In a 6 to 3 ruling, the United States Supreme Court has limited the scope of the Computer Fraud and Abuse Act or CFAA.
Background on the CFAA
First, some background on the law: The CFAA was signed into law in 1986. It’s real purpose was to prevent hackers from breaking into secured computer systems. There is a classic 80’s movie called War Games. In War Games, Matthew Broderick hacks into a military supercomputer and almost starts World War III. That is what the CFAA was really all about. The CFAA is both a criminal and civil statute.
Authorized Users and Unauthorized Access
In the 30+ years since its passage, the CFAA has spawned a massive amount of litigation in both the criminal and civil arenas. Some of these cases align with the true purpose of the CFAA: to prevent hacking and cybercrime. But many of these cases involved authorized users exceeding the scope of their authorization. A great example: US v. Aaron Swartz. Swartz was a computer programmer and Harvard Research fellow. He created a program that allowed him to mass download articles from an academic database called JSTOR. Swartz did have a JSTOR account and was an authorized user. But he violated JSTOR’s terms of use by running a program that would automatically download large volumes of materials.
There is a clear distinction between someone hacking into a computer system for nefarious purposes and someone downloading too many academic articles from JSTOR. But the feds did not care. They indicted Swartz for wire fraud and violations of the CFAA. Facing economic ruin and 30+ years in jail, Swartz committed suicide.
Swartz is probably the most egregious and tragic example of misuse and abuse of the CFAA. But the CFAA has also been widely abused in the civil context. There are hundreds of examples of corporate plaintiffs suing employees and consumers for breaching acceptable use policies or terms of use. Companies have gone so far as to sue employees under the CFAA for using Facebook and checking personal email while using work computers. All of this crystalizes the issue: Does accessing a computer system for unapproved purposes constitute “access without authorization” or “exceeding authorized access”? The Supremes said no.
The Supreme Court’s Ruling: A (Sort of) Bright Line
Mindful that CFAA had been misused and abused to punish all sorts of relatively innocent computer conduct, the Court attempted to create a bright line: Gates up or gates down. If someone is authorized to enter a particular computer or a particular database within a computer, and they do so, that is not a violation of the CFAA. Rather than considering what the person does with the data or why they accessed the data, the Court focused solely on whether or not they had authorized access to that universe of data.
Does this help clarify the law and rein in abuse of the CFAA? Yes. Does it completely resolve the issue? No. Of course not.
My Takeaways
The CFAA can no longer be used to impose civil or criminal liability for a violation of terms or service or terms of use. That’s a win. But consider how twisted this whole CFAA mess has been: The CFAA was poorly drafted to begin with. Overzealous prosecutors have abused the statute for decades. Corporate plaintiffs have used the statue to bully departing employees who may have emailed themselves some documents. Countless lives have been ruined. Some people are dead. And it has taken the courts 35 years to correct this fairly obvious legislative error. That is a poor reflection on the American legal system.
Unfortunately, we have yet to learn our lesson. I say this because Florida just passed the updated Combatting Corporate Espionage in Florida Act. This is basically the CFAA debacle 2.0, but at the Florida level. This new Florida law creates a new 2nd degree felony (15 years in jail) for “trafficking in trade secrets”. Given the long history of corporate plaintiffs in Florida filing frivolous trade secret cases, I expect an uptick in criminal prosecutions of departing employees who, e.g., forwarded themselves some documents or took the mythical “customer list” (of customers that anybody can find on Google in 10 minutes).
Jonathan Pollard is a Florida attorney who litigates complex and high stakes non-compete and trade secret cases. He has appeared in or on The New York Times, Wall Street Journal, PBS NewsHour, Law360, Litigation Commentary & Review, IP WatchDog, Inc. Magazine and more. His Fort Lauderdale office can be reached at 954-332-2380.