Hacking Not Allowed? The U.S. Supreme Court Rules on the Computer Fraud and Abuse Act

Hacker at computer seeking trade secrets

And, so the story goes like this: Bob was a policeman who was approached by a friend of his with a proposition.

“I need you to check on the criminal background of a possible business partner of mine,” says the friend, and hands Bob $5,000 in payment.

Excited about how the money would help pay for his upcoming Las Vegas getaway, Bob goes to his station, logs in using his login ID and passcode, searches for the name of the individual and pulls up a criminal record. He prints the information out, puts it into an envelope, and hands his friend the envelope.

Meanwhile, back at the station, Police Chief Pete sees that a computer file has been left open, displaying the name and data of Bob’s search. Well, it takes little time for Chief Pete to find out that Bob had entered the station’s computer network.

The next day, Chief Pete confronts Bob, who admits to performing a search on an individual concerning whom there were no charges or investigation pending. After some prying from Chief Pete, Bob finally admits to performing the search for $5,000.

Bob is in big trouble.  Not only does he end up being fired but is later charged criminally with hacking the station’s computer under the Computer Fraud and Abuse Act of 1986 (CFAA).  Facing fines and potentially significant jail time, Bob hires an attorney to defend him. His counsel argues that Bob may have not been right in logging into the station’s computer, but that he was not only authorized to access the network, but also had ready access to the information he allegedly stole so was not in violation of the CFAA.

While I changed the names and played with the fact pattern a bit, the case of Police Officer Bob was essentially the case decided, in June 2021, by the U.S. Supreme Court in Van Buren v. United States. In the Van Buren case, the decision could not have turned on a more sleep-inducing issue—the definition of “exceeds authorized access,” which reads, as follows: “Exceeds authorized access means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” (Italics Added). The actual debate between counsel and court was over the meaning of the arcane word duo “so to.”  But as is sometimes the case, significance can emerge from the seemingly trivial, and so it was in Van Buren.

To backtrack a bit, the CFAA has been amended several times since its enactment more than 30 years ago, its scope expanding with each amendment.  Significantly, the statute not only provides for criminal penalties, but also civil liability for economic losses incurred by a party of at least $5,000.

What the Court held was that although Bob engaged in underhanded behavior, he did not hack the police station’s network because he was, technically, authorized to access the information he purloined, although he may not have been authorized to use his access in the way that he did. According to the Majority Opinion, the outcome would have been different had Bob used his access to the station’s computer network to invade a portion of the network to which he was barred from access.

For employers, Van Buren has import because if employees can use their credentials to steal information readily accessible to them on an employer’s network, the employer may no longer have a claim to assert under the CFAA.

To step back, in my last article on the “10 Things to Consider When Creating a Trade Secrets Program,” one recommendation was that trade secrets should be segregated from non-sensitive information so that the owner can argue that reasonable measures were taken to keep trade secrets secret.  After Van Buren, this recommendation is now also valid when it comes to protecting any information that is owned and/or controlled by the employer. It is now advisable that only a limited number of reliable employees be given open-ended access to information available on a network and that less reliable employees, like Bob, should be restricted altogether from being able to access certain parts of the network or allowed to access them based only on a more restrictive access protocol.

All this said, we should not forget that the CFAA is not the only remedy available to employers who have been hacked by employees. As we have discussed in the past, employers can sue for civil damages under various constructions of contract, state misappropriation, and trade secrets law, but the question now is whether one of the more potent weapons against computer hacking historically will continue to be a deterrent against hackers and unscrupulous employees and contractors or if, after Van Buren, it has been left, as Shakespeare penned, full of sound and fury, signifying nothing.

Related content:

What You Need to Know about Keeping Trade Secrets

All Good Things Come To An End (Part I):  Someone Breaches Their Contract With You

Small Business Owner’s Quick Guide to Conducting a Trademark Search 


FTC Bans Non-compete Clauses

FTC Bans Non-compete Clauses

Here are six FTC non-compete provisions In a previously article on non-competes entitled “Are Non-Compete Provisions Still Enforceable”, there was a reference to a rule published for comment in January 2023 by the U.S. Federal Trade Commission. The proposed rule would...

Seven Lessons Before Entering into a Bad Agreement

Seven Lessons Before Entering into a Bad Agreement

Look before you leap, do your home work before the commitment Jose, the President of Software Development Group (“SDG”), was desperate to expand his business. He saw many opportunities of exploiting the market for products to enhance the data security of medical...

Video Gallery

Modern version of Stoic philosopher Epictetus
A professional leads a cybersecurity training session for employees, emphasizing best practices. The photography captures the engagement of participants, showcasing the educational aspect of safeguard
Hispanic bearded male businessman trainer teaching coaching new recruitment African American female businesswoman employee in formal suit sitting studying learning company graph chart strategy
The presence of a robot using a computer. Office keyboard being typed on by machine. future IT group,.
Latino Streetwear Entrepreneur Latin Biz Today
Chef Lorena Garcia cooking with a wok
Latina Chef Loren Garcia
Latin Biz Today partner Johanna at the San Sebastián Festival


Which item currently represents the greatest hurdle in the growth of your business?(Required)

Sign Up for the Latin Biz Today Newsletter

PR Newswire

Featured Authors

Innovation & Strategy


Four Basic Principles for Raising Capital

Four Basic Principles for Raising Capital

Outside investors want to understand a business' strategy as well as its financial statements.   The need to raise capital from outside investors requires a great deal of preparation across multiple dimensions. Among many things, investors look to understand...









Work & Life


Health & Fitness

Travel & Destinations

Personal Blogs

Pin It on Pinterest