Officer Van Buren was charged and convicted for violating the CFAA. Specifically, in exchange for the payment of $5000, Officer Van Buren used his police vehicle’s computer to access license plate information for a friend. Officer Van Buren had “authorization” to use the vehicle’s computer and he had “authorization” to access the license plate database. However, he was not permitted to access the database for “personal use.”
And that is the issue in the case: whether the CFAA’s prohibition against “exceeding” authorized access applies to access of information an individual is entitled to access, but did so with an improper purpose. The circuit courts are split on the issue. The Eleventh Circuit upheld Officer Van Buren’s conviction, but the Supreme Court held that accessing information to which the individual otherwise is entitled but with an improper purposes is not a violation of the CFAA, overturning Officer Van Buren’s conviction.
The majority opinion, authored by Justice Barrett, focused on the impact on “millions of otherwise law-abiding citizens,” noting that an opposite holding would render criminal a “breathtaking amount of commonplace computer activity.” Most employers have policies that prohibit personal use. Some employers have computer policies that incorporate corporate codes of ethics, or anti-discrimination statutes. The Supreme Court noted that a holding that otherwise authorized access for “an improper purpose” would mean that employees violated the CFAA, and would be subject to criminal prosecution, for sending a personal email, agreeing to terms of service for certain websites, “embellishing” on dating websites or using a pseudonym on Facebook while using their work computers. The court noted that there are other remedies for such conduct. For example, the individual who uses authorized access to misappropriate trade secrets is subject to other laws prohibiting that conduct; and, in this case, Officer Van Buren might be subject to federal wire fraud statutes.
The Supreme Court did not address the civil liability provisions of the CFAA, except to note that the requirement to show damage in order to impose civil liability demonstrates that the purpose of the statue is to remediate the “ordinary consequences of hacking” and not “misuse of sensitive information” remediable by other laws. The Court’s holding and this observation likely mean the death knell of this particular strategy in employment trade secret or restrictive covenant cases. In those cases, the employee has usually downloaded information or contacts prior to termination (and the inevitable severing of the employee’s access to that information). The employee has authorized access both to the “computer” and to the information the employee downloaded, likely up to the time of his termination. Under the holding in Van Buren this conduct on the part of the employee is not a violation of the CFAA, and for that reason cannot form the basis of a civil claim. The statute specifically provides for a private cause of action for “any person who suffers damage or loss by reason of violation of this section,” requiring the wronged party to prove a “violation of this section” prior to seeking a civil remedy. Where a workplace policy violation by an employee who is authorized to access a computer or the information accessed is not a “violation” under Van Buren, the wronged party cannot state a claim.
Further, the Supreme Court’s limitation of the CFAA to the “ordinary consequences of hacking” necessarily eliminates civil liability. The employee’s wrong was not “hacking” in the ordinary sense, but misusing or misappropriating information. Interestingly, in the case where an employee “wipes” a device prior to returning it to the employer, there is “damage” as defined by the statute, necessary to impose civil liability, but the employee will have damaged information which he had authorization to access.
The Supreme Court’s clarification of the reach of the CFAA in Van Buren impacts employers’ remedies against employees who download, destroy or misappropriate information before they depart employment. Employers will have to find other legal remedies to address this conduct by departing employees with bad motives. Employee contracts should require return of any information (including electronic information and data) upon termination, and prohibit the employee from keeping copies. This will provide the employer with a breach of contract claim. Federal and state trade secret statutes may also apply if the information taken amounts to a “trade secret.” Common law claims such as conversion or breach of the duty of loyalty may also apply to remedy the wrong. While it is important to have written workplace policies regarding use of computers and electronic information, a violation of those policies alone will not be enough to state a claim for civil or criminal liability under the CFAA.
Patricia Collins is a Partner and Employment Law Chair with Antheil Maslow & MacMinn, LLP, based in Doylestown, PA. Her practice focuses primarily on employment, commercial litigation and health care law. Patricia Collins can be contacted at 215.230.7500 ext. 126.