United States Supreme Court Stresses Need to Combine IT Safeguards with Written Policies to Protect Confidential Data | McNees Wallace & Nurick LLC
[co-author: Frank Lavery, II]*
On June 3, 2021, the United States Supreme Court issued an important opinion in Van Buren v. United States that clarified the scope of the Computer Fraud and Abuse Act (CFAA). The CFAA prohibits unauthorized access, or access that exceeds authorization, to any computer “used in or affecting interstate or foreign commerce or communication.” As the Supreme Court explains, this extends protection, at a minimum, to all information on computers that connect to the Internet, so the reach of the CFAA is considerable. The decision in Van Buren explored what constitutes “unauthorized access” and “access that exceeds authorization.”
Nathan Van Buren was a police sergeant who was granted access to a law enforcement database by the State of Georgia. He was only allowed to access the database for legitimate law enforcement purposes. Nonetheless, Van Buren searched this database for information on a woman with the intention of selling the results for $6,000 to a willing buyer. Unbeknownst to Van Buren, the buyer was a confidential FBI informant posing as a potential romantic partner of the woman. It was not disputed that his department’s policy prohibited Van Buren from accessing the database for non-work-related purposes and that he had received appropriate training on the policy. Van Buren was arrested and criminally convicted under the CFAA.
Based on its precedent, the Eleventh Circuit upheld the conviction, and the Supreme Court granted certiorari to resolve the sharp divergence among US appellate courts as to what constitutes “exceeding authorized access” under the CFAA. Van Buren argued that his conduct was not criminal, as he was authorized to access the law enforcement database. The government argued that his access exceeded his authorization because he was only allowed to access the database for business purposes.
The Supreme Court ruled that although Van Buren had undeniably violated his department’s policy by using the law enforcement database for personal reasons, there was no “gate” intended to keep Van Buren out of the database. He simply used his police credentials to gain access to the system for a prohibited purpose. The Court explained that the CFAA keeps “outside hackers” out by requiring authorization and restrains “inside hackers” by confining users to the parts of a computer system they are permitted to reach. The Court went on to say that “[i]n short, an individual ‘exceeds authorized access’ when he [or she] accesses a computer with permission, but then obtains information located in particular areas of the computer, such as files, folders or databases, that he [or she] is prohibited from accessing.” So the only relevant question was whether Van Buren could access the database, which both parties agreed he could. For this reason, Van Buren did not “exceed authorized access” to the law enforcement database as defined by the CFAA, even though he obtained information from the system for prohibited purposes.
The holding in Van Buren has very serious real-world implications for those who wish to protect their information from external and internal hackers. Access design and access restriction are critical for a number of reasons, and a policy alone does not provide the technical and procedural safeguards needed to protect the data within a system. If your organization wishes to properly restrict access to certain information, it must put in place technical “barriers” that keep users out of that information, including employees whose access to the system is legitimate but limited. These technical protections in the IT infrastructure must be in addition to, not a substitute for, policies restricting access and the training programs that accompany them. Once these safeguards are in place, anyone who “hacks” past them to reach confidential information will have committed a CFAA criminal offense and could be held liable to the organization or employer for civil damages.