On June 3rd, 2021, the U.S. Supreme Court ruled on interpreting the Computer Fraud and Abuse Act (CFAA). Otherwise known as Van Buren v. United States, the court case addressed the improper use of computer-based information. Markedly, this ruling comes nearly a year after the Supreme Court ruled on Title VII provisions prohibiting LGBTQ discrimination.
Background of the Computer Fraud and Abuse Act and the Case
Generally, the CFAA prohibits two forms of “hacking”:
- Firstly, any “outside” hacking, achieved by “access[ing] a computer without authorization”; and
- Secondly, any “inside” hacking, where an individual “exceeds authorized access” by accessing a computer “with authorization.” Accordingly, the individual would then obtain any information they are “not entitled so to obtain.”
Given these points, the case involved a defendant who was a former police sergeant. As found during an FBI sting operation, the defendant used his credentials to obtain license information. In this case, the defendant provided the information to individuals in exchange for money. Authorities never disputed that the defendant accessed the computer “with authorization” when he acquired the license information. However, the issue hinged on whether the defendant was “not entitled to obtain” the information he accessed.
Previous Circuit Court Decisions
Before the Supreme Court heard the case, circuit courts had contradictory interpretations of the Computer Fraud and Abuse Act. The First, Fifth, Seventh, and Eleventh Circuits all adopted a broad construction of the CFAA. Basically, those courts allowed claims to go forward when an individual misused information they were otherwise permitted to access. The Second, Fourth, and Ninth Circuits, conversely, ruled to limit claims to situations where an individual accessed usually blocked information. Accordingly, any misuse of information that they had authorized access to could not constitute a violation. Thus, the Supreme Court agreed to hear the case to settle the split in the circuit courts.
Supreme Court Decision
Following arguments, the Supreme Court issued a 6-3 decision ruling against the United States. The ruling stated that an individual who uses an authorized computer to access permissible information does not violate the CFAA. Indeed, this includes situations when the individual uses the accessed data for a prohibited purpose. Should a person obtain information from an electronic source that they usually lack authorized access to, that would violate CFAA.
In conclusion, the Supreme Court decision places more responsibility on employers to protect crucial electronic information. For example, suppose employees have access to information and use that for personal gain. In that case, employers cannot sue under the CFAA. Employers can, however, claim violation of any contract that the employer might have created with workers involving digital-based information. Subsequently, employers should review policies to include safeguards to protect against actions like those in this case.
Personnel Concepts is expanding our delivery of employment law news into the audio space. Listen to the Labor Law Report, the podcast dedicated to timely HR and employment law news, powered by Personnel Concepts, your compliance partner! If you’re looking for the latest in labor law, we’ve got the report.
In the latest episode of the Labor Law Report, we start off with breaking news regarding the EEOC’s latest guidance on mandatory COVID-19 vaccinations for employees. Additionally, we discuss the Tip Regulations Final Rule Issued under the Fair Labor Standards Act, the recent guidance published by the IRS to address the new COBRA continuation coverage requirements, the Wage and Hour Division’s withdrawal of the Independent Contractor rule, and the updated CDC public health guidelines for vaccinated individuals. Don’t forget to stick around for our mandatory posting updates. Listen to the Labor Law Report below!