willtHeSupreMeCourtliMittHereaCHoFtHeCFaa?
labor & employment law Section
Chairs:AmandaBiondolino-SassLawFirm&JasonPill-PhelpsDunbarLLP
Cybersecurityexperts
anxiouslyawaitananswer
tothequestionwhether
thehighcourtwilladopt
abroadornarrow
interpretationofthestatute.
For the past 34 years,
criminal prosecutors have
relied upon the Computer
Fraud and Abuse Act 1
(CFAA) as the principal federal law
aimed at hackers who break into
government or private computer
networks. However, due to its broad
language, the CFAA is also utilized
in civil contexts, particularly in
unfair competition matters when
employees misappropriate or
tamper with electronically-stored
confidential information as they
depart their employment to engage
in a competitive business.
Under the CFAA, access to
a computer is unauthorized if
one either lacks authorization
altogether, or if the access is
“in excess of the authorization.”
Even though the statute defines
the term “exceeds authorized
access” as “to access a computer
with authorization and to use
such access to obtain or alter
information in the computer that
the accesser is not entitled so to
obtain or alter,” 2 the interpretation
of this term has plagued the analysis
of the CFAA since its enactment.
This fall, the United States
Supreme Court will review the
Eleventh Circuit case Van Buren v.
United States. The Petitioner is a
former Georgia police officer who
was convicted of breaching the
CFAA for “exceeding his
authorized access” to a work
computer by using police systems
to improperly look up a woman’s
license plate number. 3 Van Buren
gives the high court an opportunity
to finally resolve the circuit split
regarding whether employees
should face criminal or civil
liability under the act for abusing
their authorizations to access an
employer’s computers. Cybersecurity
experts and attorneys alike anxiously
wait to see whether the high court
will adopt a broad or narrow
interpretation of the statute.
Under the Eleventh Circuit’s
broad view of the CFAA,
announced in United States v.
Rodriguez, 4 when an employee is
authorized to access or change
information on a company’s
computer, but accesses that
information in a way that violates
company policy, the employee has
exceeded his or her authorized
access. 5 Other circuit courts have
rejected this broad interpretation
on the grounds that it would turn
seemingly innocent activities such
as “[Google]-chatting with friends,
playing games, shopping or
watching sports highlights” on a
work computer — all routinely
prohibited by the internal
computer-use policies of many
employers — into federal crimes.” 6
Interestingly, in Van Buren, the
Eleventh Circuit acknowledged
other circuits’ rejections of its
broad interpretation set forth in
Rodriguez, but explained it must
stand by its holding because of
the prior-precedent rule — perhaps
subtly hinting that modification
of its precedent would not be
entirely unwelcome? 7
The Supreme Court is expected
to decide Van Buren v. United States
next year. n
1
18 U.S.C. § 1030.
2
18 U.S.C. § 1030(e)(6).
3
United States v. Van Buren, 940
F. 3d 1192, 1208 (11th Cir. 2019).
4
United States v. Rodriguez, 628 F. 3d
1258 (11th Cir. 2010).
5
Id., 628 F. 3d at 1263.
6
United States v. Nosal, 676 F. 3d
854, 860 (9th Cir. 2012); see also
United States v.
Valle, 807 F. 3d
508, 528 (2d
Cir. 2015).
7
Van Buren,
940 F. 3d at
1208.
Authors:
Maja A.
Hartzell and
Peter W. Zinober
- Ogletree,
Deakins, Nash,
Smoak &
Stuart, P.C.
4 4 S E P T - O C T 2 0 2 0 | H C B A L A W Y E R