On June 3, 2021, in Van Buren v. United States, the United States Supreme Court reversed and remanded a lower court decision allowing employers to seek criminal sanctions against an employee who misused his work computer for his own benefit. The employee, a police sergeant, was accused of using his patrol car computer to run license plate searches for money. He was fired and charged and convicted with a felony under the CFAA, serving 18 months in prison.
Van Buren’s attorney argued that using a company computer to access information you are not authorized to have would violate the statute but that his client was actually authorized to use the computer to do license plate searches, just not for his personal gain. The government argued that the statute broadly covered both access and unauthorized use; the Court disagreed.
Reversing the lower courts’ imposition of criminal penalties against the employee, the Supreme Court held that while the employee might be liable under other state or federal statutes, the Court would not interpret the vague and ambiguous CFAA language of “exceeds authorized access” to mean unauthorized use.
Employers have been using the Computer Fraud and Abuse Act of 1986 (“CFAA”) to seek leverage and criminal penalties against employees using their work issued computer devices for unauthorized purposes. The CFAA specifically prohibits access that is unauthorized or which exceeds authorized access. The Court held that the CFAA only focused on the “authorized access” part of the equation and to interpret the statute to prohibit unauthorized use would be too broad.
What does this mean for employees and employers? Notwithstanding the fact that there are other civil penalty statutes such as the Defend Trade Secrets Act and its state law counterparts which fill the gap in the CFAA identified by the Supreme Court, the Van Buren ruling now makes it difficult for an employer to pursue criminal sanctions against an employee for alleged theft of trade secrets, particularly where the employee legitimately had access to the information within the scope of his or her job.
But employees beware! There are other statutes that employers routinely use to justify termination. Employers argue that the employee’s alleged theft or misuse of information justified termination or would have justified termination as after acquired evidence. Of course, the arguments are not that simple and an employer would still need to show that the information stolen was somehow proprietary and that they have suffered damages as a result of the alleged theft. However, the tool is used to pressure employees raising claims against the employer and has very little to do with the likelihood of success. While Mr. Van Buren is surely thrilled with this outcome, he has already served his 18 month jail sentence for his alleged violation of the CFAA.
The Bottomline: Employers, make sure that you are clear and specific about what company devices can and cannot be used for. This is going to require a review and revision of your employee handbook. And employees, you should never be using company issued devices for personal use, even if it’s just checking sports scores or paying bills as pointed out by Justice Barrett. The Court, recognizing the slippery slope created by the ambiguities in the CFAA, was not willing to permit the criminalization of such behavior but you should still beware.