A Supreme Court case involving computer fraud could raise risks for businesses

Editor’s note: Sarah Hutchins, Alli Davidson, and Eric Frick are attorneys at Parker Poe in Charlotte.

CHARLOTTE – The U.S. Supreme Court is set to rule in a case that could dramatically increase litigation and criminal risks tied to employees’ computer use.

On November 30, 2020, the Supreme Court heard oral arguments for Nathan Van Buren v. United States, a case discussing the Computer Fraud and Abuse Act and what is determined to “exceed authorized access” under that law. Congress enacted the CFAA in 1984 to provide federal government agencies with a viable option for prosecuting computer crimes, such as hackers stealing information. The CFAA prohibits the intentional accesses of computers “without authorization” or “exceeding authorizing access” causing loss of $5,000 or more, and has been used as the basis for criminal charges as well as in civil litigation.

Van Buren, then a police sergeant, logged into a police database he was authorized to use in order to look up the license plate number of an individual at the request of a third party in exchange for a cash payment. The issue the Supreme Court agreed to settle is whether “a person who is authorized to access information on a computer for certain purposes” violates the CFAA “if he accesses the same information for an improper purpose.”

The government urges the court to take a broad view of the CFAA, finding that Van Buren exceeded his access when viewing the information for an improper purpose. This view of “exceeds authorized access” would provide one of the most sweeping tools for criminal and civil claims related to the unauthorized access of computers.

Van Buren argued the U.S. government’s interpretation “would brand most Americans criminals on a daily basis” for online activity they are technically not authorized to do, such as checking their social media accounts on their work computer. A broad reading of the law could limit common uses of the internet and raise the risks of litigation and criminal penalties for those uses.

Attorneys for Van Buren also argue that technology companies would be among those “imperiled” by that result.  Technology companies also argued through a friend-of-the-court brief that the government’s interpretation would “hurt rather than help computer security.” A broad reading of the CFAA would impair companies who often consult with outsiders to test security, as that activity may be interpreted to exceed authorization.

Chief Justice John Roberts summarized concerns of criminalizing certain internet activity by asking the government’s counsel if “everyone who violates a website’s terms of service or a workplace computer use policy is violating the CFAA?” The government’s attorney said no, Congress was aiming at “people who were specifically trusted, people akin to employees” who receive authorization that is more specific than accepting a website’s terms of service. Roberts replied that counsel “just talked about what Congress was aiming at. I’m concerned with the text of the statute.” That was a theme, as Justice Sonia Sotomayor called the CFAA “dangerously vague,” and Justice Samuel Alito said, “I don’t really understand the potential scope of this statute.”

Justice Neil Gorsuch seemed to take issue with how the government is using that ambiguity. “This case does seem to be the latest,” Gorsuch said, “in a rather long line of cases in recent years in which the government has consistently sought to expand federal criminal jurisdiction.” Gorsuch also argued the government does not need to broaden this one law out to prosecute “a rather small state crime that is prosecutable under state law, and perhaps under other federal laws.”

By the end of the argument, it appeared that a majority of the justices had serious questions about the government’s interpretation of the CFAA. That said, the questions at oral argument are no guarantee of the Supreme Court’s eventual ruling. If the Supreme Court upholds the government’s approach, companies will need to reassess their terms of use, workplace computer policies, and internet business practices to limit the risk of criminal prosecution and private lawsuits. If the court rejects the government’s interpretation, companies would still be wise to review exactly how the justices limit the scope of the law to make sure their business policies remain inbounds and their interests remain protected.

About the authors

Sarah Hutchins, Alli Davidson, and Eric Frick are attorneys at Parker Poe in Charlotte. They can be reached at sarahhutchins@parkerpoe.com, allidavidson@parkerpoe.com, and ericfrick@parkerpoe.com.