In 1986, Congress enacted the Computer Fraud and Abuse Act (“CFAA”). See 18 U.S.C. § 1030, et seq. The CFAA is one of the major federal statutes that empowers the federal government to seek criminal penalties against hackers and cybercriminals. The statute has also been used to punish employees and others who “misuse” computers to which they have access. Civil parties can also use the CFAA to obtain civil penalties against those who commit computer fraud and misuse.
The CFAA has been a focus of news reports lately for two reasons. First, in April 2020, the United States Department of Justice (“DOJ”) announced a crackdown on computer hacking, cybercrime, fraud, scams and phishing schemes related to COVID-19 pandemic. Reprehensibly, hackers and cybercriminals have been exploiting the pandemic to scam donations and access to technology from businesses, universities, and individuals. During its announcement of its crackdown efforts, the DOJ highlighted examples like of a fake website pretending to be the Red Cross soliciting donations to fight COVID-19 and various fake websites and using look-alike domain names mimicking government websites tricking victims into turning over their bank account information and other personal information.
During the announcement, the DOJ also highlighted its powers under the CFAA and promised vigorous and tenacious prosecution of cybercriminals seeking to take advantage of the COVID-19 crisis. The CFAA makes computer hacking a crime. In particular, the CFAA makes it a crime to intentionally access a computer “without authorization” or by exceeding “authorized access” and, as a result, obtaining “information from any department or agency of the United States.” 18 U.S.C. § 1030(a)(2)(B). Originally, the CFAA only applied to hacking or unauthorized access of government computers, but the Act now applies to what are called “protected computers” which essentially mean all computers that are connected to the internet. Depending on the severity of the violation of the CFAA, the DOJ can seek substantial monetary fines and prison terms from as low as one year to as many as 20 years.
The CFAA has also been in the news lately because the US Supreme Court has agreed to hear an appeal related to a criminal conviction under the CFAA in the case of US v. Van Buren, 940 F. 3d 1192 (11th Cir. 2019). The DOJ has long taken the view that the CFAA can be used to criminally punish employees who abuse their employer’s computer by exceeding the authority granted to them as employees. In Van Buren, the defendant — Nathan Van Buren — was a sergeant with the Police Department in Cumming, Georgia. As a police officer, Van Buren had authorized access to the Department’s computer system for police-related operations. However, Van Buren used the computer system for personal — criminal — business. In exchange for a “loan” by a man interested in a woman he met at a strip club, Van Buren ran a search for a woman’s vehicle license plate number in the police database.
Unfortunately for Van Buren, the whole thing was an FBI sting operation. Van Buren was eventually arrested, charged with violating the CFAA and was convicted. On appeal to the Eleventh Circuit, Van Buren argued that the CFAA did not apply to situations, like his, where an employee violates an employer’s use-of-computer policies.
On this particular legal point, there is a split among the Federal Circuit Courts of Appeal. Like the First, Fifth and Seventh Circuits, the Eleventh Circuit agrees with the DOJ that the CFAA criminalizes using data for unauthorized purposes even if accessing the data was otherwise authorized. That is what Van Buren did. As a police officer, he was authorized to access license plate related information. However, he was not authorized to personally use that information and, obviously, not authorized to give the information to another in exchange for a “loan.”
By contrast, three Circuit Courts — the Second, Fourth, and Ninth Circuits — disagree with the DOJ’s interpretation. Those Circuits interpret the CFAA to only criminalize access to data that the employee was not authorized to access (regardless of what the data was ultimately used for). These Circuits are concerned about potential overreach and about criminalizing common employee behaviors. Imagine that a workplace provides work email addresses and the email-use policy states that the email addresses can only be used for company business. If an employee uses the email for personal business, under the broad interpretation of the FCAA, that employee has committed a crime.
The US Supreme Court is expected to hear arguments on the Van Buren case later this year. We, here at Revision Legal will be following the case with interest.
If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.