General Counsel, P.C.

  • Practice Areas
    • Business Law
      • Business Breakups in Virginia
      • Minority Shareholder Protections
      • Emerging Companies
      • Entity Formation
      • Foreign Companies Entering U.S. Market
      • Real Estate and Leases
      • Starting a Business, Licensing & Compliance
      • Registered Agent Services
      • Succession Planning for Business Owners
      • Tax Law Matters
      • Charitable Solicitation Practice Group
      • Intellectual Property
        • Trade Secrets
        • Copyright
        • Trademark
    • Employment Law
      • Employment Documentation
        • Building Your Cornerstone
        • Employee Document Vault
        • Employee Handbook Tuneup Services
        • Guidelines for Hiring or Firing Employees
        • Separation Agreements
      • Drug Testing
        • Drug Testing Your Workforce – Best Practices
        • Laws Affecting Drug Testing Policies
      • Regulatory Issues
        • VA, MD, DC, Rights & Obligations
        • Age Discrimination
        • Americans with Disabilities Act
        • At-Will Employment
        • Fair Labor Standards Act
        • Family Medical Leave Act
        • Pregnancy Discrimination Act
        • Title VII
      • Non-Competition Agreements
        • District of Columbia
        • Maryland
        • Virginia
      • For Employers of Uniformed Services Members
      • Employer Considerations For Government Contractors
      • For Non-Profits
    • Family Law
      • Divorce
        • Grounds for Divorce
          • Fourth Level Menu Sample
        • High Net Divorce
        • Same Sex Divorce
        • Military Divorce
        • Uncontested Divorce
        • Litigation vs. Alternative Dispute Resolution in Divorce
        • Post-Divorce Enforcement and Appeals
        • Alimony and Spousal Support
        • Child Custody
        • Child Support
        • Filing for Divorce in Virginia
        • Divorce Security Clearance
      • Property Division
      • Alimony and Spousal Support
      • Child Support
      • Child Custody and Visitation
      • Marital Agreements
      • International Family Law
      • Domestic Violence and Protective Orders
      • Co-Parenting in Virginia
    • Government Contracts
      • Bid Protests
      • Government Contract Claims and Appeals
      • Getting Government Contracts: Small Business Certification Services
        • 8(a) Small Business
        • HUBZone Small Business
        • SDVOSB Program
        • Veteran-Owned Small Business
        • Women-Owned Small Business
    • Litigation
      • Arbitration, Mediation & Alternative Dispute Resolution Attorneys
      • Commercial & Business Litigation
      • Defamation
      • Employment Disputes
      • Government Contracting Disputes
      • Intellectual Property Disputes
      • Local Counsel
      • Pre-Litigation
    • Estate Planning
      • Estate Planning FAQs
      • Trusts
      • Wills
      • Families With Children
      • Business Succession Planning
      • Asset Protection Planning
      • Celebrity Estate Planning Mistakes
      • Legal Business Contingency Plans
      • Become a Referral Partner
    • Probate Administration
      • Probate is Complex – FAQ and Answers
      • Trust & Estate Litigation
  • About Us
    • Overview
    • Biographies
      • Andrew “Andy” Baxter
      • Matthew Brennan
      • Heba K. Carter
      • Joanna Foard
      • Erika Gnazzo
      • Merritt Green
      • Elizabeth Hart
      • David Kaye
      • Craig Lawless
      • David Proano
      • Evan St. John
    • How We Help
  • Resources
    • Practical Counsel Blog
    • Bid Protest Weekly
    • VetWorking
    • COVID Compliance Plans
    • Virginia COVID Workplace Safety and Health Standards
    • Video Library
    • Webinars
    • Quotes in The News
    • GCPC First Generation Law Student Scholarship
  • Testimonials
  • Contact
  • Make Payments
703-556-0411

U.S. Supreme Court Holds Employee Who Accessed Work Database for Improper Purpose Did Not Violate CFAA

Thursday, 05 August 2021 / Published in Labor & Employment, News

U.S. Supreme Court Holds Employee Who Accessed Work Database for Improper Purpose Did Not Violate CFAA

In a recent case, the United States Supreme Court held that a former police sergeant did not violate the Computer Fraud and Abuse Act (“CFAA”) when he accessed a law enforcement database for personal use. As a general matter, the CFAA provides both criminal penalties and a civil cause of action that employers have utilized to sue employees for data theft.  The court’s ruling turned on the fact that the employee was authorized to access the database for proper purposes, so the fact that he accessed the database for personal use wasn’t sufficient to violate the CFAA. This ruling resolves a dispute between Federal Circuit Court and provides guidance for employers on the protection of digital information.

Summary of Case:  Van Buren v. United States

In Van Buren v. United States, Nathan Van Buren was a police sergeant in Georgia. In his duties as a police sergeant, Van Buren met Andrew Albo and the two became friendly. Van Buren asked Albo for a personal loan. Albo secretly recorded this conversation and took the recording to the local sheriff’s office and the FBI got involved. At the FBI’s instruction, Albo agreed to pay Van Buren $5,000 if Van Buren would search the state law enforcement computer database for a license plate of a woman Albo met. Van Buren agreed and used his patrol-car computer to access the database with his valid credentials. Van Buren had valid access to license plate information in the database, but had been trained not to use the database for “an improper purpose,” which was defined as “any personal use.” Van Buren was charged with violating the CFAA” on the grounds that running the license plate for Albo exceeded his authorized access. 

At issue was a clause in the CFAA which makes it unlawful to “exceed authorized access,” which means “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accessor is not entitled so to obtain.” Prior to this case, circuit courts were split as to how to interpret the CFAA’s “exceeds authorized access” clause. 

The Supreme Court concluded that under the statute, an individual “exceeds authorized access” when “he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him.” Since, here, Van Buren was authorized to access the law enforcement database and was also authorized to retrieve license plate information, the conduct did not violate the statute, since he didn’t “exceed authorized access.” The fact that he obtained the information for an improper purpose was not relevant here, as long as he was authorized to access the particular information. The court clarified that “the only question is whether Van Burden could use the system to retrieve license-plate information.” 

The Supreme Court made a helpful analogy regarding employee access to information. Under the court’s ruling, if an employee “has access to information stored in a computer—e.g., in “Folder Y,” from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.”

Practice Guidance for Employers

While this case may not seem applicable to most employers, the court’s holding is actually more far-reaching than it may initially appear. Essentially, the court here found that if an employee has access to certain information, he does not violate the CFAA if he accesses that information for an improper purpose. Instead, if the employee accessed information he wasn’t authorized to access, for any purpose, then he violated the CFAA. 

So, based on this decision, what should employers do to protect their confidential / proprietary information?  

First, companies should review how their data is stored and, as necessary, segregate and protect information that the company does not want certain employees to have access to.  If an employee has authorized access to all data, there will not be any violation of the CFAA.

Second, company policies (and employee agreements) should be reviewed / updated to ensure that they contain strong confidentiality and data protection provisions.  Even if the company does not have restrictive covenant agreements, it should consider having a Confidentiality / Non-Disclosure Agreement in place for all (or most) employees.

Third, there are state and federal laws that provide protections for employers also.  Many states, including Virginia, have a Uniform Trade Secrets Act that provides protection from misappropriation of trade secrets.  And, in 2016, the federal Defend Trade Secrets Act was passed, which created a federal claim for trade secret misappropriation.

If you need more guidance or information about how this ruling may affect your business, contact the employment law experts at General Counsel, PC today at 703-991-7973 or info@gcpc.com. Attorneys at General Counsel, PC are specialized in labor and employment law and have experience working with business owners and individuals across Virginia.

  • Tweet
Tagged under: Accessed Work Database, CFAA, Employee, Employers, guidance, Implications, Improper Purpose, No Violation, U.S. Supreme Court

TOP ARTICLE CATEGORIES

  • BUSINESS

  • COVID-19

  • LABOR & EMPLOYMENT

  • FAMILY LAW

  • GOVERNMENT CONTRACTS

  • LITIGATION

Subscribe to Blogs and Updates

Address:

6849 Old Dominion Dr #220
McLean, VA 22101

Hours of Operation:

Mon – Fri, 8AM – 5PM

Phone Number:

+1 703-556-0411


  • HOME
  • ABOUT US
  • PRIVACY POLICY
  • DISCLAIMER
  • SITEMAP
  • CONTACT US
  • MAKE A PAYMENT

General Counsel, P.C. BBB Business Review

© 2023 General Counsel, P.C. | Website Design & Development by High Level Thinkers

TOP