Quantcast
Channel: Blog
Viewing all articles
Browse latest Browse all 277

Van Buren v. United States: The Supreme Court Eliminates a Remedy for Employers

$
0
0
Van Buren v. United States: The Supreme Court Eliminates a Remedy for Employers

Reprinted with permission from the June 21st edition of The Legal Intelligencer. (c) 2021 ALM Media Properties. Further duplication without permission is prohibited.

Since its enactment in 1986, employers have used the federal Computer Fraud and Abuse Act, 19 U.S.C. §1030 (“CFAA”) to vindicate violations of the employer’s workplace policies regarding use of computers, email accounts, and other electronic information by departing employees. The CFAA inevitably appeared as a claim in an employer’s complaint to address such conduct as downloading information from work computers and email accounts, or wiping devices and removing valuable information. The CFAA potentially provided relief where the information taken might not meet the definition of a “trade secret” in the federal Defend Trade Secrets Act (18 U.S.C. §1986), or Pennsylvania’s Uniform Trade Secrets Protection Act (12 P.S. § 5302). Further, and perhaps providing leverage for employers, the CFAA provided a criminal remedy for such violations. In Van Buren v. United States, 592 U.S. ___ (June 3, 2021), the United States Supreme Court may have eliminated that claim for wronged employers.

The CFAA prohibits intentionally accessing a computer with or without authorization or exceeding authorized access of a computer. The Act defines “exceeding authorized access” as accessing a computer with authorization and using that access to obtain information in the computer to which the individual is not otherwise entitled. The CFAA imposes criminal liability for violations of these prohibitions. It also imposes civil liability through a private cause of action if there is “damage,” meaning, an impairment to the integrity or availability of data, a program, a system or information.


Officer Van Buren was charged and convicted for violating the CFAA. Specifically, in exchange for the payment of $5000, Officer Van Buren used his police vehicle’s computer to access license plate information for a friend. Officer Van Buren had “authorization” to use the vehicle’s computer and he had “authorization” to access the license plate database. However, he was not permitted to access the database for “personal use.”

And that is the issue in the case: whether the CFAA’s prohibition against “exceeding” authorized access applies to access of information an individual is entitled to access, but did so with an improper purpose. The circuit courts are split on the issue. The Eleventh Circuit upheld Officer Van Buren’s conviction, but the Supreme Court held that accessing information to which the individual otherwise is entitled but with an improper purposes is not a violation of the CFAA, overturning Officer Van Buren’s conviction.

The majority opinion, authored by Justice Barrett, focused on the impact on “millions of otherwise law-abiding citizens,” noting that an opposite holding would render criminal a “breathtaking amount of commonplace computer activity.” Most employers have policies that prohibit personal use. Some employers have computer policies that incorporate corporate codes of ethics, or anti-discrimination statutes. The Supreme Court noted that a holding that otherwise authorized access for “an improper purpose” would mean that employees violated the CFAA, and would be subject to criminal prosecution, for sending a personal email, agreeing to terms of service for certain websites, “embellishing” on dating websites or using a pseudonym on Facebook while using their work computers. The court noted that there are other remedies for such conduct. For example, the individual who uses authorized access to misappropriate trade secrets is subject to other laws prohibiting that conduct; and, in this case, Officer Van Buren might be subject to federal wire fraud statutes.

The Supreme Court did not address the civil liability provisions of the CFAA, except to note that the requirement to show damage in order to impose civil liability demonstrates that the purpose of the statue is to remediate the “ordinary consequences of hacking” and not “misuse of sensitive information” remediable by other laws. The Court’s holding and this observation likely mean the death knell of this particular strategy in employment trade secret or restrictive covenant cases. In those cases, the employee has usually downloaded information or contacts prior to termination (and the inevitable severing of the employee’s access to that information). The employee has authorized access both to the “computer” and to the information the employee downloaded, likely up to the time of his termination. Under the holding in Van Buren this conduct on the part of the employee is not a violation of the CFAA, and for that reason cannot form the basis of a civil claim. The statute specifically provides for a private cause of action for “any person who suffers damage or loss by reason of violation of this section,” requiring the wronged party to prove a “violation of this section” prior to seeking a civil remedy. Where a workplace policy violation by an employee who is authorized to access a computer or the information accessed is not a “violation” under Van Buren, the wronged party cannot state a claim.

Further, the Supreme Court’s limitation of the CFAA to the “ordinary consequences of hacking” necessarily eliminates civil liability. The employee’s wrong was not “hacking” in the ordinary sense, but misusing or misappropriating information. Interestingly, in the case where an employee “wipes” a device prior to returning it to the employer, there is “damage” as defined by the statute, necessary to impose civil liability, but the employee will have damaged information which he had authorization to access.

The Supreme Court’s clarification of the reach of the CFAA in Van Buren impacts employers’ remedies against employees who download, destroy or misappropriate information before they depart employment. Employers will have to find other legal remedies to address this conduct by departing employees with bad motives. Employee contracts should require return of any information (including electronic information and data) upon termination, and prohibit the employee from keeping copies. This will provide the employer with a breach of contract claim. Federal and state trade secret statutes may also apply if the information taken amounts to a “trade secret.” Common law claims such as conversion or breach of the duty of loyalty may also apply to remedy the wrong. While it is important to have written workplace policies regarding use of computers and electronic information, a violation of those policies alone will not be enough to state a claim for civil or criminal liability under the CFAA.

Patricia Collins is a Partner and Employment Law Chair with Antheil Maslow & MacMinn, LLP, based in Doylestown, PA. Her practice focuses primarily on employment, commercial litigation and health care law. Patricia Collins can be contacted at 215.230.7500 ext. 126.


Viewing all articles
Browse latest Browse all 277

Trending Articles