The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls

Digital Guardian's Blog

Does Improper Data Access Violate the CFAA?

by Chris Brook on Tuesday April 21, 2020

Contact Us
Free Demo

It won't happen until October at the earliest but the Supreme Court said Monday it will review how the U.S. Computer Fraud and Abuse Act is interpreted for the first time.

In what could prove to be a landmark case, the U.S. Supreme Court is set to decide later this year whether or not when a person who has authorization to access data for one purpose but accesses it for another is in violation of the Computer Fraud and Abuse Act.

On Monday the court agreed to review a case, Van Buren v. United States in which a police officer accessed a law enforcement database to sell data to a third party.

The case, decided last year in the United States Court of Appeals for the Eleventh Circuit, involved Nathan Van Buren, a former sergeant in Georgia who as part of an FBI sting took bribes to access police databases to determine if a license plate number belonged to an undercover police officer.

Van Buren acknowledged that he performed a search using Georgia Crime Information Center and the National Crime Information Center databases after being offered $5,000 initially plus an additional $1,000. While he was sentenced to 18 months in prison for the crime - he was convicted of fraud and violating the CFAA – he argued the law didn't apply since he was authorized to access the database in the first place. In his appeal, Van Buren argued to the Supreme Court that under the CFAA, some minor actions, like "checking sports scores at work to inflating one’s height on a dating website” could also be considered a federal crime.

Despite being enacted more than 30 years ago, in 1986, the CFAA is still the typical route that federal hacking prosecutions go through. This news could limit the reach of the law however.

The CFAA makes it illegal for computer users to access another computer or exceed authorized access without permission. Because of its broadness, courts from district to district have had different opinions over the years on how to interpret the CFAA.

The intent of the law in the 1980s was to fight hacking. That was before the World Wide Web and before many Americans even had a PC however. Since those times, the law has been cited an incalculable number of times. As of late, the CFAA has been used by employers  to seek damages from former employees who either access company computers “without authorization” or exceed authorized access.

The law is so vague that a federal judge in Washington, D.C. ruled just last summer that violating a website’s terms of service - until that point viewed as a violation - does not violate the CFAA. It was that case, Sandvig v. Barr, that signaled that courts were looking to seriously relax how the CFAA was interepreted.

Advocacy groups like EPIC, the Electronic Privacy Information Center, have spent years fighting the broad interpretation of the CFAA. Recently the group asked the Supreme Court to consider whether another provision within the CFAA prohibits third parties from scraping user data when an internet company, in this instance LinkedIn, bans the practice.

Another group, the Electronic Frontier Foundation (EFF) called on the Supreme Court for clarity around the CFAA in relation to Van Buren v. United States case in January. It got its wish on Monday.

Tags: Government

Recommended Resources

  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • How to simplify the classification process
  • Why classification is important to your firm's security
  • How automation can expedite data classification

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.