Supreme Court Chooses Narrow Interpretation of CFAA in Van Buren v. United States

The U.S. Supreme Court issued a decision Van Buren v. United States1 on June 3, 2021 that has broad implications for technology companies writ large. With its decision, the Court has restricted the scope and application of the Computer Fraud and Abuse Act2 (“CFAA”) and has set the stage for a significant shift in how companies operate and how they maintain data.

Congress passed the CFAA in 1986 as a federal computer trespass statute designed to prohibit hacking. The statute provides both criminal and civil remedies for whoever “intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains . . . information from any protected computer.”3 The CFAA does not define the terms “access” or “authorization” but does define “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”4

Courts have split in their interpretation of the definition for “exceeds authorized access.” Some courts have held that the phrase referred to particular files or databases that one is not authorized to access; other courts construed the law more broadly to refer to the purpose for which one is authorized to access the computer.5

Over the years, critics of the broader definitional approach to the CFAA have pointed to what they derided as arbitrary and perverse results in both criminal prosecutions and civil enforcement, and in particular, they raised concerns about the CFAA’s application to alleged terms-of-service violations. This law and the specter of arbitrary enforcement have been particularly problematic for technology companies.6  Attempts to invoke the civil prong of the CFAA in the business-to-business context have had mixed results as well and have led to marketplace confusion.7

The Van Buren decision, written by Justice Barrett and with a majority composed of both conservative and liberal justices, endorses the narrow interpretation of “exceeds authorized access.” The Court held that the CFAA does not cover individuals who obtain information with improper motives if the information is otherwise available to them. The CFAA prohibitions on illegal access cover “those who obtain information from particular areas in the computer–such as files, folders, or databases–to which their computer access does not extend.”8

This means that individuals who may access a system are entitled to obtain information if their access extends to that information, regardless of improper purpose or use, without violating the CFAA. Violations of the CFAA are limited to accessing information that is otherwise off-limits to the individual. Although the opinion endorses a gates-up-or-down inquiry, the Court did not address whether such an inquiry turns only on technological limitations to access or looks to limits contained in contracts or policies. However, since the court abrogated EF Cultural Travel BV,9 it appears contractual limitations will no longer give rise to civil liability under the CFAA.

While a complete analysis of the potential impact of Van Buren is certainly yet to come, entities should review the decision in light of their current practices to determine whether operations or compliance programs should be evaluated.

1 No. 19-783, 2021 WL 2229206 (U.S. June 3, 2021)
2 18 U.S.C. § 1030.
3 18 U.S.C. § 1030 (a)(2).  
4 18 U.S.C. § 1030(e)(7).
5 See United States v. Valle, 807 F.3d 508, 524 (2d Cir. 2015).
6 See United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009) (prosecuting cyberbullying that led to a 13-year-old’s suicide, under CFAA for violations of MySpace’s terms of service by creating a fake account); United States v. Swartz, 945 F. Supp. 2d 216 (D. Mass. 2013) (prosecuting an MIT student, who later committed suicide, for creating and using a program to rapidly download JSTOR articles, which he was permitted to access on the MIT campus).  
7 Compare Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1067 (9th Cir. 2016) (“[A] violation of the terms of use of a website–without more–cannot establish liability under the CFAA.”); United States v. Nosal (Nosal I), 676 F.3d 854, 862 (9th Cir. 2012) (“We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty.”) with EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-84 (1st Cir. 2001) (holding that violations of confidentiality agreements or other contractual restraints could give rise to a claim for unauthorized access under the CFAA).
8 Van Buren, No. 19-783, slip op. at 3.
9 274 F.3d 577 (1st Cir. 2001).