Computer Fraud: U.S. Supreme Court Rules There Must Be Unauthorized Access to Violate the Computer Fraud Abuse Act of 1986
Author
Michael Keeley
Under the Computer Fraud Abuse Act of 1986 (“CFAA”), anyone who “intentionally accesses a computer without authorization or exceeds authorized access” and thereby obtains computer information commits a criminal offense. In Van Buren v. U.S., 593 U.S. ___(June 3, 2021), a Georgia police sergeant, Nathan Van Buren, was authorized to use the department’s computer system to search automobile license plates. Van Buren agreed to accept payment from a man he met in return for running a license plate search on a woman the man purportedly met at a strip club. Unfortunately for the sergeant, the man was part of an FBI sting attempting to “see how far Van Buren would go for money.” Van Buren was convicted of violating the CFAA, and the case made its way to the United States Supreme Court. Van Buren argued that the “exceeds authorized access” clause of the CFAA applies only to those who obtain information to which their computer access does not extend, not to those who misuse access they otherwise legitimately have. The Court agreed and overturned Van Buren’s conviction, reasoning that, while Van Buren used the computer in violation of department policy, he did not exceed his “authorized access” because he was authorized to retrieve license-plate information.
A frequent issue in the context of computer fraud claims is whether there is coverage when an insured loses money as a result of being socially engineered; that is when a fraudster pretending to be someone he is not sends the insured an email that tricks the insured into transferring money to the fraudster. A common computer fraud insuring agreement covers loss “resulting directly from the use of any computer to fraudulently cause a transfer of property . . .” Insurers have been making arguments similar to Van Buren’s for years; that is, there is no computer fraud when the fraudster had the authority to send his email to the insured’s computer. The fraudster’s email certainly has a fraudulent purpose, but the fraudster was authorized to send the email. As a result, there should be no computer fraud coverage for the same reasons the CFAA would not be violated by Van Buren’s use of his department’s computer system.
While obviously involving different facts and a criminal statute, the reasoning of the Court’s decision is instructive in the insurance context. Writing for the majority, Justice Amy Barrett began by pointing out that, while both “Van Buren and the Government raise a host of policy arguments to support their respective interpretations,” “we start where we always do: with the text of the statute.” Justice Barrett then spent seven pages carefully examining the wording of the statute in the context of various rules of construction, ultimately finding that requiring unauthorized use “is perfectly consistent with the way that an ‘appropriately informed’ speaker of the language would understand the meaning of ‘exceeds authorized access.’” This is precisely what the better—reasoned decisions construing computer fraud claims do, with the predictable result being no coverage without “unauthorized access.”
The Court’s opinion continues by examining the “common parlance” of the statute, the statute’s structure, and the precedent and history of the statute, ending with a commonsense consideration of what the Government’s interpretation of the statute would mean in the context of the “breathtaking amount of commonplace computer activity.” As Justice Barrett reasoned, “[t]o top it all off, the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity.” “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.
. . . . [O]n the Government’s reading . . . an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.” “[T]he fallout underscores the implausibility of the Government’s interpretation. It is ‘extra icing on cake already frosted.’”
Finding computer fraud coverage for a social engineering loss is just as implausible. The use of computers in society is ubiquitous, and virtually all written communications today involve a computer. Thus, to hold that “Computer Fraud” means any fraud that uses a computer even in some minor way, including using an email to send a letter that conveys an untrue message, would turn “Computer Fraud” coverage into “All Fraud” coverage.” For the same reasons the Court found the CFAA requires unauthorized access for there to be computer fraud, so too should there be unauthorized access for there to be computer fraud under a fidelity bond.