Van Buren v. United States - 141 S. Ct. 1648 (2021)

Rule:

Under 18 U.S.C.S. § 1030(e)(6) of the Computer Fraud and Abuse Act of 1986, an individual exceeds authorized access when he accesses a computer with authorization but then obtains information located in particular areas of the computer, such as files, folders, or databases, that are off limits to him.

Facts:

Former Georgia police sergeant Nathan Van Buren used his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. Although Van Buren used his own, valid credentials to perform the search, his conduct violated a department policy against obtaining database information for non-law-enforcement purposes. Unbeknownst to Van Buren, his actions were part of a Federal Bureau of Investigation sting operation. Van Buren was charged with a felony violation of the Computer Fraud and Abuse Act of 1986 (CFAA), which subjected to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U. S. C. §1030(a)(2). A jury convicted Van Buren, and the District Court sentenced him to 18 months in prison. Van Buren appealed to the Eleventh Circuit, arguing that the “exceeds authorized access” clause applied only to those who obtain information to which their computer access did not extend, not to those who misused access that they otherwise had. 

Issue:

By misusing his computer access for non-law-enforcement purposes, did Van Buren “exceed authorized access” within the contemplation of the Computer Fraud and Abuse Act of 1986 (CFAA)? 

Answer:

No.

Conclusion:

The Court reversed the judgment of the lower courts, holding that 18 U.S.C.S. § 1030(e)(6) covered those who obtained information from particular areas in the computer, such as files, folders, or databases, to which their computer access did not extend. It did not cover those who had improper motives for obtaining information that was otherwise available to them. Since the parties agreed that a police officer was allowed to use the system to retrieve license-plate information, he did not exceed authorized access to the database, as the Computer Fraud and Abuse Act of 1986 defined that phrase, even though he had obtained information from the database for an improper purpose.