On November 30, 2020, the United States Supreme Court heard oral arguments in Van Buren v. United States, which may resolve a circuit split on the extent to which the Computer Fraud and Abuse Act (CFAA) covers an employee’s alleged misappropriation of the employer’s information. Enacted in 1986, the CFAA imposes criminal penalties on a person who intentionally accesses a protected computer and obtains information “without authorization” or in a way that “exceeds authorized access.” The CFAA also creates a civil cause of action. The CFAA does not define “without authorization,” but it does define “exceeds authorized access” as “access[ing] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). That definition is front and center in Van Buren, which involves a police officer who disclosed information he obtained through a confidential database; the officer had access to a confidential database but only for law enforcement purposes.
Two main approaches have emerged to deal with a situation where a person has the right to access computer files but not for the allegedly improper purpose. The First, Fifth, Seventh, and Eleventh Circuits broadly interpret the CFAA as prohibiting using information on a computer in violation of a confidentiality agreement or for a prohibited purpose, even if the person otherwise has permission to access that same information. By contrast, the Second, Fourth, and Ninth Circuits interpret the statute more narrowly, like an anti-hacking statute, holding that improper use of information validly accessed does not violate the CFAA. The Supreme Court’s decision to resolve this circuit split is expected by the end of June 2021.