The CFAA’s “exceeds authorized access” provision covers those who obtain information from particular areas in a computer to which their computer access does not extend. It does not cover those who have improper motives for obtaining information that is otherwise available to them.
The Supreme Court held that a former police officer did not violate the CFAA by “exceeding” his authorized access to a law enforcement database when he used the database to sell information, because he was otherwise authorized to access the database for law enforcement purposes.
The Court’s ruling impacts what conduct is criminally enforceable under the CFAA and limits legal remedies available to employers and private parties for misuse of data or violations of use policies. Companies should analyze whether appropriate protections are in place to safeguard against conduct now decriminalized under the CFAA.
The CFAA provides criminal and civil remedies against whoever intentionally accesses a computer without authorization or exceeds authorized access. The 1986 anti-hacking law addresses external hacking (access without authorization) and internal hacking (exceeds authorized access). To “exceed authorized access” under the CFAA means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.”2 Circuit courts split on the meaning of “exceeds authorized access,” resulting in different consequences for the same conduct depending on the jurisdiction.