Van Buren v. United States: The Supreme Court Eliminates a Remedy for Employers

Wednesday, July 21 2021 13:56 Written by Patricia Collins

Reprinted with permission from the June 21st edition of The Legal Intelligencer. (c) 2021 ALM Media Properties. Further duplication without permission is prohibited.

Since its enactment in 1986, employers have used the federal Computer Fraud and Abuse Act, 19 U.S.C. §1030 (“CFAA”) to vindicate violations of the employer’s workplace policies regarding use of computers, email accounts, and other electronic information by departing employees. The CFAA inevitably appeared as a claim in an employer’s complaint to address such conduct as downloading information from work computers and email accounts, or wiping devices and removing valuable information. The CFAA potentially provided relief where the information taken might not meet the definition of a “trade secret” in the federal Defend Trade Secrets Act (18 U.S.C. §1986), or Pennsylvania’s Uniform Trade Secrets Protection Act (12 P.S. § 5302). Further, and perhaps providing leverage for employers, the CFAA provided a criminal remedy for such violations. In Van Buren v. United States, 592 U.S. ___ (June 3, 2021), the United States Supreme Court may have eliminated that claim for wronged employers.

The CFAA prohibits intentionally accessing a computer with or without authorization or exceeding authorized access of a computer. The Act defines “exceeding authorized access” as accessing a computer with authorization and using that access to obtain information in the computer to which the individual is not otherwise entitled. The CFAA imposes criminal liability for violations of these prohibitions. It also imposes civil liability through a private cause of action if there is “damage,” meaning, an impairment to the integrity or availability of data, a program, a system or information.


Officer Van Buren was charged and convicted for violating the CFAA. Specifically, in exchange for the payment of $5000, Officer Van Buren used his police vehicle’s computer to access license plate information for a friend. Officer Van Buren had “authorization” to use the vehicle’s computer and he had “authorization” to access the license plate database. However, he was not permitted to access the database for “personal use.”

And that is the issue in the case: whether the CFAA’s prohibition against “exceeding” authorized access applies when an individual accesses information he is entitled to access, but does so with an improper purpose. The circuit courts are split on the issue. The Eleventh Circuit upheld Officer Van Buren’s conviction, but the Supreme Court held that accessing information to which the individual otherwise is entitled but with an improper purpose is not a violation of the CFAA, overturning Officer Van Buren’s conviction.

The majority opinion, authored by Justice Barrett, focused on the impact on “millions of otherwise law-abiding citizens,” noting that an opposite holding would render criminal a “breathtaking amount of commonplace computer activity.” Most employers have policies that prohibit personal use. Some employers have computer policies that incorporate corporate codes of ethics, or anti-discrimination statutes. The Supreme Court noted that a holding that criminalized otherwise authorized access for “an improper purpose” would mean that employees violated the CFAA, and would be subject to criminal prosecution, for sending a personal email, agreeing to terms of service for certain websites, “embellishing” on dating websites or using a pseudonym on Facebook while using their work computers. The court noted that there are other remedies for such conduct. For example, the individual who uses authorized access to misappropriate trade secrets is subject to other laws prohibiting that conduct; and, in this case, Officer Van Buren might be subject to federal wire fraud statutes.

The Supreme Court did not address the civil liability provisions of the CFAA, except to note that the requirement to show damage in order to impose civil liability demonstrates that the purpose of the statute is to remediate the “ordinary consequences of hacking” and not “misuse of sensitive information” remediable by other laws. The Court’s holding and this observation likely mean the death knell of this particular strategy in employment trade secret or restrictive covenant cases. In those cases, the employee has usually downloaded information or contacts prior to termination (and the inevitable severing of the employee’s access to that information). The employee has authorized access both to the “computer” and to the information the employee downloaded, likely up to the time of his termination. Under the holding in Van Buren this conduct on the part of the employee is not a violation of the CFAA, and for that reason cannot form the basis of a civil claim. The statute specifically provides for a private cause of action for “any person who suffers damage or loss by reason of violation of this section,” requiring the wronged party to prove a “violation of this section” prior to seeking a civil remedy. Where a workplace policy violation by an employee who is authorized to access a computer or the information accessed is not a “violation” under Van Buren, the wronged party cannot state a claim.

Further, the Supreme Court’s limitation of the CFAA to the “ordinary consequences of hacking” necessarily eliminates civil liability. The employee’s wrong was not “hacking” in the ordinary sense, but misusing or misappropriating information. Interestingly, in the case where an employee “wipes” a device prior to returning it to the employer, there is “damage” as defined by the statute, necessary to impose civil liability, but the employee will have damaged information which he had authorization to access.

The Supreme Court’s clarification of the reach of the CFAA in Van Buren impacts employers’ remedies against employees who download, destroy or misappropriate information before they depart employment. Employers will have to find other legal remedies to address this conduct by departing employees with bad motives. Employee contracts should require return of any information (including electronic information and data) upon termination, and prohibit the employee from keeping copies. This will provide the employer with a breach of contract claim. Federal and state trade secret statutes may also apply if the information taken amounts to a “trade secret.” Common law claims such as conversion or breach of the duty of loyalty may also apply to remedy the wrong. While it is important to have written workplace policies regarding use of computers and electronic information, a violation of those policies alone will not be enough to state a claim for civil or criminal liability under the CFAA.

Patricia Collins is a Partner and Employment Law Chair with Antheil Maslow & MacMinn, LLP, based in Doylestown, PA. Her practice focuses primarily on employment, commercial litigation and health care law. Patricia Collins can be contacted at 215.230.7500 ext. 126.

Last modified on Wednesday, July 21 2021 14:41
Patricia Collins

Patty has been practicing law since 1996 in the areas of Employment Law, Health Care and Litigation, with extensive experience in advising employers and health care providers as well as complex litigation in federal and state courts. Patty’s knowledge of employment law includes the Employee Retirement Income Security Act; federal and state employment discrimination laws, and employment contracts and wage claims.
