/cloudfront-us-east-2.images.arcpublishing.com/reuters/JEUL2B5V7BJCFMRTKGOS3ZSN4Y.jpg "Hungary’s anti-LGBTQ law breaches international rights standards – European rights body")
/cloudfront-us-east-2.images.arcpublishing.com/reuters/DYF5BFEE4JNPJLNCVUO65UKU6U.jpg "The curious case of a map and a disappearing Taiwan minister at U.S. democracy summit")
/cloudfront-us-east-2.images.arcpublishing.com/reuters/UF7R3GWJGNMQBMFSDN7PJNRJ5Y.jpg "Blinken touts deeper U.S. engagement amid concern over ‘aggressive’ China")
United States:
US Supreme Court ruling to limit the scope of the Computer Fraud and Abuse Act limits the legal protection of a company’s digital information
June 21, 2021
Archer & Greiner PC
To print this article, all you need to do is register or log in to Mondaq.com.
Every company generates and maintains different types of information, and whether it’s trade secrets, confidential customer information, or things like customer complaints, they don’t want their information to get into the hands of a competitor or the public. There are several laws a company can rely on to protect their information if they take the right precautions. One such law is the Federal Computer Fraud and Abuse Act (CFAA), which governs unauthorized access to electronically stored, or “digital” information. However, in its recent Van Buren v. United States ruling, the United States Supreme Court limited the protections available to digital information owners under the CFAA.
The CFAA is a federal law that applies to almost any computer as long as it is used in or affects interstate or foreign trade, which includes all computers connected to the Internet. By and large, the CFAA provides for both civil and criminal penalties for unauthorized access to and alteration of digital content on a protected computer under two circumstances: a computer, and (2) when a person transgresses authorized access to obtain or change information. The second was at the center of the Supreme Court’s decision in the Van Buren case, which raised the question of whether a person “exceeds their access rights” when obtaining or modifying information for an improper motive. In other words, the CFAA covers situations where a person, usually an employee, is allowed to access certain digital files to get their job done, but then removes, copies, or changes the information for an improper purpose, e.g. a competitor ?
The court’s answer was “no”. It decided that the CFAA only covers traditional hacking and cases where a person has been granted access to some parts of a computer but is authorized by accessing or using “areas in the computer – such as files, folders, or databases.” their computer access is not extended. ” For example, a person can violate the CFAA if they gain access to a computer to work on a group project, but then use that access as an opportunity to hack into a password-protected file on that computer. Conversely, if a person changes or uses information that they would otherwise have access to without additional permissions, regardless of their motives, there is no CFAA violation.
At first glance, the court’s decision makes sense as Congress likely had no intention of criminalizing conduct such as employees who exceeded their authorized access by using a work computer to check their personal email. However, the takeaway for employers is this: if an employer grants an employee access to certain information for any reason, the CFAA does not protect the employer if the employee modifies or extracts that information, regardless of his motive or the original reason the employer gave the employee grant authorized access.
Despite the court’s ruling, the CFAA still offers some defense primarily for all digital content. To take advantage of this protection, companies should configure their computer systems to restrict their employees, contractors, and suppliers from accessing the digital information they need to do their jobs, such as job functions.
In addition, all is not lost when an employer has to provide certain information to its employees. State and federal laws other than the CFAA protect certain types of information, such as trade secrets or confidential business information, in a variety of circumstances. This includes state laws similar to the CFAA that address unauthorized access to computer systems. However, these safeguards vary from state to state and from law to law, and have limitations. For example, a company must take “reasonable steps” to keep its information confidential in order to protect it as a “trade secret”. This, in turn, should encourage a company to establish clear, written policies and agreements with everyone who has access to its information, including employees, suppliers and contractors, and to include appropriate provisions in an employee handbook, as well as to take other measures to ensure that its valuable information, whether digitally or otherwise, to protect effectively.
The content of this article is intended to provide general guidance on the subject. You should seek expert advice regarding your specific circumstances.
POPULAR ARTICLES ON: Technology Made in the United States
Explaining Cryptocurrency Ransomware Problem
Kelley Drye & Warren LLP
The recent ransomware attacks on Colonial Pipeline and JBS resulted in a spate of calls to ban Bitcoin (and cryptocurrency in general) in order to enable and promote these attacks.
Non-Fungible Tokens: U.S. Legal Issues to Consider
Withers LLP
Over the course of 2021, beyond the rise of cryptocurrency and decentralized finance, non-fungible tokens (NFTs) have also gained in popularity. Digital creators use NFTs to monetize digital creative works.
Application of AI in legal services
Oblon, McClelland, Maier & Neustadt, LLP
A common question is why there are so many lawyers. The question is often paired with the question of why lawyers spend so much time on seemingly insignificant tasks …
