Criminal Enforcement Against Data Breaches Under the Computer Fraud and Abuse Act
On April 20, 2020, the U.S. Supreme Court granted writ of certiorari in Van Buren v. United States to consider whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act (“CFAA”) if he accesses the same information for an improper purpose. Oral argument before the Supreme Court will be held on November 30, 2020.
Under the CFAA, a person commits a crime if he “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information” from the computer. See 18 U.S.C. § 1030(a)(2)(C) (emphasis added). The dispute in this case revolves around the meaning of the phrase “exceeds authorized access.” In his opening brief, petitioner Nathan Van Buren urges the Supreme Court to interpret the CFAA “to criminalize accessing information via computer only where an individual is not entitled for any purpose to access that information . . . .”
Van Buren was a police officer with the Cumming, Georgia, Police Department. While on duty, Van Buren became familiar with a man named Andrew Albo, who allegedly paid prostitutes to spend time with him and then later accused them of stealing his money. Van Buren developed a relationship with Albo and asked for a loan when he faced financial hardship. Unbeknownst to Van Buren, his request for a loan drew the attention of the Federal Bureau of Investigation (“FBI”), who created a sting operation to investigate his activities. During their relationship, Albo asked Van Buren to find out if a woman he met at a strip club was an undercover officer. Van Buren obliged and ran a license plate search for the woman in the Georgia Crime Information Center database. While Van Buren had authorization to access the database, the Government claimed that he “misused” the database by running an inappropriate search. Van Buren was subsequently charged and convicted of computer fraud under the CFAA.
The Eleventh Circuit affirmed Van Buren’s conviction, following its own precedent that “even a person with authority to access a computer can be guilty of computer fraud if that person subsequently misuses the computer.” United States v Van Buren¸ 940 F. 3d 1192, 1197 (11th Cir. 2019) (citing United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010)). While some of its sister circuits have agreed with the Eleventh Circuit’s approach, the Second, Fourth, and Ninth Circuits have adopted narrower interpretations of “exceeds authorized access.” For example, the Ninth Circuit has held that “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on use.” United States v. Nosal, 676 F.3d 854, 863-64 (9th Cir. 2012) (emphasis in original).