The U.S. Supreme Court heard oral arguments Nov. 30 in a case involving whether a person who is authorized to access information on a computer for certain purposes violates the Computer Fraud and Abuse Act (CFAA) if that person accesses the same information for unauthorized reasons.
"This is a common concern in business settings, where employees have daily access to work computers and proprietary data," said Scott Wenner, an attorney with Schnader in New York City and San Francisco.
The case involved an Atlanta-area police officer who was caught in an FBI-run sting operation allegedly soliciting payment from a criminal in exchange for information maintained on a database available only to law enforcement. After texting his criminal contact that he had the promised information, the police officer was arrested and charged with violating the CFAA, as he purportedly accessed the restricted database for an unauthorized reason.
Split in the Appeals Courts
The 2nd, 4th and 9th U.S. Circuit Courts of Appeals criminalize only unauthorized access to company-owned computers by employees, regardless of the purpose of the use. The 1st, 5th, 7th and 11th Circuits have more broadly interpreted "exceeds authorized access" to include misuse of data, even if the offender gained access to the information permissibly.
A finding by the Supreme Court against the police officer would provide employers "with an added weapon in their arsenal to seek punishment for employees and former employees who disclose trade secrets and other confidential business information," Wenner said.
Employers can't sue criminally under the CFAA but can refer matters to federal authorities for criminal prosecution, noted Mark Srere, an attorney with Bryan Cave Leighton Paisner in Washington, D.C. Or, employers can sue civilly where damages are $5,000 or more.
Police Officer's Arguments
Arguing on behalf of the police officer, Jeffrey L. Fisher, an attorney at Stanford Law School in Stanford, Calif., said the CFAA is an anti-hacking statute.
A broad interpretation of the CFAA "would brand most Americans criminals on a daily basis," he said. "The scenarios are practically limitless, but a few examples will suffice."
Imagine, for example, an administrative assistant whose employee handbook says his or her e-mail or Zoom account may be used only for business purposes. If a broad interpretation of the CFAA is correct, any employee who used an employer's Zoom account over Thanksgiving to connect with distant relatives would be subject to the prosecutorial discretion of federal authorities, Fisher stated.
The CFAA should not be interpreted to be "a sweeping Internet police mandate," he said.
"You give a brief list—a parade of horribles," Justice Clarence Thomas said. "Can you give us some actual examples of that happening, someone violating this provision because of accessing Zoom or something like that, or Facebook?"
In the 9th Circuit, there was a case where somebody was prosecuted for misusing MySpace, Fisher said. There's also a case involving Ticketmaster that was mentioned in a brief. But, he added, "You can't construe a statute simply on the assumption the government will use it responsibly."
Justice Samuel Alito Jr. asked what a narrow interpretation of the CFAA would mean for personal privacy. "There are many government employees who are given access to all sorts of highly personal information for use in performing their jobs," Alito said. "But if they use that for personal purposes to make money, protect or carry out criminal activity, to harass people they don't like, they can do enormous damage.
"And the same thing for people who work for private entities," Alito continued. "Think of the person in the fraud detection section of a bank who has access to credit card numbers and uses that information to sell for a personal profit." Alito asked if none of this was contemplated by Congress when it enacted the CFAA.
"I do not think it was," Fisher responded. "What Congress was concerned about was computer hacking."
Justice Sonia Sotomayor asked whether the police officer might be prosecuted under other statutes, if not under the CFAA.
"My client in this case was prosecuted also under a separate count that's pending," Fisher answered.
"Why should we understand entitlement or authorization to be just an on/off switch and not to have a scope component?" Justice Amy Coney Barrett asked.
"The statute itself doesn't have a scope component," Fisher said.
"But doesn't the idea of entitlement or authorization itself have a scope component?" she asked.
Not necessarily, he answered.
[SHRM's small-business legal solution resource: SHRM LegalNetwork.]
Government's Position
Arguing for the government, Eric J. Feigin, deputy solicitor general at the Department of Justice in Washington, D.C., said that Fisher didn't spend much time on the text of the CFAA. "In the words of Section 1030 [of the CFAA], petitioner used his access—that is, the credentials entrusted to him as a police officer—to obtain database information that he was 'not entitled so to obtain' when he looked up a license plate in return for a bribe," Feigin said.
Fisher was relying on "a wild caricature of our position that tries to bury his own heartland statutory violations beneath an imaginary avalanche of hypothetical prosecutions that he can't actually identify in the real world for seemingly innocent cases."
Chief Justice John Roberts Jr. asked if everyone who violates a workplace computer use policy is violating the CFAA.
"Absolutely not," Feigin said, adding, "Services like Facebook and Hotmail that will give accounts to anybody who has a pulse—and even people who don't, because they don't really check—those aren't authorization-based systems."
"My problem is that you are giving definitions that narrow the statute that the statute doesn't have," Sotomayor said. "You're asking us to write definitions to narrow what is—could otherwise be viewed as—a very broad statute and dangerously vague."
But Feigin said, "The main danger that insiders present is the precise danger that this case exemplifies."
This case is Van Buren v. United States, No. 19-783.