Loose language in a criminal statute conferring a private cause of action – such as the Computer Fraud and Abuse Act (CFAA) – presents an interpretative dilemma for courts. The CFAA furthers the legitimate public interest in preventing and punishing “computer fraud” and “computer abuse.” But there is currently a circuit split as to what constitutes “computer fraud and abuse” under the CFAA, and the Sixth Circuit recently deepened that split.
The concept of a “scheme or artifice to defraud” built into the federal mail, wire, and bank fraud statutes has been broadly interpreted to reach all sorts of dishonest conduct intended to separate a victim from his money or property.[1] Based on the text of the CFAA, courts have articulated a number of plausible reasons to take an expansive view of computer fraud and abuse, so as to punish and provide civil remedies for the misuse of confidential information.[2] But such an expansive view creates tension in the digital context addressed by the CFAA. An overly broad view of CFAA liability expands criminal liability and potentially criminalizes a wide range of conduct, such as using a work computer to participate in a NCAA March Madness pool.
In Royal Truck & Trailer Sales and Service, Inc. v. Kraft, the Sixth Circuit added to the circuit split that has existed for roughly eight years by taking a narrow view of CFAA liability in a civil case.[3] That decision came on the heels of the Supreme Court’s grant of certiorari in a criminal case, United States v. Van Buren, in which the Eleventh Circuit reaffirmed the broad view of CFAA liability.[4]
The Sixth Circuit’s decision in Royal Truck
After discovering that two former sales employees had accessed its computer network and transferred confidential company information to their personal e-mail accounts, Royal Truck & Trailer Sales and Service (Royal Truck) brought suit against them, asserting claims under the CFAA. The district court dismissed the CFAA claims. Royal Truck appealed, but the Sixth Circuit affirmed the dismissal.
Under the CFAA, a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished.”[5] Although a violation gives rise to criminal liability, the CFAA also provides a private right of action, including in instances where a person suffers a “loss” over the course of a year “aggregating at least $5,000 in value.”[6]
On appeal, Royal Truck conceded the former employees had authorization to access company data through their company e-mail accounts, because they accessed the system while still employed. The question on appeal therefore focused on whether the two defendants “exceed[ed] authorized access” by later misusing the data, in violation of Royal Truck’s internal policies.
The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”[7] Construing this language and analyzing dictionary definitions of the terms “access,” “authorization,” and “obtain or alter,” the Sixth Circuit concluded that the CFAA’s plain language does not reach the misuse of data obtained through authorized access. According to the Sixth Circuit, “Section 1030(a)(2)’s aim, in other words, is penalizing those who breach cyber barriers without permission, rather than policing those who misuse the data they are authorized to obtain.”[8]
The Sixth Circuit relied in part on the rule of statutory construction that “where Congress knows how to say something but chooses not to, its silence is controlling.”[9] Congress knew how to say “exceeds unauthorized use” but chose not to do so when enacting the CFAA. As an example, the panel cited the statute requiring that federal agencies share homeland security information in a way that “ensure[s] that such information is not used for an unauthorized purpose.”[10]
In the panel’s view, the interpretation of the relevant statutory language led to a “plain understanding” of its terms, precluding liability in that case.[11] The Sixth Circuit also questioned whether there should be criminal liability under the CFAA “for conduct as pedestrian as checking one’s private social media account on a work phone.”[12]
The Eleventh Circuit’s decision in Van Buren
As a police officer in Georgia, Nathan Van Buren had access to an official government database maintained by the Georgia Bureau of Investigation – the Georgia Crime Information Center (GCIC) database. While Van Buren was authorized to access the GCIC database for legitimate law enforcement purposes, he accepted $6,000 from an individual to obtain information from the GCIC for an illegitimate purpose – to look up information about someone Van Buren thought was a dancer the individual had met at a strip club. In fact, Van Buren had been caught in a sting operation set...
