On June 3, 2021, in Van Buren v. United States, No. 1-783, 2021 WL 2229206, the U.S. Supreme Court resolved a long-standing circuit split regarding the reach of the Computer Fraud and Abuse Act (“CFAA”). Among other things, the CFAA allows civil damages and criminal penalties against those who “intentionally accesses a computer without authorization or exceeds authorized access” and obtains information from any protected company. On occasion, employers have used the CFAA to pursue claims against employees who misappropriated their trade secrets or other confidential information from their computer systems or misused such information.
Prior to Van Buren, the federal circuits have disagreed on how to interpret the phrase “exceeds authorized access.” The First, Fifth, Seventh, and Eleventh Circuits had interpreted this phrase broadly, holding that an individual “exceeds authorized access” if he or she uses the information obtained for an improper purpose and/or against his employer’s policies, even if he or she was generally authorized to access such information. The Second, Fourth, Sixth, and Ninth Circuits had taken a narrower view. These Circuits held that, as long as an individual is authorized to access the information obtained, the individual’s later use of the information for an unauthorized purpose is not a violation of the CFAA.
In Van Buren, the U.S. Supreme Court sided with the Second, Fourth, Sixth, and Ninth Circuits, concluding that an individual “exceeds authorized access” under the CFAA only when he or she accesses a computer with authorization, but then obtains information located in particular areas of the computer that are off-limits to him or her. In other words, the CFAA does not cover individuals who may have had improper motives for obtaining information from a computer or who used that information for an unauthorized purpose, as long as these individuals were allowed to access such information.
The Court’s decision forecloses employers’ ability to bring CFAA claims against employees who misappropriated their confidential information from their computer systems or otherwise misused such information, assuming that these employees were authorized to access it. While there are certainly other claims that employers can assert against such employees, the Van Buren decision means that there may be one less claim in the employer’s toolbox.
©2022 Masuda, Funai, Eifert & Mitchell, Ltd. All rights reserved. This publication should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended solely for informational purposes and you should not act or rely upon information contained herein without consulting a lawyer for advice. This publication may constitute Advertising Material.