‘Unauthorized Access’ Can Be Key in Computer Fraud Cases
February 11, 2021
As businesses in New York and elsewhere begin to enter a second year of partially or fully closed offices and of dealing with a workforce operating remotely, an issue that was top-of-mind for much of 2020 – computer security – should remain a key concern in 2021 and should not be overlooked or ignored.
In the past year, notorious data breaches by hackers and other malevolent external forces have been regular features in the news. More commonly, however, business data breaches are caused by internal actors, including employees and contractors who inappropriately access a company’s technology for their own or someone else’s purpose.
The Computer Fraud and Abuse Act (CFAA) was passed to provide civil and criminal remedies for certain types of damages caused by a breach of a company’s computer system. The CFAA clearly applies to breaches by outside actors, as it cannot be disputed that those individuals are not authorized to access a company’s computer system. Whether and to what extent the CFAA may be applied in other cases of arguably “unauthorized access,” particularly against business insiders such as employees who exceed their authority, is a question that has divided courts across the country and is currently before the U.S. Supreme Court. Van Buren v. United States, 940 F.3d 1192 (11th Cir. 2019), cert. granted (Apr. 20, 2020) (No. 19-783).
The CFAA
The ambiguity arises from the language of the CFAA and how that language evolved in the years since its passage. Nearly four decades ago, Congress passed the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, which included a new computer-crime prohibition codified in 18 U.S.C. § 1030. Section 1030 made it a crime to obtain national security information or financial records, or to use, modify, destroy, or disclose information on federal government computers, by “knowingly access[ing] a computer without authorization, or having accessed a computer with authorization, us[ing] the opportunity such access provides for purposes to which such authorization does not extend.” Notably, the law only prohibited access to computers operated by the federal government and certain financial institutions.
In 1986, Congress enacted the CFAA, which made several modifications to Section 1030. Among other things, it replaced the phrase “or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend” with the shorter clause, “exceeds authorized access.”
Almost a decade later, in 1994, Congress broadened the CFAA. It expanded the coverage of the provision covering unauthorized access to include access used to break the law. The 1994 amendment also created a new private right of action for entities that suffered damage or loss from a Section 1030 violation.
Section 1030 was again amended in 1996, when Congress passed the Economic Espionage Act of 1996 and created the first federal criminal laws punishing the theft and misappropriation of trade secrets, and then another time in 2008. Most significantly, the 1996 amendments extended the CFAA’s scope to any “protected computer,” which included not only federal or financial institution computers but also those used in interstate or international commerce or communication.
Currently, Section 1030(a)(2) is violated when a person intentionally accesses a computer without authorization or “exceeds authorized access.” The CFAA defines “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
Plainly, by its terms, the CFAA applies to a stranger who, lacking any access rights at all, violates the law by hacking into a computer. Such a bad actor may not be identifiable or may be outside the jurisdiction. However, the CFAA is also frequently used to redress the conduct of insiders, for example, when an individual with authority to access an entity’s computers or systems as a result of the individual’s employment does so for his or her own benefit or some improper purpose. In such cases, the issue becomes a bit more opaque as to who is authorized to access a computer and when that access “exceeds” authorization.
Court Rulings
The meaning of the “exceeds” requirement has been heavily debated and has divided the courts of appeals. Some courts, including the Second Circuit and New York federal courts, find the status of the individual dispositive. Under these cases, once granted access to the employer’s computer system for employment purposes, the employee’s use of that access does not become “unauthorized” regardless of the employee’s purpose. Only termination or resignation of the employee rescinds that authorization.
The leading decision in the Second Circuit is United States v. Valle, 807 F.3d 508 (2d Cir. 2015). In Valle, a police officer searched a police database for an individual’s personal information without any law enforcement purpose. The circuit court concluded that the officer had not exceeded his authorized access to the police department’s database, holding that the statutory requirement was met “only when [the defendant] obtains or alters information that he does not have authorization to access for any purpose which is located on a computer that he is otherwise authorized to access.” Valle was a criminal case, but courts in the Second Circuit have applied the Valle standard in civil cases.
For example, in Poller v. BioScrip, Inc., 974 F. Supp. 2d 204 (S.D.N.Y. 2013), the U.S. District Court for the Southern District of New York explained that the CFAA’s language did not provide support for the argument that authorization to use a computer was negated by an employee’s resolve to use the computer contrary to the employer’s interest, so long as that individual still technically possessed the right of computer access as part of his or her employment. In other words, exploitative or disloyal access to an employer’s computer did not render otherwise permissible access unauthorized within the CFAA’s meaning.
To the same effect is the Southern District’s decision in Apple Mortgage Corp. v. Barenblatt, 162 F. Supp. 3d 270 (S.D.N.Y. 2016). Here, after resigning, former employees continued to receive emails on their cell phones because the employer had not changed the codes on its computer system in the days following their resignations. The district court denied the former employees’ motion for summary judgment on the ex-employer’s CFAA claim, finding that there was “evidence that after the employees resigned[,] they accessed emails from the [employer’s] system on their phones and read, forwarded, or deleted emails,” meaning that there was “a triable issue of fact as to whether they acted ‘without authorization’ when they accessed, deleted, or forwarded these emails.”
The Fourth, Sixth, and Ninth Circuits, following the same standard adopted by the Second Circuit, also have held that a person who was authorized to access a computer did not exceed the authorized access by violating an employer’s restrictions on the use of information once it was validly accessed. See, e.g., Royal Truck & Trailer Sales and Service, Inc. v. Kraft, 974 F.3d 756 (6th Cir. 2020); WEC Carolina Energy Sols., LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009).
Conversely, decisions from the First, Fifth, Seventh, and Eleventh Circuits find the reason for the individual’s access to the computer to be dispositive of whether the conduct “exceeds authorized access.” These courts have read Section 1030’s statutory terms as encompassing situations where an employee had authorization to access company information but used that information in violation of company policy. See, e.g., United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); International Airport Centers, LLC. v. Citrin, 440 F.3d 418 (7th Cir. 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).
The Supreme Court
In Van Buren, the U.S. Supreme Court may resolve the debate as to the meaning of “exceeds authorized access” as used in the CFAA. The question before the Court: Does a person who is authorized to access information on a computer for certain purposes violate Section 1030 by accessing the same information for an improper purpose?
The case arose after a police officer in Georgia was charged with violating the CFAA by searching a woman’s license plate in a police database in exchange for a payment from a third party. Prosecutors asserted that the police officer was authorized to search the database as part of his official duties, but not in exchange for the payment.
A jury convicted the officer and he appealed to the Eleventh Circuit, which affirmed the officer’s conviction on the computer fraud charge, holding that a person with authority to access a computer could be guilty of computer fraud if that person subsequently misused it.
The circuit court reasoned that the evidence showed that the officer had accepted $6,000 to investigate a woman; that he searched what was supposed to be the woman’s license plate in the Georgia Crime Information Center database; that the database was supposed to be used for law enforcement purposes only; and that officers were trained on the proper and improper uses of the system. The circuit court concluded, therefore, that a jury could have found beyond a reasonable doubt that the officer had committed computer fraud for financial gain in violation of the CFAA.
Conclusion
On November 30, 2020, the Supreme Court heard argument in Van Buren and a decision is expected later this term. If the Court upholds the officer’s conviction, it may expand the ability of businesses to rely on the CFAA in the Second Circuit by extending liability to those who have some authority to access a computer system, but who exploit their access for an improper purpose. If, however, the Court reverses the Eleventh Circuit, the CFAA jurisprudence in the Second Circuit will likely remain as it is, and companies facing unwanted intrusions into their computer systems by insiders will continue to rely on other laws and causes of action for relief.
Reprinted with permission from the February 16, 2021, issue of the New York Law Journal. © ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.