By Erik Halvorson and Thomas W. Shumate IV
Intro
In a pair of dueling opinions fit for a law school exam on statutory construction, members of the Supreme Court debated the meaning of the words “so” and “entitled” in a recent 6-3 decision, which resolved a circuit split concerning the scope of the Computer Fraud and Abuse Act (“CFAA”). In the majority opinion, authored by Justice Barrett, the Court held that an individual does not violate the CFAA when he misuses his access to a computer to obtain information for personal gain. The Court interpreted the statute narrowly and held that the CFAA only prohibits the unauthorized obtaining of protected information, not the authorized use of protected information. While this case concerned a (hopefully) not often repeated fact pattern, its interpretation of the CFAA has wide-reaching implications, particularly in the context of departing employee cases.
Background
What is the CFAA? In a nutshell, the CFAA is a federal law that prohibits an individual from accessing information on a computer “without authorization” or in a manner that “exceeds authorized access.” The law imposes criminal penalties and civil damages for violations.
The term “exceeds authorized access” has split lower courts for years. On one side, the First, Fifth, Seventh, and Eleventh Circuits had adopted a broad construction of the phrase. They held that the CFAA prohibits individuals from misappropriating information they otherwise were entitled to access. On the other, the Second, Fourth, and Ninth Circuits interpreted the statute more narrowly and held that the CFAA only prohibited the unauthorized access of information, not its inappropriate use.
Before the Supreme Court’s Van Buren decision, the split profoundly impacted trade secret and restrictive covenant litigation. Employers in the latter jurisdictions had to prove that employees obtained information from sources they were not authorized to access. In contrast, employers in the former jurisdictions had a much easier path, only needing to prove that employees misused information that they were otherwise authorized to access. As a result, the Court’s decision limits an approach some employers would otherwise use to take restrictive covenant and trade secret cases to federal court.
Van Buren Facts
This case arose from defendant Van Buren’s time as a police sergeant in Georgia. Following a questionable interaction with a shady character in the community, Van Buren came onto the FBI’s radar as a potentially corrupt officer. As a result, the FBI set up a sting operation whereby a person would offer officer Van Buren $5,000 to search the state law enforcement database for a license plate to ensure that the plate in question did not belong to an undercover police officer. Even though this use of the database was against department policy, Van Buren used his valid credentials and ran the plate through the database on his patrol-car computer. His actions resulted in a felony charge from the federal government for violation of the CFAA.
At trial, a jury convicted Van Buren, finding that his use of the database for a non-law-enforcement purpose violated the CFAA. The trial court subsequently sentenced him to 18 months in prison. On appeal, the Eleventh Circuit applied its broad construction of the CFAA and held that Van Buren’s misuse of the database exceeded his authorization and thus violated the CFAA. The Supreme Court granted certiorari and reversed the Eleventh Circuit, electing to adopt the narrower construction of “exceeds authorized access” utilized by the Second, Fourth, and Ninth Circuits.
Van Buren Reasoning
In her majority opinion, Justice Barrett focused on a “gates-up-or-down inquiry” in which a person only violates the CFAA if he obtains information from a location in a computer system he is not authorized to access. Accordingly, those like Van Buren who have access to information for another purpose, (i.e., for whom the gate is up), do not violate the CFAA when they use that information for an unauthorized purpose. Thus, the inquiry is now a binary one. Either a person is entitled to access information, or he is not, and his purpose for accessing the information is irrelevant to his liability under the CFAA.
Writing for the dissent, Justice Thomas took a broader approach, comparing those like Van Buren to a valet driver who takes a car for a joyride rather than parking it as expected. Under the dissent’s interpretation, a person “exceeds authorized access” when he oversteps the scope of his authorization to access the information, not only when he obtains information from a location in a computer he is not authorized to access. Ultimately, however, Justice Thomas’s context-oriented approach did not win the day. From now on, the liability inquiry under the CFAA is restricted to whether the person is permitted to access the information for any purpose. If he is permitted access, there is no liability under the CFAA, regardless of how he uses the information in the future.
What’s Next?
This decision will have a significant impact on litigation strategy for departing employee cases. In the past, employers could allege that an employee’s misuse of company data violated the CFAA and thus bring such cases in federal court. After this decision, however, that avenue is no longer available, at least in those cases like Van Buren where an employee is permitted to access information for some purposes but not others.
That said, misappropriation of data still violates a host of other laws, including the federal Defend Trade Secrets Act. This law could act as an alternative pathway to federal court in many situations. An employee’s misuse of company information can still serve as the basis for breach of contract claims, even if such action no longer constitutes a violation of the CFAA.
Because the inquiry under the CFAA now addresses what information employees may obtain, not how they may use the information, employers should think strategically about how employees may potentially misuse information before they are permitted access. Conversely, employees should remain aware of how their use of company information may coincide with their employment agreement or violate state or federal laws such as those involving the breach of their duty of loyalty to their employer or misappropriation of trade secrets, even if such use no longer violates the CFAA.