Last week, the Sixth Circuit weighed in on a hotly debated question concerning the Computer Fraud and Abuse Act (CFAA): what does it take for someone to "exceed authorized access" to a computer system? As we recently explained, courts have split over whether the mere improper use of a computer, such as use that violates terms of service, constitutes a violation of the CFAA. The First, Fifth, Seventh, Eighth, and Eleventh Circuits have all answered that question affirmatively, while the Second, Fourth and Ninth Circuits have held that access is unauthorized only when a person bypasses some sort of code-based restriction or authentication gate, such as by guessing another user's password or exploiting a security flaw. With the split deepening, the Supreme Court recently granted certiorari in United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019) to resolve this ambiguity and determine the reach of the CFAA.
In the meantime, the Sixth Circuit has decided to add its two cents, adopting the Second, Fourth and Ninth Circuits' narrow approach to find that the CFAA does not bar employees from misusing company information they are authorized to access. In Royal Truck v. Kraft, two employees of Michigan-based Royal Truck & Trailer Sales & Service abruptly resigned to accept positions with a competitor. Prior to leaving Royal Truck, the employees were alleged to have sent confidential and proprietary sales information from their company e-mail accounts to their personal addresses. They then allegedly proceeded to delete data from their company-issued cell phones and laptops, all in violation of Royal Truck's company policy. A subsequent forensic investigation of the now-former employees' devices led Royal Truck to file a lawsuit, alleging that both individuals, solely by virtue of forwarding and deleting data in violation of company policy, had "exceed[ed] [their] authorized access" under the CFAA.
Both the Eastern District of Michigan and the Sixth Circuit were quick to disagree with the company's claims. The CFAA's aim, the Sixth Circuit explained, is to "penaliz[e] those who breach cyber barriers without permission, rather than policing those who misuse the data they are authorized to obtain." To hold otherwise would have "the odd effect of allowing employers, rather than Congress, to define the scope of criminal liability by operation of their employee computer-use policies."
Of course, the panel's decision is in tension with five other circuits and is far from the final word on the topic. The Supreme Court will have that say in Van Buren, a case that arose in the criminal context. There, Petitioner Nathan Van Buren was a police sergeant who ran a search through a police license plate database for a prohibited reason. He was supposed to run searches only for official law enforcement purposes but he nevertheless ran one in his personal capacity.
Whether the Supreme Court affirms Van Buren's CFAA conviction will have broad consequences for how website owners, employers, and prosecutors can pursue both criminal and civil computer hacking, fraud, and trade-secret cases. But one thing is already certain: Whatever the outcome of Van Buren, CFAA will remain a notoriously tricky statute to navigate.
*Nora Ellingsen contributed to this blog post. Ms. Ellingsen is a graduate of Harvard Law School and is employed at Arnold & Porter's Washington, DC office. Ms. Ellingsen is admitted only in California. She is not admitted to the practice of law in Washington, DC.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.