USSC to resolve Circuit split: Is a violation of your organization's computer use policy a federal crime under the Computer Fraud and Abuse Act?
Written by: Josh Roberts and Michael Decembrino with Holland and Knight LLP
Is the breach of your organization's computer use policy a federal crime? The United States Supreme Court is poised to answer that question when it decides Van Buren v. United States, a case scheduled for oral argument on November 30, 2020. In Van Buren, the nine justices will decide the meaning of a federal statutory term that could be interpreted to criminalize conduct that violates an organization's computer use policy.
Van Buren requires the Supreme Court to interpret what it means to "exceed authorized access" to a computer under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 ("CFAA"). Among other things, CFAA creates criminal and civil liability for any person who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer." The statute defines the term "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." Whether a citizen can be criminally convicted of a federal felony, or subject to a civil judgment, hinges on whether the phrase "exceeds authorized access" is interpreted broadly or narrowly—a question which has sharply divided the Circuit Courts of Appeal over the last decade. The broad interpretation adopted by the Eleventh Circuit, which is arguably consistent with the statute's text, has far-reaching implications by which obscure, private computer use policies determine whether a federal crime has been committed.
The Eleventh Circuit's broad interpretation.
In Van Buren, a case decided by the Eleventh Circuit, a Georgia police officer used the Georgia Crime Information Center ("GCIC") database to search for a woman's identity on behalf of a friend. The GCIC is an official government database maintained by the Georgia Bureau of Investigation and connected to the National Crime Information Center. Although Van Buren was authorized to use the GCIC for law-enforcement purposes, the government argued that he was not permitted to use the database to perform searches for his friend. Van Buren was tried and convicted of a felony under the CFAA on the basis that he "exceeded authorized access." On appeal to the Eleventh Circuit, Van Buren argued that obtaining information from a computer that one is authorized to access does not violate CFAA, even if the information was obtained for a nonbusiness or inappropriate reason. Bound by its decision in United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), the Eleventh Circuit affirmed Van Buren's conviction.
In Rodriguez, a Social Security Administration ("SSA") employee was convicted of seventeen misdemeanors under CFAA for accessing the personal records of private individuals for nonbusiness reasons—actions that were in direct violation of the SSA's computer use policy. Although he had the authority to access the computer and the information that it contained, Rodriguez gathered the information for an improper purpose. In affirming the conviction, the Eleventh Circuit held that "even a person with authority to access a computer can be guilty of computer fraud if that person subsequently misuses the computer," thus cementing within the Eleventh Circuit a broad interpretation of what it means to "exceed authorized access."
Put simply, here in the Eleventh Circuit, one "exceeds authorized access" to a computer under CFAA when she obtains or alters information in violation of her organization's rules, restrictions, or policies governing use of the computer and data. Van Buren was authorized to access the GCIC to run the plates of a car pulled over for a traffic stop, but when he entered the same GCIC database to do research on a person for purposes unrelated to his professional duties, he exceeded authorized access. Similarly, Rodriguez had authorization to access the SSA database, but only for purposes related to his official duties. Once he started looking people up for personal reasons, he too exceeded his authorized access.
Could filling out a March Madness bracket from work create criminal or civil liability? The Society of Human Resource Management predicted that more than two-thirds of workers fill out NCAA brackets. While the actions in Rodriguez and Van Buren are a far cry from filling out a March Madness bracket, they illustrate the serious ramifications for criminal and civil liability under CFAA should the Supreme Court implement a broad interpretation of what it means to "exceed authorized access." Whenever a computer user visits a website, the user's computer automatically obtains information from that website by downloading digital content and other data from the host server to the company's computer system even if the user doesn't click the mouse a single time. If the organization's computer use policy prohibits content retrieval from any website outside of an "approved" list, or for non-business purposes, the user will almost always be in violation of CFAA if courts employ a broad interpretation. So, if you are permitted to log into your computer to conduct legal research, but you visit ESPN.com to check sports scores and fill out a fantasy football lineup in violation of your organization's computer use policy, you may have committed a federal crime under this broad interpretation. You may even be "exceeding authorized access" of your organization's computer infrastructure by reading this article right now. But you are likely the company's attorneys, so you would know it if you were. Right? But what about your employees who innocently detour from their assigned responsibilities for a few minutes during the work day?
The Eleventh Circuit is not alone in its broad interpretation of CFAA. It is joined by the First Circuit in EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (2001), the Fifth Circuit in United States v. John, 597 F.3d 263 (2010), and the Seventh Circuit in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (2006). These circuits subscribe to the view that this is a plainly written statute under which an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has "exceed[ed] authorized access." In other words, under the broad interpretation of "exceeding authorized access," one's authority to obtain information can be conditional, based upon the reason or purposes for which the person is accessing the information and how the information is eventually used.
Royal Truck: The current trend toward a narrow interpretation.
On the other side of the circuit split, representing the more current trend, are judges who contend that the statute indicates a much more restrictive meaning: that "one who is authorized to access a computer does not exceed her authorized access by violating an employer's restrictions on the use of information once it is validly accessed." In other words, these circuits interpret the phrase as an all-or-nothing proposition where, if one has authorization to access a computer or file for any reason, her use of the information that she obtains from that computer or file is irrelevant.
Most recently, in Royal Truck & Trailer Sales & Service, Inc. v. Kraft, 974 F.3d 756 (6th Cir. 2020), petition for cert. filed, ---- U.S.L.W. --- (U.S. Oct. 30, 2020) (20-575), the Sixth Circuit adopted a narrow interpretation of the phrase, relying on the statute's text alone. In doing so, it joined the Second Circuit in United States v. Valle, 807 F.3d 508 (2015), the Fourth Circuit in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (2012), and the Ninth Circuit in United States v. Nosal, 676 F.3d 854 (2012). In Royal Truck, two employees sent confidential sales information from their work email accounts to their personal accounts and then deleted and reinstalled their computer applications to cover their tracks before leaving the company. The court held that although the defendants misused information in violation of the company's policy, they did not "exceed their authorized access" because they had authorization to access the information in the first place. The court reasoned that a CFAA inquiry ends once it has been determined whether the defendant had authorization to access the information. If he had authorization, then there is no CFAA liability, even if the defendant eventually misuses the information that he accessed.
As the Valle court stated, if this sharp division among the circuits' interpretation of "exceeds authorized access" means anything, "it is that the statute is readily susceptible to different interpretations" among the courts. And the courts certainly have had a lot to say about what it means to "exceed authorized access." But what did Congress have in mind when it wrote the phrase in the first place? Congress enacted the predecessor to CFAA in 1984 to address "computer crime," which was then principally understood as "hacking" or trespassing into computer systems or data. To put the timing of this law in context, CFAA was originally enacted in 1984. At that time, a standard protocol for the internet had yet to be established, and Apple had just introduced its Macintosh computer, which was the first mouse-driven computer with a graphical user interface.
The House Committee Report to the original bill (i) warned of "'hackers' who have been able to access (trespass into) both private and public computer systems," (ii) noted the "recent flurry of electronic trespassing incidents," (iii) described one instance of "computer crime" in which an individual "stole confidential software by tapping into the computer system of a previous employer from [the] defendant's remote terminal," and (iv) advised that "section 1030 deals with an 'unauthorized access' concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of 'breaking and entering' . . . ."
The Senate Committee Report had similar findings. There, the Senate: (i) described "exceeds authorized access" in terms of trespassing into computer systems or files, (ii) clarified that it did not want to hold liable those "who inadvertently 'stumble into' someone else's computer file or computer data . . . in those cases where an individual is authorized to sign onto and use a particular computer, but subsequently exceeds his authorized access by mistakenly entering another computer or data file that happens to be accessible from the same terminal," and (iii) explained that the premise of § 1030(a)(2) is privacy protection, and physical removal of the data from its original location need not be proved to establish a violation of the subsection.
In short, the legislative history indicates that the computer crime Congress sought to address was one of criminal trespass into a company's systems or data. Throughout the Senate and House Reports, reference is made to accessing computer terminals that one is not permitted to access. This tips in favor of the narrow interpretation, focused on the right of access to the computer or data in the first place, and punishing any unauthorized access akin to the crimes of trespassing, or breaking and entering. In light of the legislative history, one wonders whether Congress would have approved of the broad interpretation that some circuits give to the statutory language. Although legislative history does not definitively resolve the issue, especially for a Court in which the majority is guided by a textualist philosophy, it is no doubt a factor that the justices will consider when deciding Van Buren.
A broad interpretation goes too far.
The hand-wringing over the interpretation of "exceeds authorized access" is due in large part to the unfortunate ramifications of a broad interpretation of the phrase. It is reasonable to believe that entitlement to obtain or alter information can be conditional on one's purpose for obtaining or altering the information, and that one exceeds authorized access when they obtain or alter the information for an unpermitted purpose. However, when applied in the real world, the broad interpretation often goes too far, creating problems with vagueness and notice, which in turn allows federal criminal and civil liability to stem from the fine print in private corporate policies that are subject to change without notice.
These fairness concerns played a prominent role in the Nosal, WEC, and Valle decisions, in which the courts found that a broad interpretation "would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute" and "would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer." Worried about "the effect on millions of ordinary citizens," those courts were "unwilling to contravene Congress's intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy." The Nosal court was even concerned that such an interpretation would "make criminals of large groups of people who would have little reason to suspect they are committing a federal crime." For example, you send commands to other computers at remote locations whenever you do even the most routine things online. As the Nosal court pointed out, access to those computers is often governed by private policies. The court provided examples accurate at that time, such as Google's prohibition on minors using its services, Facebook's policies prohibiting anyone other than the account owner from logging in to that account, and eBay's prohibition on posting items in the wrong category. Arguably, under a broad interpretation, inadvertently violating any one of those policies could subject one to criminal liability.
So what does all of this mean for an organization, its employees, and its computer use policy? The Nosal court hinted at this question when it asked readers to "[c]onsider the typical corporate policy that computers can be used only for business purposes. What exactly is a 'nonbusiness purpose'? If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii? And if minor personal uses are tolerated, how can an employee be on notice of what constitutes a violation sufficient to trigger criminal liability"? In 1984, Congress could not have imagined what nearly thirty-five years of technological advancements would bring. It is unlikely that it anticipated that logging into a computer would put a seemingly infinite world of information at your fingertips.
As the Royal Truck court pointed out, a broad interpretation has "the odd effect of allowing employers, rather than Congress, to define the scope of criminal liability by operation of their employee computer-use policies." Is that a just result? If the Court applies a broad interpretation, your organization's computer use policy will take on a new significance nationwide in determining the potential criminal or civil liability of your employees' computer-based actions. It would also provide another arrow in your quiver for protecting your organization's trade secrets. On the other hand, a narrow interpretation would favor well-defined parameters completely restricting access to certain computers, files and information. If the Supreme Court adopts a broad interpretation, for the sake of your employees, make sure to exclude March Madness brackets from the list of unauthorized activities, lest you create potential federal criminals of the majority of your workforce.