Image credit: Peqsels

The U.S. Supreme Court’s latest ruling in Van Buren vs. United States in regards to federal anti-hacking laws has broad implications for companies across industries. Corporate general counsels will need to be mindful of the potential impact of this decision. The ruling imposes limitations on the measures that companies can take to prevent hacking, or the unauthorized access to data.

In a June 3rd decision, the Supreme Court limited the scope of the Computer Fraud and Abuse Act (CFAA). Amy Comey Barrett had the pen on the majority 6-3 opinion. The ruling limits the scope of what the law can consider unauthorized access to data.

The Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act became effective in 1986, before the days of modern Internet. Many consider the law, consisting of anti-hacking legislation, to be controversial. The purpose of the law is to prosecute hackers who obtain “unauthorized access” to a computer or network. Despite the CFAA’s intentions, there has been significant ambiguity about the meaning of “unauthorized” access.

There is a general consensus that the CFAA is vaguely worded and outdated. Some critics have referred to the anti-hacking statute as the “worst law” in the technology law books. Others have expressed concerns that the CFAA could punish hackers who act in good faith to identify security vulnerabilities in computer networks. By taking the Van Buren case, the Supreme Court sought to provide clarity on this law that predates the modern Internet.

Notably, the Supreme Court held that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.”

The Supreme Court interpreted the statute to require a ”gates-up-or-down inquiry—one either can or cannot permissibly access a computer system, and one either can or cannot access certain authorized areas within the system” in determining violations of the CFAA.

Genesis of the Anti-Hacking Case

The Van Buren case centered around a license plate data situation. Nathan Van Buren, a former Georgia police officer, successfully petitioned the Supreme Court to review his case. The court convicted Mr. Van Buren of violating the anti-hacking provisions of the Computer Fraud and Abuse Act when he searched for a license plate in a law enforcement database. The prosecutor alleged that he accessed the database to look up the license plate of a personal acquaintance in exchange for cash.

Mr. Van Buren’s convicted cited a violation the CFAA because he accessed the database for an “improper purpose” that was unrelated to his work as a police officer. Mr. Van Buren argued that this overbroad interpretation of the law could punish many everyday online behaviors. For example, this expansive anti-hacking interpretation could result in the criminal prosecution of individuals whenever they violate a website’s terms of service.

Applause for the Supreme Court’s Decision

The Supreme Court’s narrowing of the CFAA’s interpretation is a welcome relief to many. It prevents good faith hackers and everyday violators of the terms of service of a website from criminal prosecution. However, as Justice Clarence Thomas wrote in his dissenting opinion, “without valid law enforcement purposes, he was forbidden to use the computer to obtain that information.” The existing general anti-hacking terms of service of website operators and employers may no longer be sufficient to safeguard key data in light of the Court’s decision. In-house legal counsel will need to note this fact, and potentially redraft contractual language in website terms of use.

There have been mixed reactions to the Court’s decision. In light of the Court’s ruling, some experts in civil liberties believe that Congress should amend the CFAA. “This is an important and welcome decision that will help protect digital research and journalism that is urgently necessary. But more is needed,” commented Alex Abdo of the Knight First Amendment Institute. “Congress should amend the Computer Fraud and Abuse Act to eliminate any remaining uncertainty about the scope of the statute. It should also create a safe harbor for researchers and journalists who are working to study disinformation and discrimination online. Major technology companies should not have a veto over research and journalism that are manifestly in the public interest.”

Further Anti-Hacking Legislation Necessary?

Despite the Supreme Court’s ruling to narrow the scope of the CFAA, Congress could pass legislation to broaden its scope. It is possible that legislation will be introduced to have the CFAA cover “improper purpose” information access in protected computers.

It is important for in-house lawyers to note that, despite the ruling in Van Buren, other anti-hacking federal and state criminal statutes may still penalize unauthorized access to data. Additionally, the court’s ruling may impact civil enforcement by companies. Companies need to carefully review their information access policies and make changes in light of the Supreme Court’s ruling and any subsequent action taken by Congress.