By Tristan Jenkinson
The United States Supreme Court has indicated that it will hear a case that should clarify how the Computer Fraud and Abuse Act (CFAA) should be interpreted. The result could affect how companies can pursue ex-employees for intellectual property theft and employee misuse of company data.
The clarification relates to the specific interpretation of when access to a computer “exceeds authorized access”. The lower courts have been split on how this should be interpreted in a case where an individual accesses data that they are authorised to access, but for an unauthorised reason.
The case that the Supreme Court are to hear involves Nathan Van Buren, formerly a police officer in Georgia. Van Buren was subject to a sting operation devised by the FBI. Van Buren was offered $6,000 to search police records for a license plate, allegedly to find out if a local stripper was an undercover police officer. Van Buren performed the search and was subsequently sentenced to 18 months in jail.
Van Buren appealed against the alleged breach of CFAA, claiming that as he had authorised access to search the database, therefore doing so (even if for an improper purpose) was not exceeding his authorised access (therefore it was not a breach of CFAA). This would have been the interpretation of courts in New York, California and North Carolina, where non-authorised access would require actions akin to stealing another user’s password, or hacking a website.
Van Buren’s lawyers have argued that a broader interpretation of CFAA could result in criminalising any form of non-work related use of work computers – such as taking part in college basketball pools.
President Trump’s administration have reportedly urged the Supreme Court to leave Van Buren’s conviction in place.
The decision by the Supreme Court, due in their next session, could have an impact in the civil law space and the options that companies have to follow up intellectual property theft, or misuse of company computers and data.