Computer Fraud and Abuse Act

Yesterday the Supreme Court issued a decision in Van Buren v. United States, No. 19-783, ruling that a police officer did not violate the Computer Fraud and Abuse Act (“CFAA”) when he obtained information from a law enforcement database that he was permitted to access, but did so for an improper purpose.  In so ruling, the Court adopted a relatively narrow reading of the CFAA, and partially resolved a years-long debate concerning the scope of liability under the CFAA.

The CFAA prohibits, inter alia, “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] information from any protected computer.” 18 U.S.C. § 1030(a)(2). What it means to “exceed authorized access” has been the subject of disagreement among lower courts: Some have concluded that this term refers to accessing areas of a computer that the user is not permitted to access under any circumstances—e.g., a student accessing her university’s database of grades that is restricted to only administrator use. Others have concluded that this term also encompasses individuals who are permitted to access an area of a computer for certain purposes but do so for an improper purpose—e.g., an administrator accessing the university’s database of grades that she is generally permitted to use, but doing so for the improper purpose of blackmailing a student.

By Alex Berengaut

[This article also was published in Law360.]

In May 2017, the “WannaCry” malware was used to launch a worldwide ransomware cyberattack. WannaCry encrypted files on victim computers and demanded a ransom payable in bitcoin to provide the encryption key. The attack was stopped when a British security researcher, Marcus Hutchins, accidentally discovered and activated a “kill switch” in the malware.

In a dramatic turn of events, Hutchins was arrested earlier this month by the FBI in Las Vegas as he was returning home from a cybersecurity conference. He wasn’t charged for anything to do with WannaCry; rather, the government alleged that he had created and conspired to sell a different piece of malware, the “Kronos Banking trojan,” a piece of software that recorded and stole user credentials and other personal identifying information. On Aug. 14, 2017, he pleaded not guilty to the charges against him.

Since Hutchins’ indictment, commentators have questioned whether the creation and selling of malware—without actually using the malware—violates the two statutes under which Hutchins was charged: the Computer Fraud and Abuse Act and the Wiretap Act.[1] It is likely that these issues will be litigated as the case unfolds.

But there is another question raised by the indictment: whether it violates Hutchins’ constitutional rights to charge him for his alleged conduct under any statute in this country. Several circuits—including the Seventh Circuit, where Hutchins’ case will be heard—have recognized that the federal government cannot charge anyone, anywhere in the world, irrespective of their connections to the United States.[2] As the Second Circuit has put it, “[i]n order to apply extraterritorially a federal criminal statute to a defendant consistently with due process, there must be a sufficient nexus between the defendant and the United States so that such application would not be arbitrary and fundamentally unfair.”[3]

In WEC Carolina Energy Solutions LLC v. Miller, the U.S. Court of Appeals for the Fourth Circuit recently ruled that a former employee could not be held liable under the federal Computer Fraud and Abuse Act (“CFAA”), where he lawfully downloaded confidential information from his employer’s computer network and soon thereafter used
