In a recent case, the United States Supreme Court held that a former police sergeant did not violate the Computer Fraud and Abuse Act (“CFAA”) when he accessed a law enforcement database for personal use. As a general matter, the CFAA provides both criminal penalties and a civil cause of action that employers have utilized to sue employees for data theft. The court’s ruling turned on the fact that the employee was authorized to access the database for proper purposes, so the fact that he accessed the database for personal use wasn’t sufficient to violate the CFAA. This ruling resolves a dispute between Federal Circuit Court and provides guidance for employers on the protection of digital information.
Summary of Case: Van Buren v. United States
In Van Buren v. United States, Nathan Van Buren was a police sergeant in Georgia. In his duties as a police sergeant, Van Buren met Andrew Albo and the two became friendly. Van Buren asked Albo for a personal loan. Albo secretly recorded this conversation and took the recording to the local sheriff’s office and the FBI got involved. At the FBI’s instruction, Albo agreed to pay Van Buren $5,000 if Van Buren would search the state law enforcement computer database for a license plate of a woman Albo met. Van Buren agreed and used his patrol-car computer to access the database with his valid credentials. Van Buren had valid access to license plate information in the database, but had been trained not to use the database for “an improper purpose,” which was defined as “any personal use.” Van Buren was charged with violating the CFAA” on the grounds that running the license plate for Albo exceeded his authorized access.
At issue was a clause in the CFAA which makes it unlawful to “exceed authorized access,” which means “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accessor is not entitled so to obtain.” Prior to this case, circuit courts were split as to how to interpret the CFAA’s “exceeds authorized access” clause.
The Supreme Court concluded that under the statute, an individual “exceeds authorized access” when “he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him.” Since, here, Van Buren was authorized to access the law enforcement database and was also authorized to retrieve license plate information, the conduct did not violate the statute, since he didn’t “exceed authorized access.” The fact that he obtained the information for an improper purpose was not relevant here, as long as he was authorized to access the particular information. The court clarified that “the only question is whether Van Burden could use the system to retrieve license-plate information.”
The Supreme Court made a helpful analogy regarding employee access to information. Under the court’s ruling, if an employee “has access to information stored in a computer—e.g., in “Folder Y,” from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.”
Practice Guidance for Employers
While this case may not seem applicable to most employers, the court’s holding is actually more far-reaching than it may initially appear. Essentially, the court here found that if an employee has access to certain information, he does not violate the CFAA if he accesses that information for an improper purpose. Instead, if the employee accessed information he wasn’t authorized to access, for any purpose, then he violated the CFAA.
So, based on this decision, what should employers do to protect their confidential / proprietary information?
First, companies should review how their data is stored and, as necessary, segregate and protect information that the company does not want certain employees to have access to. If an employee has authorized access to all data, there will not be any violation of the CFAA.
Second, company policies (and employee agreements) should be reviewed / updated to ensure that they contain strong confidentiality and data protection provisions. Even if the company does not have restrictive covenant agreements, it should consider having a Confidentiality / Non-Disclosure Agreement in place for all (or most) employees.
Third, there are state and federal laws that provide protections for employers also. Many states, including Virginia, have a Uniform Trade Secrets Act that provides protection from misappropriation of trade secrets. And, in 2016, the federal Defend Trade Secrets Act was passed, which created a federal claim for trade secret misappropriation.
If you need more guidance or information about how this ruling may affect your business, contact the employment law experts at General Counsel, PC today at 703-991-7973 or info@gcpc.com. Attorneys at General Counsel, PC are specialized in labor and employment law and have experience working with business owners and individuals across Virginia.