U.S. Supreme Court Takes Case About Computer Fraud and Abuse Act
On April 20, 2020, the U.S. Supreme Court agreed to hear Van Buren v. United States, a case in which a police officer used the credentials he had been issued to run a search in a law enforcement database for his own, non-law-enforcement purposes. He was prosecuted under the federal crime of accessing a computer in excess of his authorization – in effect, computer trespass. The federal CFAA (Computer Fraud and Abuse Act, 18 U.S.C. 1030) not only prohibits traditional “hacking” – that is, accessing a computer without authorization – but also prohibits using a computer in a way that “exceeds authorized access.” Similarly, Ohio’s computer crime statute, Ohio R.C. 2913.04, makes it a crime to access a computer “beyond the scope of the express or implied consent of, the owner of the computer…” The phrases “exceeds authorized access” and “beyond the scope” of consent are broad and ambiguous, and they run the risk of exposing employees to criminal liability for violating language in a company handbook or an HR manual.
Corporate Employee Context
It is not unusual for companies that provide employees with access to company resources – computers, email accounts, databases, or other electronic resources – to require that employees and others use that access exclusively for “legitimate” business purposes. Sometimes, departing employees attempt to take information which they had lawful access to as employees, but which the employer has expressly or impliedly restricted them from taking. This is usually customer lists, formulas, confidential plans, business forms and other sensitive information that is protected either as a company “trade secret” or through an employee non-compete or non-solicitation agreement. Even if an employee takes data improperly (that is, in violation of an agreement not to compete, not to solicit, or not to misappropriate a trade secret), does that render the employee’s “access” to the corporate computer or database “unauthorized” and therefore a crime? Put differently, the question is whether an employee who accesses a company’s electronic resources not to do the company’s work but for their own, possibly nefarious, personal purposes is committing the criminal offense of computer trespass.
We obviously do not condone stealing proprietary information, or breaching enforceable and binding agreements, but does the CFAA mean that a person who violates a company policy is guilty of criminal trespass? Does an employee who watches a Browns or Bengals game on their work computer in violation of the corporate “computer use” policy “exceed” their authorization to access a computer?
The CFAA – which also contains civil damage provisions and remedies – is frequently used by companies to enforce computer use restrictions, typically against departing employees. In one such case, an employee of the executive search firm Korn Ferry International used his credentials as an employee first – and after termination, as a contractor – to essentially “steal” data from his former employer. The federal appeals court for California (the Ninth Circuit) ruled that those actions did not constitute “exceeding authorized access,” distinguishing between being entitled to “access” the data and being authorized to later “use” that same data. Other federal courts have read the statute more broadly, and this is the question the Supreme Court has agreed to resolve in Van Buren.
Trespassing on Publicly Available Data
Van Buren may determine other rights of companies as well. Can a company lawfully restrict access to “public” databases? Can Facebook keep other companies from downloading users’ profiles and pictures and, for example, selling a facial recognition database built from them? Can LinkedIn keep competitors from “scraping” and mining data it spends millions of dollars to create? Can eBay keep competing sites from scraping data from its auctions and creating a “super” auction site that combines data from multiple auctions? What does it mean to access a computer in excess of authorization? A related case, hiQ Labs v. LinkedIn, which addresses the authority of a website operator under the CFAA to exclude a competitor from accessing or using publicly accessible data, is also pending before the Supreme Court, but review has not yet been granted.
The problem is not unique to computers. By way of analogy, Ohio R.C. 2923.126(C)(3)(a) provides that a store can post a “no firearms” sign and that “a person who knowingly violates a posted prohibition of that nature is guilty of criminal trespass.” On that reasoning, violating a written prohibition means that you are either accessing without authorization or exceeding the scope of your authorization, and are therefore trespassing. But should every violation of unread website terms, or of a provision tucked into an employee handbook, act as a trap for the unwary?
Recommendations to Companies
Van Buren, and possibly hiQ, have significant potential consequences for the remedies available to companies when employees or outsiders “abuse” their access to databases. A decision in Van Buren may be handed down by the Supreme Court as soon as the end of July.
In the meantime, here are a few things we recommend:
- Don’t write policies which simply state that an employee has no “expectation of privacy” at work or on work electronic resources; instead, obtain the employee’s consent to have their computer, email, and network activity monitored in properly tailored – and actually listed – circumstances;
- Make sure that employees reasonably know what is expected of them and what is permitted with respect to access to and use of corporate-owned, leased and operated hardware, software and, most importantly, data;
- Make sure your computer use and data access policies are clear and up to date. Many older policies may fail to prohibit activities that you want to restrict, and more significantly, may restrict activities that you actually permit;
- Adapt your computer use and data access policies to changing circumstances. Particularly in light of the COVID-19 pandemic, many employees are working remotely from devices which may or may not meet the requirements outlined in pre-COVID policies. We recommend that you revisit your remote work policies particularly as they apply to Bring Your Own Device (BYOD) and Mobile Device Management (MDM) plans;
- Apply your policies in a firm but flexible manner, and recognize that not all violations will have the same impact;
- Segregate data (for example, through separate logins for separate systems and access limited to what each role actually needs) and deploy meaningful multifactor authentication (MFA), so that the technical controls match the access your policies actually grant;
- Monitor network and data access responsibly and consistent with a network monitoring policy;
- Clearly establish employee, contractor, and third party expectations with respect to data privacy, data and access monitoring, and data use, and obtain express or implied consent consistent with the laws in the jurisdictions in which you or your employees operate.
KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred to without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the author and do not necessarily reflect those of KJK.