The Supreme Court will take up Van Buren vs. United States, a case that could modernize and alter the scope of the Computer Fraud and Abuse Act (CFAA).
At issue whether it is federal crime for someone with permission to access information on a computer to do so for an improper purpose.
While it is impossible to know how the high court will rule, Mark Krotoski, co-head of the privacy and cybersecurity practice at law firm Morgan Lewis, said a decision on the case “would allow an even approach to the issue instead of jurisdictional” approaches that have left lower courts split in their interpretation of the statute on cases with similar merits. In Van Buren, Georgia Police Sergeant Nathan Van Buren was convicted by tk under the CFAA for running a license plate number for a third party while he was a target in an FBI sting. On appeal, the 11th circuit upheld the lower court’s ruling.
“The courts of appeals are openly divided four-to-three over whether a person with permission to access information on a computer violates the Computer Fraud and Abuse Act when he accesses that information for an improper purpose,” Van Buren’s lawyers argued in their petition to SCOTUS. “This Court should use this case to resolve the conflict.”
The CFAA has long been considered outdated and in need of a facelift. Efforts by the House to pass the Active Cyber Defense Certainty Act, introduced last year, have stalled. The so-called Hack Back bill would limit “the prosecution of computer fraud and abuse offenses where the conduct constituting an offense involves a response to, or defense against, a cyber intrusion” and supplant the CFAA. But despite bipartisan support, it hasn’t gained enough traction to move it through the House and into the Senate.
SCOTUS had an opportunity last year to hear arguments in another case prosecuted under the CFAA, but declined, “though most observers were optimistic” that the court would take on the CFAA to resolve conflicts in district courts, Krotoski said.