U.S. Supreme Court Reviewing "Anti-Hacking" Case - All Employers Should Watch
The United States Supreme Court (USSC) granted cert to review how modern acts are treated under the Computer Fraud and Abuse Act (CFAA), which was first passed in 1986.
Deemed by BloombergLaw and other news outlets as the “Anti-Hacking Law,” in U.S. v. Van Buren, 930 F.3d 1192 the U.S. Court of Appeals for the 11th Circuit (covering GA, FL, AL) considered whether police sergeant Nathan Van Buren of the Cumming, Georgia Police Department violated 18 U.S.C. §1030(a)(2) when he searched the Georgia Crime Information Center (GCIC) database for a license plate number belonging to a woman in exchange for money. Specifically, Van Buren was paid by a "friend" to look up an exotic dancer’s license plate to confirm that she was not an undercover law enforcement officer. The “friend” turned out to be an FBI informant involved in a larger sting operation.
Under CFAA, 18 U.S.C. §1030(a)(2) criminalizes anyone who accesses a computer either without authorization or exceeding permitted authorization to obtain information that meets one of three criteria: (1) is information contained in a financial record of a financial institution; (2) is information from any department or agency of the United States; or (3) is information from any “protected” computer. A “protected computer” is a computer that is (A) exclusively for the use of (or used by) a financial institution or the United States Government; or (B) which is used in or affecting interstate or foreign commerce or communication.
Van Buren was convicted under 18 U.S.C. 1030(a)(2) but argues on appeal that the conviction was erroneous for two reasons: (1) He should have been charged with a misdemeanor; and (2) there was insufficient evidence to convict.
As noted by the 11th Circuit (which upheld Van Buren’s conviction), Van Buren properly faced a felony charge because his crime was motivated by private financial gain. The district court instructed the jury on only felony computer fraud and did not raise the possibility that Van Buren could still be convicted of the lesser-included, misdemeanor version of the offense, should the jury conclude the financial element was missing. Van Buren argues that this omission of the misdemeanor instruction amounted to reversible error.
For Van Buren to succeed on his argument, he must demonstrate that the evidence would have allowed a rational jury to believe that he committed the crime without the motivation of personal financial gain. According to the 11th Circuit,
Van Buren's problem arises from the fact that the record contains no evidence that Van Buren engaged in computer access for any reason other than financial gain…In short, no jury could have rationally believed that if Van Buren searched Carson's tag in the GCIC system on September 2, 2015, he did it for some non-financial, unidentified reason. The district court therefore did not abuse its discretion in declining to give the misdemeanor-computer-fraud instruction.
In reviewing the case, the USSC will set precedent in determining if felony convictions for abusing network access privileges will be upheld under CFAA. CFAA also permits civil penalties for violators, so the USSC’s decision may create waves of new CFAA and “Anti-Hacking” claims in criminal and civil courts.
All employers, from both the public and private sectors, should pay close attention. Although employers usually evade vicarious liability for the intentional bad acts of its employees, having employees arrested, charged, or sued for violating “anti-hacking” laws is bad publicity. Further, employees may face a ricochet of negligent supervision claims.