Supreme Court Narrows Scope of Anti-Hacking Law

The Supreme Court recently issued its first ever opinion interpreting the Computer Fraud and Abuse Act, 18 U.S.C. §1030. In issuing its opinion, the Court limited the scope of the Computer Fraud and Abuse Act and resolved a circuit split on the meaning of “exceeds authorized access” found in the statute. In a 6-3 opinion, Justice Amy Coney Barrett, in her first signed majority opinion, said the Court would not turn “millions of otherwise law-abiding citizens” into criminals if they violated their employer’s computer-use policies at work by using their computers to send personal e-mails, do online shopping, or plan a vacation.

At issue, the Court said, were so-called “inside hackers” who have legal access to a computer but exceed their authorized authority by using the information for unauthorized purposes. Adopting the government’s “breathtaking” interpretation of the phrase “exceeds authorized access,” the Court explained, would turn every violation of a computer-use policy into a criminal act.

The immediate beneficiary of the Court’s ruling was a former Georgia police sergeant, Nathan Van Buren. Van Buren was authorized to use the Georgia Crime Information Center database to check license plates as part of his job. He unwittingly found himself caught up in an FBI sting when he took a $5,000 payment from a man who claimed that he wanted to learn about a stripper he had just met. After using his official computer to perform the requested search, Van Buren was charged and convicted of violating the Computer Fraud and Abuse Act for exceeding his “authorized access.”

The Computer Fraud and Abuse Act was enacted in 1986, during the early stages of the internet. The statute imposes criminal or civil liability on any person who “intentionally accesses a computer without authorization” or “exceeds authorized access” and, in doing so, obtains information from a “protected computer.” The statute does not define the term “without authorization” but does define the term “exceeds authorized access” in a rather opaque way. Pleading a claim under the statute requires a plaintiff to allege that the defendant (i) intentionally accessed a computer, (ii) lacked authority to access the computer or exceeded authorized access to the computer, (iii) obtained data from the computer, and (iv) caused a loss of $5,000 or more during a one-year period.

Van Buren’s activities, the Court concluded did not satisfy these elements. Specifically, the Court held that the government did not satisfy the second element of proving that Van Buren “exceeded his authorized access” to the computer. Even though Van Buren obtained information from the law enforcement database “for an improper purpose,” he did so with authorization the Court concluded. According to the Court, an individual “‘exceeds authorized access’ when he accesses a computer with authorization, but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.”

Although the instant impact of the Court’s decision was on Van Buren’s conviction. The Court’s opinion has potentially sweeping implications for everyday life. Supporters of the government’s position argued in amici briefs that a narrow reading of the Computer Fraud and Abuse Act could protect those who accessed and released corporate secrets, or used the information for nefarious purposes. On the other end of the spectrum, those opposing a broader reading of the statute argued that a broad interpretation would “criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.” In adopting a narrow interpretation of the statutory language the Court resolved a split among the federal appellate circuits. The First, Fifth, Seventh, and Eleventh Circuits had previously interpreted the phrase broadly while the Second, Fourth, and Ninth Circuits had adopted the narrow interpretation.

The Court’s full opinion is available here.

Super Lawyers named Illinois complex business litigator Peter Lubin a Super Lawyer and Illinois business dispute trial attorney Patrick Austermuehle a Rising Star in the Categories of Business Litigation, Class Action, and Consumer Rights Litigation. Lubin Austermuehle’s Illinois business trial lawyers have over thirty years of experience litigating complex fraud, copyright, non-compete agreement, trademark and libel suits, class action, consumer rights, and many different types of business and commercial litigation disputes. Our Wilmette and Orland Park business dispute lawyers, civil litigation lawyers, and copyright attorneys handle emergency business lawsuits involving copyrights, trademarks, injunctions, and TROS, covenant not to compete, franchise, distributor and dealer wrongful termination and trade secret lawsuits, and many different kinds of business disputes involving shareholders, partnerships, closely-held businesses and employee breaches of fiduciary duty. We also assist Chicago and Wheaton area businesses and business owners who are victims of fraud. You can contact us by calling at 630-333-0333. You can also contact us online through our Contact Us page here.

Contact Information