Skip to main content

Does Improper Data Access Violate the CFAA?

by Chris Brook on Tuesday April 21, 2020

Contact Us
Free Demo

It won't happen until October at the earliest but the Supreme Court said Monday it will review how the U.S. Computer Fraud and Abuse Act is interpreted for the first time.

In what could prove to be a landmark case, the U.S. Supreme Court is set to decide later this year whether or not when a person who has authorization to access data for one purpose but accesses it for another is in violation of the Computer Fraud and Abuse Act.

On Monday the court agreed to review a case, Van Buren v. United States in which a police officer accessed a law enforcement database to sell data to a third party.

The case, decided last year in the United States Court of Appeals for the Eleventh Circuit, involved Nathan Van Buren, a former sergeant in Georgia who as part of an FBI sting took bribes to access police databases to determine if a license plate number belonged to an undercover police officer.

Van Buren acknowledged that he performed a search using Georgia Crime Information Center and the National Crime Information Center databases after being offered $5,000 initially plus an additional $1,000. While he was sentenced to 18 months in prison for the crime - he was convicted of fraud and violating the CFAA – he argued the law didn't apply since he was authorized to access the database in the first place. In his appeal, Van Buren argued to the Supreme Court that under the CFAA, some minor actions, like "checking sports scores at work to inflating one’s height on a dating website” could also be considered a federal crime.

Despite being enacted more than 30 years ago, in 1986, the CFAA is still the typical route that federal hacking prosecutions go through. This news could limit the reach of the law however.

The CFAA makes it illegal for computer users to access another computer or exceed authorized access without permission. Because of its broadness, courts from district to district have had different opinions over the years on how to interpret the CFAA.

The intent of the law in the 1980s was to fight hacking. That was before the World Wide Web and before many Americans even had a PC however. Since those times, the law has been cited an incalculable number of times. As of late, the CFAA has been used by employers  to seek damages from former employees who either access company computers “without authorization” or exceed authorized access.

The law is so vague that a federal judge in Washington, D.C. ruled just last summer that violating a website’s terms of service - until that point viewed as a violation - does not violate the CFAA. It was that case, Sandvig v. Barr, that signaled that courts were looking to seriously relax how the CFAA was interepreted.

Advocacy groups like EPIC, the Electronic Privacy Information Center, have spent years fighting the broad interpretation of the CFAA. Recently the group asked the Supreme Court to consider whether another provision within the CFAA prohibits third parties from scraping user data when an internet company, in this instance LinkedIn, bans the practice.

Another group, the Electronic Frontier Foundation (EFF) called on the Supreme Court for clarity around the CFAA in relation to Van Buren v. United States case in January. It got its wish on Monday.

Tags:  Government

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.