Prosecutors and employers take notice — one of the most robust, wide-reaching tools against computer fraud and abuse could be blunted. The Second Circuit recently joined the Fourth and Ninth circuits in narrowly interpreting the Computer Fraud and Abuse Act (CFAA) in United States v. Valle, 807 F.3d 508 (2d Cir. 2015). Valle, an ex-cop, was convicted of using his access to police databases to aid his gruesome plot to kidnap, torture, and eat a woman, but the Second Circuit overturned that conviction based on its reading of the CFAA. While the Valle case made lurid headlines in the New York press, it has further reaching consequences for the CFAA. The decision deepens the circuit split against the First, Fifth, Seventh, and Eleventh circuits, which give prosecutors and employers more room to bring claims under the CFAA with a broader interpretation of the act.
At stake is the ability of prosecutors and employers to use the CFAA for a common fact pattern in both criminal and civil actions under the statute — when an employee uses his work computer to access information that he is otherwise permitted to access for a non-work purpose in contravention of company policy. The Second Circuit’s Valle decision joins the Fourth and Ninth circuits to say that the CFAA cannot be used for this purpose and is actually meant to only cover traditional hacking activity. On the other side, the First, Fifth, Seventh, and Eleventh circuits still permit a prosecutor, or an employer in a civil CFAA case, to use the act when an employee improperly uses his company access for a non-work purpose.
With a 4-3 circuit split, the stage is set for a potential review by the U.S. Supreme Court. Internet scholars, criminal defense lawyers, and employers have already been filing amicus briefs at the appellate level, arguing both sides of the issue. And all of it turns on the interpretation of a single phrase – what does “exceeds authorized access” mean under the CFAA?
Background. Alberto Valle was a former New York City police officer who was charged with one count of conspiracy to kidnap and one count of improperly accessing a computer in violation of the CFAA. Valle was dubbed the “Cannibal Cop” in the press after details emerged that he engaged in online chats in an “Internet sex fetish community called Dark Fetish Network,” which consisted of “gruesome and graphic descriptions of kidnapping, torturing, cooking, raping, murdering, and cannibalizing various women.” Id. at 512. Valle also accessed restricted law enforcement databases to obtain details about the women he was chatting about, including their locations. Valle then discussed following and tracking the women in his online chats. Prosecutors alleged that Valle was involved in a criminal conspiracy to kidnap and violated the CFAA by using his work access to obtain information to further this conspiracy. Valle’s defense lawyers argued that his chats were mere fantasy, which could not be criminalized, and that the CFAA didn’t apply to his conduct because he was otherwise authorized to access that information, just not for that purpose.
A jury in the Southern District of New York convicted Valle on both counts. Valle, however, filed a motion for acquittal, which the district court granted on the kidnapping count, finding a lack of evidence sufficient to establish the kidnapping conspiracy. The district court denied Valle’s acquittal motion on the CFAA count, and Valle appealed. On review, the Second Circuit agreed with Valle’s lawyers that the phrase “exceeds authorized access” was ambiguous under the CFAA and that, under the principle of lenity, the statute must be interpreted in favor of the criminal defendant.
The Issue. The circuit split centers on the statutory interpretation of the phrase “exceeds authorized access” in the CFAA. 18 U.S.C. § 1030 (a)(2). The CFAA imposes both criminal and civil liability for anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” and in doing so “obtains . . . information from any protected computer.” 18 U.S.C. § 1030 (a)(2)(C). The phrase “exceeds authorized access” is further defined in the statute to mean:
to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.
Id. § 1030 (e)(6). Despite this statutory definition, the circuits have split over its meaning and whether it permits an action against an employee who is authorized to access the information in question but does so for a purpose prohibited by his employer.
The First, Fifth, Seventh, and Eleventh circuits, whose decisions all came before the Fourth, Ninth, and Second circuits’ more recent decisions on this issue, take the position that the language of §1030(a)(2) and §1030(e)(6) is clear — when an employer defines the purpose for which an employee is authorized to access the information in question via company policy or terms of employment, a derogation of that is a violation of the statute. In other words, under the statute you’re not entitled to use your company access to obtain information for a purpose not permitted by your employer.
However, the Fourth, Ninth, and Second circuits read the statute more narrowly. As the Second Circuit noted in Valle:
Valle concedes that he violated the terms of his employment by putting his authorized computer access to personal use, but claims that he did not violate the statute because he never “used his access to obtain any information he was not entitled to obtain.” In other words, Valle argues that he did not “exceed authorized access” because he was otherwise authorized to obtain the database information about Hartigan; his non‐law enforcement purpose in running the search is irrelevant.
807 F.3d at 523. Under this rationale, the Fourth, Ninth, and Second circuits view the CFAA as limited to hackers who essentially engage in “electronic trespassing,”
‘Without authorization’ would apply to outside hackers (individuals who have no authorized access to the computer at all) and ‘exceeds authorized access’ would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).
Id. at 524 (quoting United States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012) (en banc)). The Second Circuit in Valle conceded that both interpretations have merit after examining the CFAA’s statutory history, which dates back to the relevant amendments in 1986. Id. at 525-527. But because of the rule of lenity in criminal cases, the court adopted the interpretation that favored the defendant and overturned Valle’s conviction under the CFAA.
Implications. The implications of the Valle decision could be significant for prosecutors, defendants, employers, and employees operating under the CFAA. If the U.S. Supreme Court steps in and adopts the Valle interpretation, employees who have full access to say, confidential bank information, can’t be prosecuted under the CFAA for violating company policy against accessing and obtaining this information. CFAA would cover only “outside hackers” or “inside hackers” who have electronically breached a barrier of access to the employer’s information system.
And the CFAA seems to be on the Supreme Court’s radar. The Court recently decided another CFAA case on an unrelated jury instructions issue in Musacchio v. United States, No. 14-1095 (U.S. Jan. 25, 2016). Now with a 4-3 circuit split, the Court may soon be willing to settle the “exceeds authorized access” issue.
If the issue does go to the Supreme Court, there will be several issues to watch. First, the facts of the Valle case, with its gruesome details, are probably not the facts that internet advocates of the narrow interpretation want to go up to the highest court of the land on. It will be interesting to see what effect, if any, that has on the Court’s debate. On the other side, the Valle decision also raised concerns in dicta about the broad interpretation taken by the other circuits (First, Fifth, Seventh, and Eleventh) and the potential to “criminalize a broad range of day-to-day activity” that the Second Circuit contends was not meant to be covered by the statute: “While the Government might promise that it would not prosecute an individual for checking Facebook at work, we are not at liberty to take prosecutors at their word in such matters.” 807 F.3d at 528. The Government in Valle tried to stick to the facts of its case and did not respond directly to this argument in its briefing. Yet it will be interesting to see what the response is if this issue is brought before the Supreme Court. Lastly, it will be important to consider what additional arguments are brought to bear on the issue via amicus briefs given that the statute plays such a large role in regulating computer use/abuse despite being written in 1986.
Regardless, employers will want to take note of the current circuit split and consider adjusting their policies accordingly. Specifically, it will be important to note what jurisdictions the employer and its employees are operating in and which standard applies. It will also be important to consider what type of access an employee is allowed, not just from a policy standpoint, but from a process standpoint when it comes to accessing information. Thus, employers may want to consider new technological restrictions to access in addition to other process-oriented restrictions that could be imposed, like retaining a supervisor’s permission before accessing and removing certain data or information.