The controversy over what is a “computer crime” under the Computer Fraud and Abuse Act (CFAA) is now settled for New York, Connecticut, and Vermont. In a case we have been watching on the blog for months, United States v. Valle, the Second Circuit held that the CFAA should be read narrowly.
The Court summarized the CFAA issue:
[W]e must determine whether an individual ‘exceeds authorized access’ [under 18 U.S.C. § 1030(a)] to a computer when, with an improper purpose, he accesses a computer to obtain or alter information that he is otherwise authorized to access, or if he ‘exceeds authorized access’ only when he obtains or alters information that he does not have authorization to access for any purpose which is located on a computer that he is otherwise authorized to access.
Interestingly, the court concluded that the CFAA’s text, history and purpose actually supports both sides of the debate. Still, the court was “obligated to ‘construe criminal statues narrowly so that Congress will not unintentionally turn ordinary citizens into criminals’” (citations omitted).
This criminal case will also impact civil cases. The CFAA creates a private cause of action that some employers have used in lawsuits against employees for alleged misuse of employer data. Now, employers’ ability to do so in New York, Connecticut, and Vermont is more limited.
The court noted that this is an “issue of first impression” in the Second Circuit and that it has “sharply divided our sister circuits.” The Second Circuit’s decision to finally chose a side in the controversy makes it more likely that the Supreme Court will one day settle it once and for all.