Federal law and Florida law provide private causes of action for unauthorized access to computers. The federal law is called the Computer Fraud and Abuse Act (CFAA), and imposes civil liability on those who “intentionally access[ ] a computer without authorization or exceed[ ] authorized access.” 18 U.S.C. § 1030(a)(2). Florida’s statute is the Computer Abuse and Data Recovery Act (CADRA), and imposes liability on persons who knowingly obtain “information from a protected computer without authorization.” Fla. Stat. § 668.803. Peter Mavrick a Miami business litigation attorney, and represents clients in Fort Lauderdale, Boca Raton, and Palm Beach. The Mavrick Law Firm represents businesses and their owners in breach of contract litigation and related claims of fraud, non-compete agreement litigation, trade secret litigation, trademark infringement litigation, employment litigation, and other legal disputes in federal and state courts and in arbitration.
At first blush, the wording in both statutes appears self-explanatory. When someone accesses a computer without authorization, he or she is liable for damages. But this begs the question – what is authorization? Does an individual violate CFAA or CADRA by accessing part of another’s computer system he or she was never authorized to access? Or does that individual violate CFAA or CADRA by accessing information he or she was authorized to access but for purposes exceeding the authorization? In business litigation over the statutes, courts struggled to answer these questions and this led to divergent legal interpretations by various courts. See United States v. Valle, 807 F.3d 508 (2d Cir. 2015) (recognizing the circuit split and noting that this sharp division means that the statute is readily susceptible to different interpretations). In 2021, the United States Supreme Court addressed CFAA in Van Buren v. United States, 141 S. Ct. 1648 (2021), to settle how CFAA should be interpreted. In Van Buren, a law enforcement officer was charged with criminally violating CFAA because he used a patrol car computer to access license plate information for a friend. Id. The law enforcement officer was convicted because he “exceed[ed] his authorized access.” An appeal ensued, and the case was ultimately decided by the United States Supreme Court. The court initially noted both parties agreed the law enforcement officer was given the right to acquire license-plate information from the law enforcement computer database. Therefore, the question was whether the law enforcement office was “entitled so to obtain” the license-plate information, as required by CFAA. The Supreme Court held that “the phrase ‘is not entitled so to obtain’ is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.” For example, if a person has access to information stored in a computer—e.g., in ‘Folder Y,’ from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited ‘Folder X,’ to which the person lacks access, he violates the CFAA by obtaining such information. See also Armor Corr. Health Services, Inc. v. Teal, 2021 WL 5834245 (S.D. Fla. Dec. 8, 2021) (the former employee did not lack authorization to downloaded documents from his employer’s server for the improper purpose competing against the employer because the employee was authorized to access those files).
Courts construing the “authorization” wording in CADRA seem to apply a similar analysis. See Grow Fin. Fed. Credit Union v. GTE Fed. Credit Union, 2017 WL 3492707 (M.D. Fla. Aug. 15, 2017) (finding “that no such liability could exist because ‘exceeds authorized access’ simply means that, while an employee’s initial access was permitted, the employee accessed information for which the employer had not provided permission”); see also Maintenx Mgmt., Inc. v. Lenkowski, 2015 WL 310543 (M.D. Fla. Jan. 26, 2015) (“To the extent Maintenx attempts to derive support for its allegation by maintaining that Lenkowski’s use of the data was improper, ‘exceeds authorized access’ should not be confused with exceeds authorized use”). However, it is difficult to determine whether the application of CADRA will continue running parallel to CFAA because (1) the two statutes define “without authorization” differently and (2) CADRA has not been sufficiently tested in the court system. Contrast 18 U.S.C.A. § 1030 (defining “exceeds authorized access” under CFAA) with Fla. Stat. § 668.802 (defining “without authorization).
Peter Mavrick is a Miami business litigation lawyer, and represents clients in Fort Lauderdale, Boca Raton, and Palm Beach. This article does not serve as a substitute for legal advice tailored to a particular situation.