SCOTUS limits scope of cybersecurity law

The U.S. Supreme Court recently issued a ruling interpreting the scope of the Computer Fraud and Abuse Act (CFAA), a 1986 federal statute that imposes civil and criminal liability for unauthorized computer access. In short, the Court decided that as long as an individual is authorized to access a computer and data, he doesn't violate the CFAA's "exceeds authorized access" clause. In other words, his intended use for the computer and/or the data isn't relevant to whether he violated the statute. As a result, employers may need to reconsider their employee handbooks, policies, and procedures.

Facts

Police officer Nathan Van Buren was accused of computer fraud under the CFAA for accessing the department's computer database from his patrol car to obtain license plate information in exchange for financial gain.

As an officer, Van Buren was authorized to access the database for law enforcement purposes but not for other reasons. Therefore, he was charged under CFAA Section 1030(a)(2)(c) (and for honest services wire fraud) and convicted by a jury.

The U.S. 11th Circuit Court of Appeals, having previously adopted a "broad interpretation" of the CFAA, affirmed Van Buren's conviction. He then appealed to the Supreme Court.

Supreme Court's analysis

The CFAA defines "exceeds authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the (accessor) is not entitled so to obtain or alter."