Supreme Court Poised To Decide Scope of Federal Hacking Law: Implications for Businesses & Employees

May 8, 2021

For more than 30 years, the federal computer hacking statute has been used by companies to sue employees (and former employees), competitors and even customers and users who violate their rules on the use of computers, computer databases and data gleaned from computers. In the next few weeks, the U.S. Supreme Court will decide whether these lawsuits (and criminal prosecutions) are what Congress intended when it passed the hacking law in the early 1980’s. At issue is the concept of “exceeding authorization to access” a computer – a vague and ambiguous term used in the statute to criminally prosecute hackers who, although marginally “authorized” to use a computer or service, extend that use to do things like destroy data, perpetuate viruses or steal personal information. The same language, however, has been used by employers to sue departing employees who use their legitimate user ID’s and passwords (authorized access) to download things like customer data, client contacts or other information that they intend to use to (allegedly) improperly compete with their employer – or to “exceed” their authorization with respect to the data. The hacking law has also been used by companies to enforce restrictions on the use of otherwise “public” data on their websites — such as price comparisons by consumers or third parties, data “scraping” of useful information which is then represented by the competitor, or simply violating a company’s terms of service or terms of use. While any of these things might be actionable (as say, unfair competition, trespass to chattels, breach of contract), companies have turned to the hacking law’s provisions to get compound damages, injunctive relief and most importantly, to get into federal court. The Supreme Court is poised to decide whether this is what Congress intended in the early 80’s.

Computer Crime Law Background

The statute, the Computer Fraud and Abuse Act, (CFAA) Title 18 USC 1030 was passed in 1984, and amended several times since then to fill a gap in then-existing law; if you “broke into” a home, an office or a business, you were guilty of burglary and trespass. If you “stole” documents or “damaged” property, you could also be prosecuted for theft or destruction. But with computers (and dial-up modems), the concepts of “trespass” and “burglary” and even of “theft” or “damage” were imperfect analogies. At the end of the day, what we call “computer crimes” are, in reality, crimes against information – its confidentiality, its availability and its integrity. Unlike the theft of a car or a horse, when data is “stolen,” it is still where it belongs. When digital data is “damaged,” it may simply be locked or inaccessible. When a computer system is “damaged,” the hardware and software may be functioning perfectly well. So Congress, first in 1984 and again in 1986, attempted to “fill the gap” created by the new technology, and passed a comprehensive but imperfect computer crime law.

The computer crime law focused on several types of possible mischief. Computer “trespass,” theft of certain classes of protected information (e.g., national security information, federal banking and credit information, trade secrets), damage and destruction of computers, networks and databases (viruses, worms, denial of service and disruption), and trafficking in “counterfeit access devices” — stolen passwords, tokens, etc. The statute was modified to include not simply “unauthorized access” to computers or databases, but also included “exceeding authorization” to access a computer. Another modification included expanding the scope of the types of information protected under the computer crime law to include “any information” on a computer.

The statute has both criminal and civil provisions. Under the criminal provisions, a United States Attorney may prosecute violations of the law either as a misdemeanor (trespass) or a felony (theft, damage, destruction), although some misdemeanors become felonies depending on the circumstances (e.g., “trespass” with intent to commit tortious conduct — including the “tort” of trespass). In one infamous case, a woman was prosecuted under the felony provisions of the statute for creating a MySpace page under a fictitious name (in violation of MySpace’s rules) to harass her daughter’s estranged friend (who ultimately committed suicide). The government’s theory in that case was that the defendant’s “access” to MySpace “exceeded authorization” since the rules required users to provide “accurate” information when opening an account.

What Did Congress Intend?

One of the results of the changes in the hacking law is that people who simply violate the terms of an online agreement — a Terms of Service, a Terms of Use, a privacy policy, an Acceptable Use policy, a Software License Agreement or even employment agreements or HR policies, run the risk that this “violation” renders their “access” to the computers, databases, networks or data to be either “unauthorized” or “exceeding authorization.” In addition, the federal computer crime law, while written as a criminal statute, also includes a so-called private right of action. This means that individuals can sue others for exceeding their authorization to access (use) computers or electronic data. And they have. In one case, employees of executive search firm Korn Ferry left the company but not before they downloaded data they thought might be useful in their future endeavors. The prosecutors alleged that the employees exceeded their authorization to access Korn Ferry’s computers in order to obtain information – a felony under the statute. The federal appeals court in California noted that “The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute… If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions — which may well include everyone who uses a computer — we would expect it to use language better suited to that purpose.” In another case, the statute was used in a civil context against a company that “scraped” public data from LinkedIn in a way that violated LinkedIn’s online agreement which prohibited such online scraping.

It’s not clear that this is what Congress intended when it passed an anti-hacking law.

In the case to be decided by the Supreme Court, a Georgia police officer, using his own credentials, accessed the Georgia online police database, not as specified in the user agreement “for authorized law enforcement purposes” but to look up criminal records and rap sheets for people he was paid by a third party to look up. Clearly a violation of policy, and maybe prosecutable under some law, but is it “hacking?” While the police officer’s access to the database was both lawful and authorized, it was his subsequent use and dissemination of the data obtained as a result of the lawful access that was prohibited. The Court will look to the language and history of the statute, its purpose and intent, and may give the law either an expansive or restrictive interpretation.

If the high court rules expansively, then virtually any violation of an agreement which involves electronic data, network access or online databases can be the subject of a CFAA lawsuit or criminal prosecution. A company “acceptable use” policy which prohibits “abusive” language in emails can be used to sue an employee for hacking when they “exceed [their] authorization to access [use]” the email system in violation of the policy. Companies that are granted access to cloud services, databases or networks but agree on how they will use or secure that data are not only subject to breach of contract damages if they fail to live up to their contractual obligations, but can be sued or prosecuted for hacking. And users of social media who run afoul of policies face not only “Facebook jail” but real jail as well.

The case is United States v. Van Buren, Supreme Court Dkt. No. 18-12024 and was argued before the high Court on Nov. 30, 2020. As the Court’s term ends at the end of June or early July, we can expect a ruling before then.

If you have questions about the case or its potential implications, please reach out to Mark Rasch at mdr@kjk.com or 301.547.6925.