June 3, 2021
Decided June 3, 2021
Van Buren v. United States, No. 19-783
Today, the Supreme Court held 6-3 that the Computer Fraud and Abuse Act does not cover obtaining information for an improper purpose if the user is otherwise authorized to access that information.
The Computer Fraud and Abuse Act of 1986 (CFAA) creates criminal and civil liability for “[w]hoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information.” 18 U.S.C. § 1030(a)(2). The phrase “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6).
Van Buren, a police officer, used his access to a law-enforcement database to run an unauthorized license-plate search in exchange for money, and was charged under the CFAA. The Eleventh Circuit, applying a broad view of the CFAA, held that Van Buren had exceeded his authorized access because he accessed the database for an improper purpose, in violation of his department’s policies.
The Supreme Court granted certiorari to resolve the split between the narrow approach of the Second, Fourth, and Ninth Circuits, which hold that a person “exceeds authorized access” only if he accesses information on a computer that he is prohibited from accessing, and the broader approach of the First, Fifth, Seventh, and Eleventh Circuits, which hold that a person “exceeds authorized access” if he accesses otherwise available information for an unauthorized purpose.
Whether a person who is authorized to access information on a computer for certain purposes violates the CFAA if he accesses the same information for an unauthorized purpose.
No. The CFAA proscribes only obtaining information from computers, files, folders, or databases that a person is not authorized to access. It does not create liability for those who, like Van Buren, obtain information otherwise available to them for an unauthorized purpose.
The CFAA “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who . . . have improper motives for obtaining information that is otherwise available to them.”
Justice Barrett, writing for the Court
What It Means:
The Court’s opinion is available here.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Supreme Court. Please feel free to contact the following practice leaders:
Appellate and Constitutional Law Practice
|Allyson N. Ho
|Mark A. Perry
|Lucas C. Townsend
|Bradley J. Hamburger
Related Practice: Privacy, Cybersecurity and Data Innovation
|Alexander H. Southwell
|S. Ashlie Beringer
+33 (0)1 56 43 13 50
Related Practice: White Collar Defense and Investigations
|Joel M. Cohen
|Nicola T. Hanna
|F. Joseph Warin