Supreme Court Limits Reach of Computer Fraud and Abuse Act in Employment

Author: David B. Weisenfeld, XpertHR Legal Editor

June 3, 2021

An individual does not violate the Computer Fraud and Abuse Act (CFAA) by using their authorized database access for improper motives, the Supreme Court has ruled. The CFAA has been used by some employers against employees who steal, interfere with or misuse company computer files.

The case of Van Buren v. United States involved a police officer who used his patrol-car computer to access a law enforcement database in exchange for money, but the justices showed concern for the potentially broader workplace ramifications.

The government's interpretation of the CFAA would attach criminal penalties to a "breathtaking amount of commonplace computer activity," wrote Justice Amy Coney Barrett for the 6-3 Court.

An employee exceeds authorized access to a computer, Justice Barrett noted, by accessing files, folders or databases that are off-limits to him. In this case, there was no dispute that the officer had authorized access to the database as part of his job.

Under the government's interpretation of the law, an employee might lawfully pull information from Folder Y in the morning for a permissible purpose - such as to prepare for a business meeting, the Court explained, but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purpose, such as helping draft a resume to submit to a competitor employer. But the majority rejected that reasoning.

Justice Barrett wrote that those who intentionally use their computers in a way their job prohibits, by checking sports scores or paying bills at work, could have been subject to criminal penalties had the Court reached a contrary result.

"Employers commonly state that computers and electronic devices can be used only for business purposes," said Justice Barrett. "On the government's reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA."

But in dissent, Justice Clarence Thomas countered that while the officer had permission to access the law enforcement database to check a license plate, he was not entitled to obtain that information for an improper purpose. Justice Thomas also used a few real-world examples to illustrate.

"An employee who is entitled to pull the alarm in the event of a fire is not entitled to pull it for some other purpose, such as to delay a meeting for which he is unprepared," wrote Justice Thomas.

"An employee of a car rental company may be 'entitled' to 'access a computer' showing the GPS location history of a rental car and use such access to locate the car if it is reported stolen," he added. "But it would be unnatural to say he is 'entitled' to 'use such access' to stalk his ex-girlfriend."

However, the Supreme Court's ruling will make it more difficult to criminalize certain violations of employer computer use policies under the CFAA.