Supreme Court Cuts Back Computer Fraud and Abuse Act
Updated: Jul 15, 2021
Back in 1986 Congress passed the Computer Fraud and Abuse Act (CFAA).
CFAA imposes criminal or civil liability on any person who intentionally accesses a computer without authorization or exceeds authorized access and, in doing so, obtains information from any protected computer. The CFAA generally covers many types of computer fraud, including trade secret theft, hacking, data breaches, and anticompetitive behavior. To win, a plaintiff must prove a defendant (i) intentionally accessed a computer, (ii) lacked authority to access the computer or exceeded granted authority to access the computer, (iii) obtained data from the computer, and (iv) caused a loss of $5,000 or more during a one-year period.
Almost immediately, some courts began to rule that even if a person is authorized to access a computer, if that person accesses the computer for reasons outside the scope of the authority granted, CFAA imposed liability. As a result, CFAA became a favorite way of going after former employees for trade secret theft.
Other courts ruled that a person could only exceeds the granted authority to access a computer if the person accesses files or databases the person does not have authority to access. If they misuse information they get from files or databases they do have authority to access, there is no CFAA liability.
The Supreme Court decision follows this second, narrower rule and makes it national law.
In this particular case, the court ruled that a police officer did not violate the CFAA when taking a cash in exchange for searching a database because the police officer had access to the database for work purposes. An individual exceeds authorized access when accessing computer with authorization but gets information located in particular areas of the computer that are off-limits to them.
Why This Is Important... The decision severely restricts CFAA and relegates cases involving trade secrets and other employee malfeasance to common law standards which are more difficult to prove. Businesses need to revisit policies with tighter standards so that access to data is limited to certain areas and being clear on what is and is not accessible.