Four lessons from the Supreme Court ruling on the federal law against hacker attacks


In a decision dated June 3 in Van Buren versus United States, The US Supreme Court, with Judge Amy Coney Barrett advocating a 6: 3 majority, limited the relevant provision of the Computer Fraud and Abuse Act (CFAA), stating that the law was a “goals-up-or-down.” Examination “required. you can or you can’t [permissibly] access a computer system, and certain ones can either be accessed or not [authorized] Areas within the system ”in determining who has broken the law.

Specifically, the court ruled that “a person transgresses authorized access” if they access a computer with authorization but then receive information that is in certain areas of the computer – such as files, folders, or databases – that are relevant to them are not accessible. ”

The court did not discuss whether exceeding authorized access means that the restriction, the “gate”, must be code-based (with technological access restrictions) or that the “gate” could be contract-based or policy-based. We discuss the most important findings from the decision.

Relief for most computer users

First, those who use their work computers to send personal email or read messages, contrary to written warnings from their employers that such use is unauthorized, are not (without any more) criminals under the CFAA.

With most people authorized to access the e-mail and Internet features, it is now very unlikely that they have “exceeded authorized access” using these features. You can of course be subject to other disciplinary measures, but there probably won’t be a federal case.

Barrett also called “decorating an online dating profile” and “using a pseudonym on Facebook” or any other violation of a website’s terms of use as not against the CFAA. Therefore, ordinary website users will not be prosecuted for violating one or more of the Terms of Use; Terms that the user most likely didn’t even read.

Current restrictions may not protect key data

Second, website owners and employers have now realized that the current restrictions in their terms of service or warnings to employees may not be sufficient to protect important information contained on their computers as required by the CFAA.

If employers have information on their computers that only a certain, limited group of employees should have access to, they should consider breaking the information into separate, password-protected files or folders. If an unauthorized employee enters such protected files or folders – essentially internal hacking – the CFAA sanction can be applied.

Employers are at least well advised to ensure that the contractual language that restricts access to information stored on a computer is specific and agreed separately by each employee. However, even contract or policy-based restrictions cannot provide assurance that the CFAA ban will apply to employees who exceed those restrictions, given the limited scope of the Supreme Court ruling, given the limited scope of the Supreme Court ruling, individual courts can plausibly rule that the restrictions must be code-based .

Likewise, website owners are now advised that their terms of use must not punish those who use the service in an unauthorized manner. Once a website is made available to the public, all this information should be considered “fair game” for practical reasons.

Because the CFAA no longer readily exposes a person violating these Terms of Use, website owners are encouraged to protect their information in ways that go beyond the mere Terms of Use. A special fallout from the Van Buren The decision is that “data scratches” (ie the use of automatic programs to extract information from websites) should not be viewed as a violation of the CFAA.

Congress could expand the CFAA

Third, look out for measures taken by Congress to protect information in computers. Given that Big Tech is already under the control of Congress, there may well be a law passed to expand the CFAA to cover access to information in protected computers for “inappropriate purposes”. Depending on the legislation, measures may be necessary to tighten restrictive wording in guidelines and contracts.

Other laws may apply

Finally, despite this ruling, other parts of the CFAA are subject to fraud or other defined acts, such as B. deliberate damage to a computer, an injury. In addition, other federal and state criminal laws may apply to unauthorized access to computer information.

The court’s ruling has restricted the law in a way that affects not only the criminal application of the law but also the possible civil enforcement by corporations. As far as Congress allows, employers and website owners should carefully examine the information they want to protect from otherwise authorized employees and users and develop a prophylactic approach to prevent such unauthorized access.

This column does not necessarily represent the opinion of the Bureau of National Affairs, Inc. or its owners.

Write for us: Guidelines for Authors

Information about the author

Mark Srere is partner and leader of the White Collar Practice Group of Bryan Cave Leighton Paisner LLP.

Ben Clark is senior litigator at Bryan Cave Leighton Paisner LLP and a former federal prosecutor.


About Author

Leave A Reply