The Supreme Court ruled against the government in a case centered around the Computer Fraud and Abuse Act (CFAA) on Thursday, writing that the Justice Department’s interpretation of the law was too broad and effectively attached “criminal penalties to a breathtaking amount of commonplace computer activity.”
The 6-3 decision put a limit on how the federal government can use the law to prosecute those who unlawfully access a system. In her majority opinion, Justice Amy Coney Barrett wrote that Nathan Van Buren — a police officer from Cumming, Georgia, who was convicted for taking a bribe to look up a license plate — did not violate the CFAA because as an officer he was given full access to the license plate database.
Barrett was joined by Justices Sotomayor, Gorsuch, Kagan, Kavanaugh and Breyer, while Thomas, Alito and Chief Justice Roberts dissented. Barrett argued that by saying Van Buren exceeded his “authorized access” as a police officer, the government was criminalizing “every violation of a computer-use policy.” If that was the case, Barrett said it would mean that “millions of otherwise law-abiding citizens are criminals.”
Lawyers and legal experts had a wide range of responses to the ruling depending on their client base. The ACLU praised the decision, listing specific instances where the expanded reading of the law criminalized everyday activity and research.
Esha Bhandari, deputy director of the ACLU’s Speech, Privacy, and Technology Project, called it an “important victory for civil liberties and civil rights enforcement in the digital age,” adding that it will “allow researchers and journalists to use common investigative techniques online without fear of CFAA liability.”
Erez Liebermann, a partner at Linklaters, said companies and government entities now need to take extra steps to place technological barriers around their data if they want to restrict employees’ access to it.
While this will add costs, Liebermann said it may make data more secure, both from internal users and hackers roaming through a company’s system.
“The Court’s opinion removes a strong criminal deterrent. Employees who might have shied away from theft of internal data because of the fear of prosecution or civil action have caught a break,” Liebermann explained. “Terms of Use and Authorized Use Policies, which already had little teeth given that most people don’t read them, just had a few more teeth knocked out. It’s doubtful that they could form the basis of a criminal prosecution or civil action.”
Mark Langer, a privacy associate with Aleada, said critics and activists have fought against the law for years because the CFAA’s current structure gives the government broad authority to prosecute and then relies on prosecutorial discretion to ensure that this authority is not abused.
“Having the Supreme Court push back on this sweeping interpretation of the CFAA is a huge step for reining in the CFAA’s scope. Solving this problem goes far beyond the scope and facts of one case, and it is the job for a legislature, not a judge. Hopefully this case will provide momentum to Congress’s efforts to bring these laws into the 21st century,” Langer said.
Epstein Becker Green lawyer Aime Dempsey explained that since the law was passed in the 1980s, it has been used to prosecute hackers and as a way for companies to sue certain employees for damages and other penalties.
Dempsey echoed Liebermann’s sentiment, telling ZDNet that employers needed to place more stringent limits on employee access now that the Supreme Court has ruled that even if unlawful access may violate company policy, it would not violate the CFAA.
“If a company has a policy that someone will get fired if they misuse information, this decision wouldn’t change that at all. It would only change the access to this particular statute of the CFAA criminally or civilly,” Dempsey said.
Alan Brill, senior managing director in the cyber risk practice of consultancy firm Kroll, said that the ruling “isn’t giving people a free pass to steal or misuse data because there are other laws to use in certain cases.”
Companies will need to look at how their systems are built and whether they are giving too many employees access to too much information, he said.
“I would probably call together the general counsel, the HR manager, the IT manager and the compliance officer and I would look at what our organization’s rules are for use and misuse of data. I would want to make sure that they were very clearly spelled out and I would want to make sure that they were spelled out appropriately in light of the other laws and labor laws,” Brill explained.
Rules and penalties should be explained and sketched out in compliance with collective bargaining agreements, Brill added, noting that some companies should consider having employees sign updated non-disclosure agreements or computer use agreements.
“This is a multi-dimensional problem that needs a well-thought-out, multi-dimensional answer,” Brill said.
“But if we stick with the basics, giving people access to what they need and not giving them access to what they don’t need, we’re going a long way to immunizing ourselves from the effects of this decision.”