CFAA and could be liable to the organization or employer for civil damages.