On April 20, 2020, the Supreme Court granted cert in Van Buren v. United States, to resolve an important circuit split over the meaning of “authorized access” under the Computer Fraud and Abuse Act (CFAA). This is the Court’s first foray into analyzing the precise contours of CFAA liability. Van Buren may have far-reaching implications for any individual or business operating in the digital domain, as the scope of civil and criminal liability under the CFAA can impact just about any sort of relationship involving access to computer systems, whether it be employer-employee relationships or third-party relationships.

The CFAA was enacted in 1986 as a first-of-its-kind statute designed to combat computer-related crimes, and has become an important and powerful tool for not only for the government but any business seeking to protect its intellectual property and computer systems. The CFAA imposes criminal liability on any person who “intentionally accesses a computer without authorization” or “exceeds authorized access” and, in doing so, obtains information from any protected computer. The CFAA also provides a civil cause of action for similar conduct. See 18 U.S.C. §§ 1030(a)(2), 1030(a)(4), 1030(a)(5)(B)-(C).
Continue Reading “Authorized Access”: The Supreme Court’s First Foray Into The Computer Fraud and Abuse Act

Another court has rejected the broader interpretation of the Computer Fraud and Abuse Act (“CFAA” or “the Act”) as applying to employees who exceed their authorized use.  A recent decision in Minnesota highlights the issue of whether the Act imposes civil liability on employees who have permission to access their employers’ data, but do so with a wrongful purpose.  See TripleTree, LLC v. Walcker No. 16-609, 2016 WL 2621954 (D. Minn. May 6, 2016).

The court considered this question in the context of a trade secrets case.  A former employee of TripleTree, an investment banking company, was discovered to have accessed the Company’s confidential information and to have engaged in a series of suspicious activities just prior to leaving the Company for a competitor.  Id. at *1.  TripleTree filed claims against its former employee for, among other things, violating the CFAA and the Minnesota Uniform Trade Secrets Act.  Id. at 2. 

The court sua sponte considered whether it should dismiss TripleTree’s CFAA claim.  Id. at *3.  The CFAA sanctions a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains  . . . information from a protected computer.”  18 U.S.C. § 1030(a)(2)(c).  Any person who suffers from a violation of the Act may bring a civil claim for damages.  18 U.S.C. § 1030(g).  As an employee of TripleTree, the Defendant was permitted to access the Company’s confidential information.  The court considered whether the Defendant’s malicious intent in accessing the information transformed an otherwise lawful act (using the Company’s computers) into a violation of the CFAA.Continue Reading Recent Case Highlights Circuit Split on Important Computer Fraud and Abuse Act Question