Yesterday, the Supreme Court resolved a circuit split on the scope of the Computer Fraud and Abuse Act of 1986 (CFAA) in a decision that emphasizes the importance of how organizations manage access to their systems. Employees with access to information at work sometimes access that information with improper motives, and in violation of office policies. This inappropriate use of access has led to federal criminal prosecution for some. In Van Buren v. United States, No. 19-783, the United States Supreme Court held that the CFAA is not properly applied to justify those prosecutions.
Nathan Van Buren was a police officer who accepted $6,000 from Andrew Albo, a participant in an FBI sting operation, to search a police database to determine whether a woman Albo professed interest in was an undercover police officer. Van Buren ran a search for the woman’s license plate in the Georgia Crime Information Center database. For doing so, Van Buren was charged and convicted of violating the CFAA, because he had “exceeded” his authority to access that database.
The CFAA makes it illegal “to access a computer without authorization or [to] exceed[] authorized access.” Exceeding authorized access is defined in the statute as “[accessing] a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. 1030(a)(2).
The Court held that “exceed[ing] authorized access” under the statute is limited to instances where an individual accesses information to which he or she was not granted access, and does not extend to instances where information is accessed for an improper purpose. The Court’s reasoning was partially based on a concern that the latter interpretation could criminalize a breathtaking amount of commonplace activity that technically violates workplace policies, such as sending personal emails or watching a basketball game on a work computer during the NCAA Tournament.
The practical result of the Court’s holding is that a user who has been granted access to a resource cannot face liability under the CFAA simply for accessing that resource for an improper purpose. To face liability, a user must access a resource to which he or she has not otherwise been granted access. Thus, a payroll employee will not be exposed to liability under the CFAA for accessing a company payroll database to which he or she already has access in a manner that violates company policy. Instead, the payroll employee would have to break into a database to which he or she had not been granted access, or potentially steal the credentials of another employee who did have access.
The Court’s holding also suggests that its interpretation of the CFAA is equally applicable for civil actions brought under the CFAA’s private right of action. Under the interpretation of the CFAA rejected by the Court, an organization could potentially bring an action under the CFAA in a situation where a contractor that was legitimately granted access to a resource at the organization maliciously deleted data on that resource. The Court’s holding in Van Buren forecloses that option.
Van Buren emphasizes the importance of proper user access control practices, as liability under the CFAA does not extend to situations where users misuse the access they are granted. Users should only be granted access to the resources they need to perform their job functions and should not be granted access to anything beyond that. Organizations should also never have shared accounts. If a user needs access to a resource, that user should have his or her own account. Segmenting access limits an organization’s exposure to potential misuse of data. Further, terminated and departing employees should have all of their access rights revoked immediately upon their departure.
Organizations should also take care to fully vet vendors before they are given access to organization resources. Like users, vendors should only be given access to the resources necessary to perform the functions for which they were hired. Each individual working for a vendor should have their own credentials and not be allowed to share them with others. At the end of a vendor’s work, all access for the vendor should be revoked.
While laws such as the CFAA provide some form of deterrence to improper access, they only provide companies with recourse after a breach occurs. Organizations should take proactive measures such as limiting user access to protect themselves before they are in a position to cooperate with law enforcement on a potential CFAA prosecution or to bring a private action under the statute.