Hackers, Cybersecurity, and The Computer Fraud & Abuse Act: An Employer’s Toolkit

Technology & Software

by | Jan 19, 2021

  1. What Is The Computer Fraud & Abuse Act?

In 1986, Congress created the Computer Fraud and Abuse Act (“CFAA”) to combat computer “hackers” by creating criminal penalties for individuals that “intentionally access a computer without authorization or exceed[] authorized access” to obtain information from a computer.[1]  The term “exceeds authorized access” is further defined as “access[ing] a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”[2]

Although the CFAA was created to combat computer hacking, federal circuit courts were quickly divided over what actions “exceed authorized access” of a computer for purposes of the CFAA.  Courts in the First, Fifth, Seventh, and Eleventh Circuits concluded that a person violates the CFAA anytime they use a computer, which they are authorized to access, but accesses such information with an improper purpose.[3]  For example, in EF Cultural Travel BV, the First Circuit concluded that an employee exceeded his authorized use when he collected data from his employer’s website and used it to aid a competitor.[4]  Later, in Int’l Airport Ctrs., L.L.C. v. Citrin, the Seventh Circuit concluded that an employee violated the CFAA by accessing data on her work computer that violated her employer’s policy.[5]  These Circuits have strictly construed the language of the CFAA to allow for prosecution of employees that violate their employer’s computer use restrictions.

By contrast, the Second, Fourth, and Ninth Circuits concluded that a person does not “exceed[] authorized access” when a person with permission to access information, does so for an improper purpose.[6]  The Ninth Circuit explained that allowing the CFAA to include a “use restriction” would reach activities, routinely prohibited by employers’ computer use-policies.[7]  This would “improperly turn millions of ordinary citizens” into criminals.[8]

The CFAA guides employers’ computer use policies, including acknowledgements when employees sign into their work computers, nondisclosure agreements, confidentiality agreements, and other written computer use policies.  As a result, the CFAA is frequently invoked in civil actions against employees and competitors, and it provides teeth to otherwise innocuous employer computer use policies.

  1. Van Buren v. United States: The Supreme Court’s Opportunity To Resolve The Circuit Split.

In April of 2020, the Supreme Court granted certiorari to hear Van Buren v. United States, a case appealed from the Eleventh Circuit.  Van Buren involved a police officer that was convicted under the CFAA for exceeding his authorized use to access police computer systems.  Van Buren (“Petitioner”), accessed license plate and vehicle identification information in exchange for personal financial gain.[9]  According to Petitioner’s Brief, he told an acquaintance, Andrew Albo, that he was having financial troubles.[10]  Albo allegedly recorded the conversation and provided it to the FBI, which then devised a sting operation “to test how far [Petitioner] was willing to go for money.”[11]  Through Albo, the FBI enticed Petitioner to run a law enforcement database search for a license plate number of a “dancer at a local strip club” in exchange for $6,000.[12]  Petitioner retrieved the information through the the police database and was subsequently arrested by the FBI.[13]  Petitioner was later convicted of violating the CFAA, and the Eleventh Circuit affirmed.

Pouncing on the opportunity to finally resolve the circuit split, Petitioner promptly filed a writ of certiorari requesting review from the Supreme Court.  He argued that the Court should adopt a similar interpretation of what “exceeds authorized use” under the CFAA as the Second, Fourth, and Ninth Circuits, asserting that a strict interpretation of the CFAA will encourage criminal prosecutions of any employee or student that violates a computer use policy.[14]

The government, on the other hand, argued that the CFAA is aimed at prosecuting “insider” conduct accessing computer information that the Petitioner was “not entitled so to obtain.”[15]  The government argued that use of the word “so” in the statute only allows individuals to do something “when [they have] been granted the right to do it in a particular manner or circumstance.”[16]

The Supreme Court heard oral arguments on November 30, 2020, which focused, in part, on the use of the word “so” in the CFAA.  Justices from both the liberal and conservative sides of the bench appeared unpersuaded by the arguments of the government, suggesting that an expansive view of the CFAA that allowed prosecution for any use that may exceed a policy could invite seemingly endless prosecution of minor computer use violations.  Other justices suggested that the government was inappropriately attempting to ascribe a particular meaning to a word that was not previously defined, creating more ambiguity in an already patently vague statute.  Although some justices were not persuaded that the Petitioner should not be prosecuted under the CFAA, others gave credence to the Petitioner’s suggestion that other state laws prosecuting trade secrets, misappropriation, cybersecurity violations, and other crimes were more appropriate penal codes for the type of crimes sought to be prosecuted under the CFAA. The Supreme Court has taken the matter under submission, and an opinion is expected in early 2021.

  1. Preventing Improper Use of Computer Access: An Employer’s Toolkit.

Van Buren’s situation likely happens more frequently than employers know – during a typical workday, an employee accesses information through work-issued computers or technology for personal use.  Surfing social media, online shopping, watching YouTube, or using a computer software program for personal use rather than for business – although typically frowned upon, these activities do not typically result in disciplinary measures or punishment.  However, whether the Supreme Court decides to take a narrow or expansive view of what constitutes “exceed[ing] authorized access,” employers should pay attention to the language contained in employment handbooks, confidentiality and nondisclosure agreements, and licenses with third-parties regarding computer use.

To prevent improper computer use, employers should implement a robust computer policy outlining misuse and misappropriation of the employer’s confidential and/or proprietary information.  Employee handbooks should include provisions regarding confidentiality, nondisclosure, and work product, which should be acknowledged in writing by employees.  Requiring employees to execute confidentiality and/or nondisclosure agreements may also curb potential improper distribution of an employer’s confidential and/or proprietary information.  For employment-issued computers, requiring the employee to agree to an acknowledgment before signing in and commencing work may provide a reminder to employees that the information being accessed is confidential.  In the unfortunate event that an employee violates any of these policies, the employer will have numerous avenues to pursue relief aside from the CFAA.

*              Marian Massey is an associate attorney at TALG.  Ms. Massey received her juris doctorate in 2017 from the University of San Diego, School of Law, and is admitted to practice in state and federal courts in Nevada.  Ms. Massey’s legal practice focuses on business litigation, employment law, corporate governance, and intellectual property.

[1] 18 U.S.C. § 1030(a)(2).

[2] 18 U.S.C. § 1030(e)(6).

[3] EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263, 272 (5th Cir. 2010), cert. denied, 568 U.S. 1163 (2013).

[4] 274 F.3d at 582-83.

[5] 440 F.3d at 420-21.

[6] United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc); WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 202 (4th Cir. 2012); United States v. Valle, 807 F.3d 508 (2d Cir. 2015).

[7] Nosal, 676 F.3d at 860-63.

[8] Id.

[9] Van Buren v. United States, Brief for Petitioner, Supreme Court, No. 19-783, filed July 1, 2020, available at: https://www.supremecourt.gov/DocketPDF/19/19-783/146727/20200701130402295_19-783BriefForPetitioner.pdf.

[10] Id. at 10.

[11] Id.

[12] Id. at 11.

[13] Id.

[14] Id. at 16-41.

[15] 18 U.S.C. § 1030(a)(2); Van Buren v. United States, Brief of Respondent, Supreme Court, No. 19-783, filed August 27, 2020, available at: https://www.supremecourt.gov/DocketPDF/19/19-783/151518/20200827161906264_19-783bsUnitedStates.pdf.

[16] Id. at 18.

Author

  • Ismail Amin

    Ismail’s legal experience encompasses serving Fortune 500 companies, mid-sized privately held companies, and entrepreneurs. He presently serves as Corporate and Litigation Counsel to large and mid-sized businesses throughout California, Nevada, Texas, North Carolina, and New York as well as General and Personal Counsel to high-profile hospitality operators in California and Nevada. Ismail’s practice emphasizes Business and Intellectual Property matters, with a focus on healthcare, biopharmaceuticals, biotechnology, and hospitality. Ismail has counseled the firm’s healthcare provider clients in acquiring or selling assets while maximizing return and minimizing risk. He has helped clients acquire or sell over $1 billion worth of healthcare-related assets, including hospitals.

    View all posts