On June 3, the U.S. Supreme Court issued a decision in the case of Van Buren v. United States. The 6-3 decision greatly limits the scope of the Computer Fraud and Abuse Act of 1986 (CFAA). The decision means that federal prosecutors can no longer use the CFAA to charge employees who “exceed authorized access” to computer data that they were already authorized to view. Whistleblower advocates warned that the government’s broad interpretation of the CFAA criminalized whistleblowers who accessed workplace computer data to expose fraud and misconduct.
“The issue before the Court was critically important to whistleblowers,” explained Stephen M. Kohn, a whistleblower attorney with the law firm of Kohn, Kohn and Colapinto, and the Chairman of the Board of Directors of the National Whistleblower Center (NWC). “Whistleblowers often access computer information and provide it to law enforcement officials, even if those disclosures were not ‘authorized’ by the company. Consequently, a broad reading of the CFAA could have criminalized typical whistleblower behaviors.”
The majority ruling, written by Justice Amy Coney Barrett, states: “[t]he Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity. If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.”
NWC filed an amicus curiae brief with the court calling for a limitation of the scope of the CFAA. NWC argued that a broad application of CFAA towards any unauthorized use of computer data would lead to “retaliation against whistleblowers who provide evidence of criminal fraud and other criminal activity.” The brief further states “retaliatory CFAA lawsuits… are already being brought by companies against whistleblowers. While Congress attempted to ensure the CFAA would not “cast a wide net over ‘whistleblowers,’ who disclose information they have gleaned” from a computer, whistleblowers have nevertheless been subjected to retaliatory lawsuits by bad actors under the CFAA.”
In an article for The National Law Review, whistleblower attorney Todd Yoder of Kohn, Kohn & Colapinto further explained: “companies had recently begun to weaponize the civil component of the CFAA to attack employee whistleblowers who took computer data from their employees and provided it to the government as evidence in support of qui tam False Claims Act (FCA) cases.”
“In those situations,” Yoder continues, “the only ‘unauthorized access’ at issue was the whistleblower employees merely turning over computer data to the government as evidence of fraud against the United States. This act of attempting to recover taxpayer dollars from fraudsters opened the whistleblowers to costly CFAA actions. However, with the decision by the Court in Van Buren, it appears likely that such retaliatory tactics by FCA defendants will be foreclosed.”
Van Buren v. United States concerned CFAA charges filed against former Georgia police sergeant Nathan Van Buren. Van Buren was convicted of violating the CFAA for accessing a license plate database in exchange for a bribe offered as part of an FBI sting operation. Van Buren appealed the conviction on the grounds that the CFAA should not apply when he had explicit authorization to access the database as part of his job. The Supreme Court ruled in agreement with Van Buren.