On Monday, the United States Supreme Court heard oral arguments in Van Buren v. United States, a criminal case about a federal antihacking law that could have far-reaching implications for workers’ rights.
The case centers around Nathan Van Buren, a former Georgia police sergeant who was convicted of felony computer fraud in violation of the Computer Fraud and Abuse Act (CFAA). Van Buren was accused of extracting a $6,000 payment to run a license plate search to find out whether a strip club dancer was actually an undercover officer.
An Atlanta federal judge ruled in October 2017 that Van Buren violated the CFAA when he accessed the Georgia Crime Information Center for an improper purpose. Two years later, the Eleventh Circuit Court of Appeals upheld the CFAA conviction.
Passed in 1986, the CFAA was originally intended as an antihacking measure to prosecute cybercriminals. The Act, which provides both criminal and civil penalties, makes it unlawful for a person to knowingly access information on a computer without authorization—or exceeding authorized access—and in doing so, obtain anything of value.
At issue in the Supreme Court case is the “exceeds authorized access” language in the statute. The law defines it as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The ambiguity lies in the last seven words of this definition: does “not entitled so to obtain or alter” refer to information that a person is prohibited from accessing altogether, or does it refer to a person who has access to certain information but uses it for an unauthorized purpose?
Van Buren’s attorney, Jeffrey Fisher, argued that the latter interpretation “would brand most Americans criminals on a daily basis.” He gave the hypothetical example of an employee who used her employer’s Zoom account to connect with family during the Thanksgiving holiday, even though her employee handbook states that the account may only be used for business purposes.
Arguing for the U.S. government, Deputy Solicitor General Eric J. Feigin attempted to persuade the nine justices that “authorization” refers to specific permission granted on an individualized basis.
The justices seemed to agree that the CFAA attempted to address important concerns about employees’ misuse of sensitive personal data, such as stalking or selling personal information for a profit. However, Justice Sonia Sotomayor questioned whether these types of behavior could be prosecuted under other federal criminal statutes—a sentiment echoed by Justice Neil Gorsuch.
Justice Clarence Thomas seemed somewhat unconvinced by the petitioner’s argument, telling Fisher, “I don’t understand why you make the distinction between these two levels or ways that you can have or not have authorization.” Justice Amy Coney Barrett compared the petitioner’s interpretation of the CFAA to an “on/off switch” that fails to account for the scope of the authorization.
Fisher expressed concerns of constitutional vagueness if the CFAA were to be interpreted broadly, claiming that the law would criminalize wide swaths of computer restrictions outlined in service contracts, employee handbooks, course syllabi at universities or even instructions handed down orally. Feigin argued that the petitioner was relying on a “wild caricature” of the government’s position based on “hypothetical prosecutions that he can’t actually identify in the real world for seemingly innocent conduct.”
A significant portion of the hearing focused on the meaning of a two-letter word buried within the definition of “exceeds authorized access.” Fisher argued that the word “so” simply means information obtained “in the manner described,” which would be through a computer (as opposed to information obtained by some other means). Conversely, Feigin contended that the word “so” deals with the way in which such information was accessed, either with permission or without it.
Justice Elena Kagan pointedly asked Feigin, “you would concede, wouldn’t you, that if the word ‘so’ wasn’t there you would lose this case?” to which he replied, “I think it would be a much tougher case for us without the word.” Justice Brett Kavanaugh and Justice Barrett further pressed Feigin on this definition.
Justice Gorsuch generally appeared skeptical of the government’s position, adding that there appeared to be a broader pattern of conduct by the Department of Justice over the past ten years to significantly expand federal criminal jurisdiction. Feigin responded that the CFAA was designed to address the exact kind of misconduct at issue in the case.
Justice Samuel Alito expressed difficulty reconciling concerns about personal privacy with criminalizing a wide array of conduct that is generally considered to be innocuous, telling Feigin, “I find this a very difficult case to decide based on the briefs that we’ve received.”
The Circuit Split
The First, Fifth, Seventh and Eleventh Circuits have all adopted a broad interpretation of the CFAA that deems it unlawful for workers to use computers to obtain information for an improper purpose, even if they had authorization to use the computer. The remaining circuit courts use a narrower analysis: “exceeds authorized access” does not account for the employee’s subjective intent, but only considers whether the employee was granted permission to obtain the information in the first place.
In his petition to have the Supreme Court hear his case, Van Buren argued that “it is intolerable for a broad swath of conduct to be entirely innocent in parts of the country but to constitute a federal crime in others.”
There are two angles that the circuit courts have availed themselves of to impose a broader interpretation of the CFAA: the common law of agency and clauses in the employment contract.
For example, in International Airport Centers, LLC v. Citrin, the Seventh Circuit ruled that an employee who accessed his employer’s computer in order to further his own interests—against those of the employer—acted against his duty of loyalty. Therefore, in breaching loyalty, he was no longer authorized to access the records. This represents the agency theory, wherein an employee who once functioned with authority as an agent of their employer relinquishes that authority when they cease to act in the interest of the employer. While the Court deemed the employee to have accessed his work computer “without authorization” due to his breach of loyalty, it acknowledged that “exceeding authorized access” seemed a more appropriate description of the employee’s actions.
Similarly, the employment contract theory condemns employees who access computer data in an explicit violation of their employment contract. The Fifth Circuit applied the contract theory in United States v. John, wherein a Citigroup employee accessed customer account information which she then gave to her half-brother, who used the information for fraudulent purposes. The Court found that, due to the employee’s knowledge of employer policy, she could reasonably expect that an impermissible use of computer information means such conduct would exceed authorized access.
Other legal theories have been used to adopt a narrow interpretation of the CFAA. For example, in WEC Carolina Energy Solutions LLC v. Miller, the Fourth Circuit ruled that an employee who downloaded proprietary information for the benefit of his next employer did not violate the CFAA. The Court came to this decision by looking back at the legislative intent; the Act was passed as a criminal law to target hackers, and therefore should not be used to penalize every employee who uses a computer in bad faith, the Court argued.
A narrower interpretation also lends itself to the rule of lenity, a legal principle that states that any ambiguity in criminal statutes should be resolved in favor of the defendant. Fisher invoked the rule of lenity during Monday’s hearing, arguing that the Court should avoid interpreting any ambiguity in the law in such a way that would vastly expand federal criminal jurisdiction.
Impact on Employee Rights
Perhaps an unintended consequence of the CFAA is that it allows employers to sue their employees for civil damages if the employee obtained information on a company computer without authorization and caused the employer a loss of at least $5,000.
Should the Supreme Court uphold the Eleventh Circuit’s decision in Van Buren, such a ruling would severely limit employee rights beyond simple computer access.
For example, allowing employers to sue their employees who access information for an improper purpose would have a tangible chilling effect on whistleblowers—the exact opposite of what the legislature has shown to value. In the wake of the Enron scandal, Congress passed the Sarbanes-Oxley Act of 2002 (SOX) to encourage whistleblowing and protect employees of publicly traded companies from retaliation.
However, SOX requires employees to act lawfully in the collection and disclosure of information related to the supposed employer violation. This means, should the Supreme Court interpret the CFAA broadly, employers would have wide latitude to argue that an employee who used information on a company computer to report corruption did so unlawfully, and therefore would not be protected from retaliation under SOX.
This is especially deleterious to employee rights because SOX only protects those whistleblowers against criminal prosecution—so it does not protect from CFAA civil liability.
On July 8, 2020, the National Whistleblower Center filed an amicus brief in support of Van Buren, arguing that a narrow interpretation of the CFAA is needed to protect whistleblowers from retaliation and call out the potential obstruction of justice.
This exact scenario has played out in court: In Erhart v. BofI Holding, Inc., an internal auditor at a publicly traded holding company in California reported his employer for allegedly withholding information from the Securities and Exchange Commission. Erhart then filed a lawsuit alleging that BofI engaged in a pattern of retaliation against him, including by ultimately firing him. The company filed a countersuit against Erhart alleging that he violated the CFAA by using his company-issued laptop without proper authorization.
The District Court ruled in Erhart’s favor, reasoning that CFAA civil lawsuits in this context would do more harm than good, and would ultimately be used as a silencing device for employees worried about liability and the financial strain of a lawsuit.
A broad CFAA ruling would also limit an employee seeking information about their own claims of discrimination or unequal pay. In the Massachusetts Superior Court case Verdrager v. Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, P.C., an attorney who reported gender discrimination and retaliation searched her firm’s databases for documents related to her case and forwarded the relevant documents to herself and her attorney. The judge ruled that her actions did not violate the CFAA because she clearly had access to the document management system, even if her actions were perceived as disloyal.
A legal landscape in which an employee is unable to access documents related to her discrimination claims could impair her ability to hold her employer accountable, and even chill her decision to report the inappropriate behavior in the first place.
Understanding “exceeds authorized access” to mean something akin to “authorized but without employer-approved intent” could damage not only employment rights, but labor rights as well. In the Sixth Circuit case Pulte Homes, Inc. v. Laborers’ International Union, a labor union engaged in a phone and email blitz to protest an employee’s termination. The union allegedly bombarded the employer with calls and emails, ultimately disrupting the company’s email server and temporarily preventing the company from being able to conduct its business.
When the employer sued the union for a CFAA violation, the Court found that because the systems were open to the public, the union’s actions were authorized. A broad Supreme Court ruling, on the other hand, could limit union strategies in a way that could impact not only individual employee advocacy, but also collective bargaining and collective action as a whole.
While a broad ruling in Van Buren seems unlikely, companies will still be able to limit their employees’ computer usage at work and discipline offending employees as they see fit. Nevertheless, a broad ruling would enable employers to use the CFAA to seek civil and criminal penalties against their employees for a potentially massive range of computer activities; such a ruling would undeniably come at the expense of workers’ rights.