The United States Supreme Court recently handed down a decision on the “Computer Fraud and Abuse Act” (CFAA), a 1986 law that makes it a crime to intentionally access a computer without authorization. In Van Buren v. United States, a police sergeant was paid by a third party to run a license-plate search through a law enforcement database. The sergeant was authorized to use the database, but only for law enforcement purposes. The Supreme Court found that the sergeant’s search would not amount to a criminal act under CFAA.
The most important factor in the decision is that the employee was allowed to use the database, even though he used it for an improper purpose. In contrast, employees would “exceed authorized access” when they access a database that they are not authorized to use. They can also violate the law if they are using a work computer with permission, but they access areas of a computer that are off-limits (including files, folders, or databases). In that case, criminal penalties under CFAA would attach.
Cities and towns in Western Massachusetts often have access to databases containing sensitive information, including utilities, law enforcement, and other electronic resources. Employees may gain access to the data without authorization. Whether or not criminal liability applies under CFAA, there may be non-criminal and employment penalties that apply. If you are dealing with a potential computer fraud and abuse case, or if you need help drafting employee policies regarding database access, please contact the attorneys at Doherty Wallace Pillsbury & Murphy, so that our business, employment, and municipal attorneys may assist you.