The U.S. Supreme Court recently handed down a decision that answered a question regarding the scope of permitted data access under the Computer Fraud and Abuse Act (CFAA) that had led to a notable Circuit split. In light of this decision, it is crucial for family businesses to understand how the CFAA affects them and how to mitigate unauthorized access of business data.
What Does the CFAA Do?
The CFAA prohibits the unauthorized access of a computer, sometimes known as "hacking." The CFAA makes two types of hacking illegal:
- External hacking—where an individual accesses a computer that they do not have authorization to access; and
- Internal hacking (also known as "insider threats")—where an individual has authorization to access the computer they are on, but exceeds that authorization and accesses information they do not have authorization to access.
Both civil and criminal liability can arise from violations of the CFAA.
The case, Van Buren v. United States, eliminated confusion as to the definition of internal hacking. Before the decision, some Circuits defined internal hacking differently than it is defined above.
Those Circuits held that even if someone was authorized to access the relevant computer and had permission to access the relevant information, they still violated the CFAA if they used that information for any purpose other than that for which they were authorized. The Van Buren decision eliminated this purpose-based reading of the statute, definitively stating that if a person is authorized to access information on a computer, they are not violating the CFAA when they use it, no matter for what purpose.
Takeaways for Family Businesses
Van Buren limits employers' remedies when their employees misuse their employer's business information. As such, employers should closely examine what they are doing to protect their information.
The easiest way for employers to reduce misuse of their confidential business information is to limit the number of employees who have access to it. If employers do not give their employees access to their confidential business information, then they are still protected against internal hacking by the CFAA. Now, after the Van Buren decision, is a good time for your business to reevaluate who has access to what information on your company's computers.
Clearly demarcating what information each employee has access to increases an employer's chances of falling within the protection of the CFAA. If the entirety of a company's information is stored on one server or hard drive that is accessible by all employees, and employees are simply told which files not to open, a court is unlikely to find that any employee accessing a prohibited file had done so without authorization. Best practices dictate that when businesses want to limit access to information, they protect it with passwords or other technological safeguards, and ensure there are audit procedures to determine who accessed any of the information and when.
Similarly, companies should draft policies regarding employee access to confidential information (e.g., "you may only have access to sensitive company data that is necessary for your job" or "you may only access confidential data if you have explicit authorization"). A well-drafted policy, incorporated into employment contracts, can form the basis of a strong CFAA claim that access was not authorized.
By decreasing the availability of statutory remedies, the Van Buren decision increases the importance of contractual ones. Just because an employee is not liable under the CFAA for accessing and misusing information does not mean they are not liable at all. Employment contracts and other agreements often contain language about the misuse of information. Therefore, it is crucial for family businesses to have a lawyer review all such agreements to ensure they prohibit unauthorized access and protect your company's data.
For an in-depth analysis of the Van Buren case, please review this advisory.