On Monday, the Supreme Court finally heard oral argument in Van Buren v. United States, a case that will determine once and for all the scope of the Computer Fraud and Abuse Act.
The CFAA: a tale of two interpretations
The CFAA was enacted nearly 40 years ago, primarily as an anti-hacking law. The statute prohibits individuals from obtaining information from protected computers without authorization or by “exceeding authorized access.” But a deep split in the Circuit Courts of Appeal developed early on over the meaning of “exceeds authorized access.” The law unhelpfully defines this term as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter” (emphasis added to highlight a key feature of the arguments before SCOTUS, discussed below). The First, Fifth, Seventh, and Eleventh Circuits have determined that a party “exceeds authorized access” and violates the CFAA when they use information to which they have may have legitimate access, but use it for an improper purpose. As an example germane to practitioners in the restrictive covenants and trade secrets space, an employee may have access to customer data for work purposes on behalf of their employer, but they are not entitled to use that data to assist a competitor. In the foregoing circuits, if the employee used such data to surreptitiously compete with their employer, that conduct would violate the CFAA (assuming of course that all elements were met). But in other circuits, such as the Second, Fourth, and Ninth, and in some district courts in the Third, Eight, and Tenth Circuits, such access would not be a CFAA violation, because the individual legitimately had access to the data, and in those circuits, whether the use was for a proper or improper purpose is irrelevant. This decades-long split has resulted in inconsistent application of the statute and arguably encourages forum shopping.
The Van Buren case, on appeal from the Eleventh Circuit, squarely addresses this split, albeit in the criminal context. Van Buren was convicted of violating the CFAA by “exceeding his authorized access” when he used his law enforcement database credentials to obtain information about an exotic dancer for personal reasons. Van Buren’s attorneys argued that he was entitled to access the police database, and that his use of that database—even for a purpose unrelated to his work as a police officer—thus did not exceed his authorized access such that he was guilty of violating the CFAA. The Eleventh Circuit upheld his conviction, although it appeared to do so somewhat reluctantly, pointedly noting that it was constrained by prior Eleventh Circuit precedent and that only the Supreme Court could resolve the issue in Van Buren’s favor.
The view from SCOTUS
On Monday, the Supreme Court finally got the chance to tackle this thorny issue once and for all. While all nine justices had an opportunity to question both sides on a variety of issues, a few key themes emerged:
- First, much of the argument centered around the government’s claim that the word “so” in the statutory definition of “exceeds authorized access” dictates an interpretation that the CFAA should be construed broadly. Justice Sotomayor was audibly frustrated with this argument, telling the government that it was “giving definitions that narrow the statute that the statute doesn’t have. You’re asking us to write definitions to narrow what could otherwise be viewed as a very broad statute and dangerously vague.” Justice Kagan similarly pressed the government as to the meaning of “so” in the statute, pointing out that both parties had different interpretations of the word, and asking the solicitor general, “why is it that we should pick your choice … rather than [Van Buren’s] choice … ?” The newest addition to the Court, Justice Barrett, also raised questions about the government’s reliance on the word “so” to support its position. Most likely, the decision will include some discussion about the potential ambiguity of the statute’s language—whether it is in the majority decision or a dissenting one.
- While readers of this blog are likely more concerned about the impact of the Court’s forthcoming decision on civil remedies under the CFAA, civil litigation was mentioned just once, when Van Buren’s lawyer pointed out that even if the federal government could be trusted to wield its prosecutorial discretion responsibly, there’s no guarantee that private parties will be so constrained. For example, Van Buren argued that a vindictive employer could sue an employee under the CFAA for violation of workforce policies against using company computers to check personal email.
In contrast, several justices expressed concern that the government’s broad interpretation of the CFAA criminalize everyday conduct of millions of Americans. The virtually singular focus on criminal prosecutions as opposed to civil suits should come as no surprise, however, as we predicted that the Court would be more concerned with the criminal repercussions of an alleged CFAA violation. Justice Gorsuch and Justice Kavanaugh in particular appeared skeptical of the government’s argument and its impact on federal prosecutors’ domain. Justice Gorsuch conveyed his concern that the case was “the latest … in a rather long line of cases in recent years in which the government has consistently sought to expand federal criminal jurisdiction, in pretty significantly contestable ways that this Court has rejected,” and wondered—perhaps rhetorically—“why we’re back here again on a rather small state crime that is prosecutable under state law, and perhaps under other federal laws, to try and address conduct that would be rather remarkable, perhaps making a federal criminal of us all.” Following those comments, Justice Kavanaugh likewise expressed concern about what he saw as “a fairly substantial expansion of federal criminal liability based on one word”—again, a reference to the government’s tortured definition of “so.”
- On the other hand, not every justice was so critical of the government’s position. Justice Alito noted his concern that adopting a narrow interpretation of the CFAA might de-criminalize certain privacy violations (although he and other justices acknowledged that other state or federal statutes might arguably cover such conduct). In fact, Justice Alito candidly stated that he found the case to be “very difficult … to decide based on the briefs that we’ve received” and seemed to suggest that additional briefing might be useful (although the government’s solicitor general indicated that he did not believe such additional briefing to be necessary or helpful). Likewise, Justice Thomas referred to the proverbial “parade of horribles” that Van Buren suggested could come to pass if the federal government were granted the wide discretion to prosecute under the CFAA, and implied that, contrary to Van Buren’s arguments, they were unlikely to occur.
- A few justices asked about the effect of the 1986 amendments, which replaced language that more explicitly prohibited access for an improper purpose with the current language that has led to the current circuit split. Regardless of how the Court rules, the decision will likely address such amendments and whether they narrowed the scope of criminal liability, as Van Buren has suggested, or whether they merely “clarified” the prohibition on improper use of one’s access, as the government contends.
Reading the tea leaves: what next?
It is, of course, not possible to determine how the Court will rule based simply on oral argument. However, based on the justices’ commentary, we suspect that the broad interpretation of the CFAA that currently remains viable in a handful of circuits may not be so for very long. It seems likely that Van Buren will obtain the support of Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh (and possibly more!) in limiting the scope of “exceeds authorized access.”
If our prognostications are correct and the Court favors the narrow interpretation of “exceeds authorized access,” what does that mean? Perhaps most relevant to our readers, employers will no longer be able to use the CFAA as a tool to pursue employees who misappropriate trade secrets or otherwise improperly use confidential information to assist a competitor. Of course, the Defend Trade Secrets Act of 2016 provides at least some protection on this front, as that law confers federal jurisdiction over most trade secret misappropriation claims. However, as we pointed out previously, where an employee’s bad acts do not meet the definition of unlawful misappropriation under the DTSA—for example, if they abscond with confidential information that does not meet the statutory definition of a trade secret—employers will be deprived of their ability to press claims in federal court, unless they find another “hook” to get there (whether violation of another federal statute or diversity jurisdiction).
Regardless, we’ll finally know one way or another how this saga ends by the end of June 2021, when the Court’s current term ends. Stay tuned for our report once the Court issues its decision.