Last week, in Van Buren v. United States, the U.S. Supreme Court concluded that the Computer Fraud and Abuse Act (CFAA) does not apply to every individual who has authorized access to a computer, even if they obtain information for improper use, and only applies to those individuals who exceed their authorized access by obtaining information located in particular files, folders, or databases to which they did not have access.
Why businesses and employers should note this decision:
This means that if an employee has access to and takes proprietary or confidential information and sells it, uses it illegally, etc., it would not amount to a CFAA violation. If an employee, however, committed the same acts by accessing information in an area to which an employer had not given him access, then it could be considered a CFAA violation.
To protect their businesses, owners should have in place protections to prohibit individuals from accessing portions of computer systems to which they do not absolutely need access, have properly drafted contracts and policies prohibiting such access and providing legal remedies, and should look to state laws for possible further protections.