Supreme Court Narrows Reach of Computer Fraud and Abuse Act


CFAA Narrow Reading Redefines “Authorized Access” in Computer Fraud Cases

Ignoring partisan lines, the Supreme Court voted to narrow the reach of the Computer Fraud and Abuse Act (“CFAA”) this month in Van Buren v. United States. The 1986 American technology law has long been the cornerstone of cybersecurity prosecution, but the High Court significantly narrowed the scope of the CFAA by redefining what “authorized access” means.

CFAA and “Authorized Access”

The CFAA makes it illegal for a person to access a computer without authorization and provides both criminal and civil penalties for such violations. Until the recent Supreme Court decision, the key CFAA language, “intentionally accesses a computer without authorization or exceeds authorized access,” had been interpreted broadly by some courts to mean that the CFAA would apply to a person who had authorized access but exceeded their authorization to access such information. 

In Van Buren v. United States, Nathan Van Buren was a police officer who used his authorized access to the police database for unauthorized purposes. Specifically, Van Buren was running license plates in return for money. Arrested during an FBI sting operation, Van Buren was charged with criminally violating the CFAA. Van Buren appealed and argued that the narrow reading of the CFAA should apply. The appellate court disagreed, upholding his conviction.

CFAA Narrow Reading

On appeal to the Supreme Court, Van Buren’s conviction was reversed. The Supreme Court reasoned that the narrower interpretation of the CFAA should prevail. The Supreme Court held that because Van Buren already had access to the system, he was “entitled” to the information that his access had already granted him. Although Van Buren was gathering information for an unauthorized purpose, he was still accessing the same database that he would have on a day-to-day basis. In essence, Van Buren had not gained any “unauthorized access” to any databases he would not have already been able to peruse. By contrast, if Van Buren had somehow gained illegal access to a database that he should not have had access to, such as Internal Affairs, then the CFAA language would have applied.

The new Supreme Court ruling should encourage brand owners to consult experienced data privacy and technology attorneys who can draft proper terms of service/use agreements, as the CFAA may now have lost its teeth.

Key Takeaways on the CFAA Narrow Reading

The Supreme Court significantly narrowed the reach of the CFAA in Van Buren v. United States. The CFAA’s narrow reading means:

  • that the CFAA no longer applies to a person who had authorized access but was using it for an unauthorized purpose;

  • that data-scraping bots may be immune to the CFAA now; and

  • that companies and organizations may have to rely on other means like terms of use/terms of service to protect their systems.
