In the wake of a 5-4 circuit court split, the Supreme Court of the United States granted certiorari to review the 1986 Computer Fraud and Abuse Act (CFAA) and specifically whether a person who is authorized to access information on a computer for certain purposes violates the CFAA if he accesses the same information for an improper purpose. Van Buren v. United States, Case No. 19-783 (Supr. Ct., Apr. 20, 2020) (certiorari granted).
After a criminal conviction under the CFAA, Van Buren, a Georgia police officer, unsuccessfully appealed to the US Court of Appeals for the 11th Circuit, arguing that his act of accessing information on a database for an improper purpose did not “exceed authorized access” under the CFAA. United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019).
The First, Fifth and Seventh Circuits have agreed with the 11th Circuit’s interpretation and held that accessing a computer for an improper purpose violates the CFAA, even if the person was otherwise authorized to access the information. EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).
The Second, Fourth and Ninth Circuits have held that a criminal violation occurs only if a person accesses information on a computer that he is prohibited from accessing for any reason whatsoever. United States v. Valle, 807 F.3d 508 (2d Cir. 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc).