As a result of a recent United States Supreme Court decision, employers can no longer use the Computer Fraud and Abuse Act of 1986 ("CFAA") as a tool to prevent unauthorized use of their computer systems.
The CFAA makes it illegal to "access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."
In Van Buren v. United States, No. 19-783, the Supreme Court held that a police officer did not violate the CFAA when he ran an unauthorized license plate search in exchange for money. Relying on the language of the statute, the Court reasoned that the CFAA makes it illegal to access information an individual is not permitted to obtain, but does not prohibit improper use of information or databases which an individual has the authority to access.
Justice Barrett used the following example to clarify the Court's holding: If an individual is authorized to access a specific folder on a computer, he/she does not violate the CFAA if he/she accesses the folder for an unauthorized purpose. However, if an individual accesses a separate folder on the computer to which he/she does not have authorized access, such conduct violates the CFAA.
In light of the Supreme Court's decision, employers should consider the following to protect against improper/unauthorized use of their computers/databases:
1) Strengthening policies regarding unauthorized use of computers/databases. While unauthorized use is no longer unlawful under the CFAA, employers are free to implement restrictive policies regarding unauthorized use of computers and discipline employees who violate the policies.
2) Taking further steps (e.g., secure passwords) to safeguard documents/information that employers do not want employees to access.
3) Entering into confidentiality/unauthorized use agreements with employees.