In Van Buren v. United States, decided on June 3, 2021, the US Supreme Court clarified the reach of the Computer Fraud and Abuse Act (CFAA). (18 U.S.C. § 1030 et seq.) The case involved a police sergeant who, in return for a bribe, used his patrol-car computer to access a law enforcement database to retrieve information about a license plate number. The officer accessed the database using his valid law enforcement credentials, however, his conduct violated his department’s policy against obtaining database information for non-law-enforcement purposes.

The CFAA makes it a felony to intentionally access a computer without authorization, or to “exceed” the user’s “authorized access.” The statute provides: “[T]he term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” (18 U.S.C. § 1030(e)(6)) At issue in Van Buren was the interpretation of “exceeds authorized access.”

The Court held that under the CFAA “exceeds authorized access” does not extend to those who have improper motives for obtaining information that is otherwise entrusted to them. The Court drew a distinction between those who access unauthorized information and those who misappropriate information to which they have lawful access. A copy of the Court’s decision is available here: https://spelusolawoffice.com/wp-content/uploads/2021/06/19-783_k53l.pdf.