Prison Time for Personal Use of Company Computers? Supreme Court Grants Cert to Decide Whether Noncompliance With a Company’s Terms of Use Constitutes a Violation of the Computer Fraud and Abuse Act


On Monday, April 20th, the Supreme Court accepted cert in Van Burien v. United States to (hopefully) resolve a longstanding circuit split regarding the Computer Fraud and Abuse Act (or CFAA):  Does an individual exceed authorized access when he or she accesses a computer contrary to a policy or agreement limiting access (i.e., accessing a computer for a purpose beyond those permitted by the company).

The CFAA makes it a federal crime to “intentionally access[] a computer without authorization or exceed[] authorized access and thereby obtain[] information from any protected computer.”  18 U.S.C. § 1030(a)(2)(C).  The statute defines “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  18 U.S.C. 1030(e)(6).  The scope of authorized access is an issue of vigorous debate, resulting in a split among the federal courts of appeals on the issue.

On one side of the split, the First, Fifth, Seventh, and Eleventh Circuits have broadly construed the prohibition on exceeding authorized access, allowing criminal (as well as civil) CFAA liability to attach where an individual is authorized to access a computer, but uses that access inconsistent with the purpose for which access was authorized in the first place (e.g., contrary to an acceptable use policy or website terms of service).  United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).  On the other side of the split, the Second, Fourth, and Ninth Circuits have interpreted the prohibition on exceeding authorized access narrowly, determining that liability cannot attach under this provision based upon the intended use of the information.  Rather, the individual must traverse some technical barrier.  United States v. Valle, 807 F.3d 508, 511-513 (2d Cir. 2015); United States v. Nosal, 676 F.3d 854, 856-857, 863-864 (9th Cir. 2012) (en banc); see also WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012).

In the Van Buren decision to be reviewed by the Supreme Court, the Eleventh Circuit acknowledged the split, but reiterated its position that one’s purpose in accessing the information is relevant to the authorization inquiry.  In the case, Mr. Van Buren, a Georgia police officer, used the Georgia Crime Information Center database to run a license plate number in exchange for cash from an acquaintance.  He was charged and convicted of a CFAA violation based on the theory that his use of the database to look up information in exchange for cash exceeded his authorized access, as dictated by state law.  Specifically, Georgia law imposes criminal responsibility on any officer who uses the database for personal reasons and Mr. Van Buren had received training that the database was to be used only for law-enforcement purposes.  In upholding the conviction, the Eleventh Circuit followed its 2010 holding in United States v. Rodriguez that a person with authority to access a computer can be guilty of a crime under the CFAA if he or she uses the computer in a manner beyond which he or she has been authorized.  In Rodriguez, a social security administration employee was convicted of CFAA violations for looking up personal information of seventeen people in social security administration records for personal reasons.

Even if it seems like the misuse of government resources for personal gain is rightly treated as criminal conduct, some groups are worried about broader consequences if such conduct is found by the Supreme Court to be a violation of CFAA.  Would a private company be able to bring civil CFAA claims premised on violations of its terms of use?  Would a security researcher be subject to civil and criminal liability if he or she violated terms of service in connection with a security investigation?  Would an employee be subject to criminal penalties if the employee handbook says not to use personal email on his computer at work but he does?  Given that two different organizations filed amicus curiae briefs urging the Court to accept cert based on such concerns, it is worth keeping a close eye on Van Buren v. United States as it proceeds (just maybe do it from your personal computer).