In a decision dated June 3 in Van Buren versus United States, The US Supreme Court, with Judge Amy Coney Barrett advocating a 6: 3 majority, limited the relevant provision of the Computer Fraud and Abuse Act (CFAA), stating that the law was a “goals-up-or-down.” Examination “required. you can or you can’t [permissibly] access a computer system, and certain ones can either be accessed or not [authorized] Areas within the system ”in determining who has broken the law.
Specifically, the court ruled that “a person transgresses authorized access” if they access a computer with authorization but then receive information that is in certain areas of the computer – such as files, folders, or databases – that are relevant to them are not accessible. ”
The court did not discuss whether exceeding authorized access means that the restriction, the “gate”, must be code-based (with technological access restrictions) or that the “gate” could be contract-based or policy-based. We discuss the most important findings from the decision.
Relief for most computer users
First, those who use their work computers to send personal email or read messages, contrary to written warnings from their employers that such use is unauthorized, are not (without any more) criminals under the CFAA.
With most people authorized to access the e-mail and Internet features, it is now very unlikely that they have “exceeded authorized access” using these features. You can of course be subject to other disciplinary measures, but there probably won’t be a federal case.
Current restrictions may not protect key data
Second, website owners and employers have now realized that the current restrictions in their terms of service or warnings to employees may not be sufficient to protect important information contained on their computers as required by the CFAA.
If employers have information on their computers that only a certain, limited group of employees should have access to, they should consider breaking the information into separate, password-protected files or folders. If an unauthorized employee enters such protected files or folders – essentially internal hacking – the CFAA sanction can be applied.
Employers are at least well advised to ensure that the contractual language that restricts access to information stored on a computer is specific and agreed separately by each employee. However, even contract or policy-based restrictions cannot provide assurance that the CFAA ban will apply to employees who exceed those restrictions, given the limited scope of the Supreme Court ruling, given the limited scope of the Supreme Court ruling, individual courts can plausibly rule that the restrictions must be code-based .
Congress could expand the CFAA
Third, look out for measures taken by Congress to protect information in computers. Given that Big Tech is already under the control of Congress, there may well be a law passed to expand the CFAA to cover access to information in protected computers for “inappropriate purposes”. Depending on the legislation, measures may be necessary to tighten restrictive wording in guidelines and contracts.
Other laws may apply
Finally, despite this ruling, other parts of the CFAA are subject to fraud or other defined acts, such as B. deliberate damage to a computer, an injury. In addition, other federal and state criminal laws may apply to unauthorized access to computer information.
The court’s ruling has restricted the law in a way that affects not only the criminal application of the law but also the possible civil enforcement by corporations. As far as Congress allows, employers and website owners should carefully examine the information they want to protect from otherwise authorized employees and users and develop a prophylactic approach to prevent such unauthorized access.
This column does not necessarily represent the opinion of the Bureau of National Affairs, Inc. or its owners.
Information about the author
Mark Srere is partner and leader of the White Collar Practice Group of Bryan Cave Leighton Paisner LLP.
Ben Clark is senior litigator at Bryan Cave Leighton Paisner LLP and a former federal prosecutor.