The United States Supreme Court has decided the case of Van Buren v. United States, holding that a person does not violate the Computer Fraud and Abuse Act (“CFAA”) by accessing information on a computer or network to which the person has lawful access even if they access the information for improper reasons. This is a huge win for everyday individuals because had this case been decided differently, potentially millions of people could have been subjected to criminal liability for violating their employers’ policies. As such, this decision acts as a check on the government from prosecuting behavior that is not inherently criminal.  

Van Buren v. United States

The defendant, a former police sergeant, worked for a Georgia police department. The defendant and his fellow officers were warned about a certain individual in town. This individual was known to police as “very volatile” and officers were told to be careful when around him. Despite these warnings, the defendant formed a personal relationship with him. Eventually, the defendant asked the individual for a personal loan. Unbeknownst to the defendant, this individual recorded his conversation with him and then took it to the local sheriff’s office where he complained that the defendant tried to “shake him down for money.” Eventually, the FBI obtained this taped conversation. 

The FBI then decided to run a sting operation on the defendant. They concocted a scheme where the defendant would run a license plate for the individual in exchange for $5,000. The defendant then used the state law enforcement computer database to search for this license plate. This would have violated his police department’s policy. After obtaining the FBI-created license-plate entry, the defendant then reached out to the individual. After he made this contact, the defendant was subsequently arrested and charged with a felony violation of the CFAA which subjects an individual to criminal liability to anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” The defendant proceeded by jury trial where he was found guilty of the aforementioned charge and sentenced to 18 months in prison. The defendant then filed a timely appeal with the Eleventh Circuit. 

The Eleventh Circuit’s Decision

On appeal, he argued that the CFAA’s clause that states “exceeds authorized access” applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they already have. The Eleventh Circuit disagreed with the defendant’s argument. The Eleventh Circuit held that the defendant violated the CFAA by accessing the law enforcement database for an “inappropriate reason.” Undeterred, the defendant filed a petition for certiorari with the United States Supreme Court. The Supreme Court agreed to hear his case. 

What is the CFAA? 

The CFAA subjects individuals to criminal liability to anyone who “intentionally accesses a computer without authorization or exceeds authorized access” and then subsequently obtains information based on this improper access. The statute defines the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” The CFAA applies to all information from all computers that connect to the Internet. In addition to criminal penalties, the statute also allows persons who suffered damages to sue the perpetrators for monetary relief. 

The U.S. Supreme Court’s Decision

The United States Supreme Court held that the defendant did not violate the CFAA. In making its decision, the Supreme Court first reviewed the plain language of the statute. The Court focused on the clause “exceeds authorized access” because that was the most relevant text in the defendant’s case. The Supreme Court held that an individual “exceeds authorized access” when he accesses a computer with authorization, but then obtains information located in a particular area of a computer that is off-limits to him. In other words, an individual only violates the CFAA when he accesses information that he was not entitled to obtain. An individual does not violate the CFAA if he accesses information, that he is otherwise entitled to access, but does so in violation of a company policy. The Government had argued for a much more expansive view of the statue. However, the Court rejected this interpretation because it would have allowed the government to prosecute individuals when they violated workplace policies. Consequently, the defendant’s conviction is reversed and his sentence is vacated.

Facing Criminal Charges? We Can Help. 

If you are facing criminal charges or under investigation by the police, we can help. We have successfully defended thousands of clients against criminal charges in courts throughout Pennsylvania and New Jersey. We have successfully obtained full acquittals in cases involving charges such as Conspiracy, Aggravated Assault, Rape, and Murder. Our award-winning Philadelphia criminal defense lawyers offer a free criminal defense strategy session to any potential client. Call 267-225-2545 to speak with an experienced and understanding defense attorney today.