Matt McDonald, a partner in Klehr Harrison’s labor & employment practice group, discussed the implication of this holding for employers. From a criminal law perspective, the Court’s opinion resolved an important circuit split, but it is also left open issues that will have an impact on federal criminal prosecutions in the coming years.
Under the CFAA, it is a violation to knowingly access a computer without authorization or to knowingly exceed authorized access to a computer. In Van Buren, the Court addressed the scope of what it means to “exceed authorized access.” Van Buren was a criminal prosecution involving a former police sergeant who obtained license plate information from his workplace database in exchange for a bribe. The federal prosecutors argued that he exceeded his authorized use under the CFAA because he used the database for personal use in violation of the department’s policy.
The Court disagreed with the government’s broad reading of the CFAA. The Court held that the phrase, “exceed authorized access,” prohibits individuals from accessing areas in the computer to which their authorized computer access does not extend, but it does not incorporate purpose-based restrictions contained in contracts and workplace policies. The sergeant did not exceed his authorized computer access under the CFAA because he was authorized to access license plate information in the database, notwithstanding the restrictions on the use of the information under his employer’s policies.
The government’s reading, the Court explained, would criminalize everything from sending personal emails on a work computer in violation of a computer-use policy to embellishing an online dating profile in violation of the website’s terms of service. Such an interpretation would criminalize “millions of otherwise law-abiding citizens.”
1. The definition of “authorized access” continues to hang in the balance.
While Van Buren resolved an oft-litigated issue under the CFAA, the Court expressly reserved the issue of whether the scope of an individual’s “authorized access” turns on technological limitations or limitations expressed in policies or contracts. From a criminal liability perspective, the Court’s aversion to basing liability on the “fine distinction controlled by the drafting practices of private parties” suggests that “authorization” likely turns on technological limitations, rather than on restrictions expressed in contracts and policies. Federal district and circuit courts will surely grapple with this issue moving forward.
In the meantime, individuals should continue to be mindful of computer-use policies and companies should revisit their computer-use policies and internal access to computers from a technological perspective.
2. The Van Buren opinion is a continuation of the Court’s precedent restraining federal prosecutors from using federal criminal statutes to prosecute commonplace behaviors.
The Van Buren opinion is reminiscent of Bridgegate – another relatively recent opinion that we discussed wherein the Court unanimously declined to adopt the government’s broad reading of wire fraud under 18 U.S.C. § 1343. Similar to the Bridgegate opinion, the Court in Van Buren rejected a reading of a criminal statute that would have “far-reaching consequences” and “inject arbitrariness into the assessment of criminal liability.” That the five newest members on the bench – Justices Barrett, Gorsuch, Kavanaugh, Sotomayor and Kagan – joined the majority opinion in Van Buren suggests that the Court will continue to curtail the government’s broad reading of criminal statutes for years to come.
3. The government will continue to use other federal criminal statutes to prosecute computer-related misconduct.
The CFAA is not the only federal criminal statute at the government’s disposal to prosecute individuals who misuse electronic information in violation of computer-use policies. For example, the sergeant in Van Buren was also convicted of honest-services wire fraud in violation of 18 U.S.C. § 1343 and § 1346 for defrauding the public by using the police database in exchange for a bribe. Depending on the factual circumstances of each case, the unauthorized use of a computer and information stored therein may lead to charges under other criminal statutes, including, for example, wire fraud (18 U.S.C. § 1343), theft of trade secrets (18 U.S.C. § 1832), economic espionage (18 U.S.C. § 1831) and extortion under the Hobbs Act (18 U.S.C. § 1951).
Author Meredith Lowry is an associate in the white-collar defense & government investigations practice group in the litigation department at Klehr Harrison.