Criminal Enforcement Against Data Breaches Under the Computer Fraud and Abuse Act

Ari Feinstein, Andrew I. Kimmel

On April 20, 2020, the U.S. Supreme Court granted a writ of certiorari in Van Buren v. United States to consider whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act (“CFAA”) if he accesses the same information for an improper purpose. Oral argument before the Supreme Court will be held on November 30, 2020.

Under the CFAA, a person commits a crime if he “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information” from the computer. See 18 U.S.C. § 1030(a)(2)(C) (emphasis added). The dispute in this case revolves around the meaning of the phrase “exceeds authorized access.” In his opening brief, petitioner Nathan Van Buren urges the Supreme Court to interpret the CFAA “to criminalize accessing information via computer only where an individual is not entitled for any purpose to access that information . . . .”

Van Buren was a police officer with the Cumming, Georgia, Police Department. While on duty, Van Buren became familiar with a man named Andrew Albo, who allegedly paid prostitutes to spend time with him and then later accused them of stealing his money. Van Buren developed a relationship with Albo and asked for a loan when he faced financial hardship. Unbeknownst to Van Buren, his request for a loan drew the attention of the Federal Bureau of Investigation (“FBI”), which set up a sting operation to investigate his activities. During their relationship, Albo asked Van Buren to find out if a woman he met at a strip club was an undercover officer. Van Buren obliged and ran a license plate search for the woman in the Georgia Crime Information Center database. While Van Buren had authorization to access the database, the Government claimed that he “misused” the database by running an inappropriate search. Van Buren was subsequently charged with and convicted of computer fraud under the CFAA.

The Eleventh Circuit affirmed Van Buren’s conviction, following its own precedent that “even a person with authority to access a computer can be guilty of computer fraud if that person subsequently misuses the computer.” United States v. Van Buren, 940 F.3d 1192, 1197 (11th Cir. 2019) (citing United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010)). While some of its sister circuits have agreed with the Eleventh Circuit’s approach, the Second, Fourth, and Ninth Circuits have adopted narrower interpretations of “exceeds authorized access.” For example, the Ninth Circuit has held that “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on use.” United States v. Nosal, 676 F.3d 854, 863-64 (9th Cir. 2012) (emphasis in original).

In his writ petition, Van Buren asks the Supreme Court to adopt the narrower interpretation of “exceeds authorized access” consistent with the Second, Fourth, and Ninth Circuits. In an amicus brief, Professor Orin Kerr describes two interesting interpretations of potential CFAA violations: a “code-based theory” and a “contract-based theory.” Under the code-based theory, “conduct becomes unauthorized when it circumvents a technological restriction on access” (e.g., stealing a user’s password, traditional hacking). Courts generally agree that the CFAA criminalizes this type of access. Under a contract-based theory, conduct becomes unauthorized when a person merely violates a rule regarding the use of the website—such as a rule in the terms of use. This much broader theory, which focuses on use, arguably resembles the Eleventh Circuit’s misuse-based interpretation taken to its logical conclusion. The contract-based theory has significant ramifications because, if this interpretation is adopted, computer users could be subject to criminal liability for even relatively innocuous violations of a website’s terms of use. For example, this broad reading of the statute could potentially criminalize using information from a dating site for marketing research, instead of meeting a companion, if the website’s terms of use limit the use of dating profiles to meeting people.

Ultimately, it is uncertain which interpretation of Section 1030(a)(2) of the CFAA the Supreme Court will adopt. The Supreme Court may adopt the narrow interpretation of the CFAA endorsed by the Second, Fourth, and Ninth Circuits, or it may adopt the broader interpretation endorsed by the Eleventh Circuit. However, as Professor Kerr’s amicus brief explains, a broader interpretation could potentially criminalize what may be widespread and routine failures to comply with terms of use published by private actors.