And so the story goes like this: Bob was a policeman who was approached by a friend of his with a proposition.
“I need you to check on the criminal background of a possible business partner of mine,” says the friend, and hands Bob $5,000 in payment.
Excited about how the money would help pay for his upcoming Las Vegas getaway, Bob goes to his station, logs in using his login ID and passcode, searches for the name of the individual and pulls up a criminal record. He prints the information out, puts it into an envelope, and hands his friend the envelope.
Meanwhile, back at the station, Police Chief Pete sees that a computer file has been left open, displaying the name and data of Bob’s search. Well, it takes little time for Chief Pete to find out that Bob had entered the station’s computer network.
The next day, Chief Pete confronts Bob, who admits to performing a search on an individual concerning whom there were no charges or investigation pending. After some prying from Chief Pete, Bob finally admits to performing the search for $5,000.
Bob is in big trouble. Not only is he fired, but he is later charged criminally with hacking the station’s computer under the Computer Fraud and Abuse Act of 1986 (CFAA). Facing fines and potentially significant jail time, Bob hires an attorney to defend him. His counsel argues that Bob may not have been right in logging into the station’s computer, but that he was not only authorized to access the network but also had ready access to the information he allegedly stole, and so was not in violation of the CFAA.
While I changed the names and played with the fact pattern a bit, the case of Police Officer Bob was essentially the case decided, in June 2021, by the U.S. Supreme Court in Van Buren v. United States. In the Van Buren case, the decision could not have turned on a more sleep-inducing issue—the definition of “exceeds authorized access,” which reads as follows: “Exceeds authorized access means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” (Italics Added). The actual debate between counsel and court was over the meaning of the arcane word duo “so to.” But as is sometimes the case, significance can emerge from the seemingly trivial, and so it was in Van Buren.
To backtrack a bit, the CFAA has been amended several times since its enactment more than 30 years ago, its scope expanding with each amendment. Significantly, the statute provides not only for criminal penalties but also for civil liability where a party incurs economic losses of at least $5,000.
What the Court held was that although Bob engaged in underhanded behavior, he did not hack the police station’s network because he was, technically, authorized to access the information he purloined, although he may not have been authorized to use his access in the way that he did. According to the Majority Opinion, the outcome would have been different had Bob used his access to the station’s computer network to invade a portion of the network to which he was barred from access.
For employers, Van Buren has import because if employees can use their credentials to steal information readily accessible to them on an employer’s network, the employer may no longer have a claim to assert under the CFAA.
To step back, in my last article on the “10 Things to Consider When Creating a Trade Secrets Program,” one recommendation was that trade secrets should be segregated from non-sensitive information so that the owner can argue that reasonable measures were taken to keep trade secrets secret. After Van Buren, this recommendation is now also valid when it comes to protecting any information that is owned and/or controlled by the employer. It is now advisable that only a limited number of reliable employees be given open-ended access to information available on a network and that less reliable employees, like Bob, should be restricted altogether from being able to access certain parts of the network or allowed to access them based only on a more restrictive access protocol.
All this said, we should not forget that the CFAA is not the only remedy available to employers who have been hacked by employees. As we have discussed in the past, employers can sue for civil damages under various constructions of contract, state misappropriation, and trade secrets law, but the question now is whether one of the more potent weapons against computer hacking historically will continue to be a deterrent against hackers and unscrupulous employees and contractors or if, after Van Buren, it has been left, as Shakespeare penned, full of sound and fury, signifying nothing.