Do employees who are authorized to access information on a work computer violate the Computer Fraud and Abuse Act (CFAA) if they use such information for unauthorized purposes?
In a 6-3 decision, the U.S. Supreme Court found that a person violates the CFAA when he or she accesses a computer with authorization but obtains information—such as files, folders or databases—located in areas of the computer that are off-limits to him or her.
However, the court said, the act does not cover people who misuse information that is otherwise available to them.
"This is a common concern in business settings, where employees have daily access to work computers and proprietary data," noted Scott Wenner, an attorney with Schnader in New York City and San Francisco.
Here's what employers need to know about the ruling.
When Is Authorized Access Exceeded?
The dispute in Van Buren v. United States focuses on how to interpret the CFAA, which generally targets computer hackers and makes it a crime to intentionally access a computer without authorization or to exceed authorized access.
In this case, a police officer allegedly accepted money from a criminal to log into a law-enforcement database and search for a license plate number. He used valid credentials to access information he was authorized to obtain, but he did so for non-law-enforcement purposes, which violated a department policy.
The question in the case was whether the officer's conduct "exceeds authorized access" under the CFAA. The term "exceeds authorized access" means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter," according to the statute.
The officer and the government agreed that the officer accessed the computer with authorization, but they disagreed on whether he was "entitled so to obtain" the information.
The Supreme Court found that, while the officer's conduct "plainly flouted his department's policy," it did not violate the CFAA. The act "does not cover those who … have improper motives for obtaining information that is otherwise available to them," the court said.
So what does the ruling mean for employers? Employers can't sue criminally under the CFAA but can refer matters to federal authorities for criminal prosecution, noted Mark Srere, an attorney with Bryan Cave Leighton Paisner in Washington, D.C. Or, employers can sue civilly where damages are $5,000 or more.
"Ultimately, employers will not be able to use the CFAA to gain a 'hook' into federal court where an employee or former employee misappropriates confidential information, if the employee had access to such information for proper business purposes," explained Dawn Mertineit, an attorney with Seyfarth Shaw in Boston. However, she said, "the impact of this decision is lessened by the fact that the Defend Trade Secrets Act (DTSA) of 2016 confers federal jurisdiction on trade-secret misappropriation claims."
For employers, the main concern is when an employee absconds with confidential information that does not meet the DTSA's definition of a "trade secret." In that case, she said, the employer will need to rely on any contractual provisions prohibiting disclosure or misuse of confidential information.
Workplace Implications
The Supreme Court cautioned that if the CFAA's "exceeds authorized access" clause criminalized every violation of an employer's computer-use policy, "then millions of otherwise law-abiding citizens" would be criminals, perhaps by checking sports scores or paying bills on a work computer.
"Employers commonly state that computers and electronic devices can be used only for business purposes," Justice Amy Coney Barrett wrote for the court. So "an employee who sends a personal e-mail or reads the news using her work computer" would violate the CFAA under the government's reading of the statute.
The court said that the only question in the case was whether the officer could use the department's system to retrieve license-plate data. "Both sides agree that he could," the court noted. Accordingly, the officer did not exceed authorized access to the database, even though he obtained the data for an improper purpose.
"This case is a good reminder that employers should make sure that they strictly limit their employees' computer access solely to the information that they need for business purposes," Mertineit said. Employers can still bring CFAA claims against employees who access information that they aren't authorized to access (which is known as internal hacking), but it will no longer be sufficient under the CFAA to say that employees lawfully accessed information and used it for an improper purpose, she explained.
Allen Smith, J.D., manager of workplace law content for SHRM, contributed to this article.
An organization run by AI is not a futuristic concept. Such technology is already a part of many workplaces and will continue to shape the labor market and HR. Here's how employers and employees can successfully manage generative AI and other AI-powered systems.