In Van Buren v. U.S., the Supreme Court in a 6-3 decisions handed down today, held that the Computer Fraud and Abuse Act (“CFAA”) didn’t apply where a Cumming, Georgia police sergeant used the department’s computer system to access federal and state crime databases to provide information about a woman his friend had met at a strip club. While the sergeant had authorization to access the computer he did not have authorization to access those databases for non-police purposes.
He was charged with violation of the CFAA. That statute makes it a crime when a person “intentionally accesses a computer without authorization or exceed authorized access, and thereby obtains…information from any protected computer.” A “protected computer” includes any computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the U.S. that is used in a manner that affects interstate or foreign commerce or communication of the United States.”
The provision referring to “intentionally accessing a computer without authorization” was written to cover outside hackers,
The Court’s majority noted that the Act, if read otherwise would encompass everyday violations of terms of service, such as use of a work computer to order personal goods from Amazon, posting on Facebook, or checking last night’s sports scores. The Court held that such practices did not exceed authorized access related to computer structures., i.e., prohibitions against accessing certain files, folders or databases to which access does not extend.
So, if you’re an employer, your rules guiding computer use better be detailed and made explicit in personnel manuals, signage, and employee handbook if you want to keep your employees from using their time to surf the net.