U.S. Supreme Court Overturns Former Police Officer’s Conviction for Misuse of Computerized Law Enforcement Records
GARY M. MESSING
Messing Adam & Jasmine LLP
The U.S. Department of Justice (DOJ) has broadly interpreted federal criminal statutes regarding misuse of digital information. The result is an aggressive posture that, taken to its extreme, could criminalize even mundane computer use occurring daily in workplaces across the country. Imagine Police Officer “Smith” gets a call from his sister telling him that her friends want to set her up with a blind date. She is excited to meet someone new, but apprehensive about letting a stranger into her life. She then asks him as a favor to run the man’s name to see if he has a criminal history. Being a caring older brother, Smith agrees and runs the man’s name through a law enforcement database accessible on his work computer. Based on the DOJ’s broad interpretation of the Computer Fraud and Abuse Act (CFAA), this act would make Smith a criminal under federal law.
While law enforcement agencies have rules prohibiting personal use of these types of databases based on legitimate reasons to avoid abuse — rules that could land our hypothetical Officer Smith in hot water administratively — it would be absurd to punish this innocuous behavior criminally. A majority of the justices on the U.S. Supreme Court apparently agreed with this viewpoint and rejected the DOJ’s expansive interpretation of the CFAA in its June 3, 2021, decision entitled Van Buren v. United States, 141 S. Ct. 1648 (2021).
As labor lawyers, we often see cases where peace officers and other public-sector employees are punished for misuse of electronic information stored at work. The resolution of these cases at the administrative level may be compromised by the parties’ concerns over potential criminal prosecution. Accordingly, the Supreme Court’s decision in Van Buren, limiting the reach of the CFAA, may help facilitate a better outcome for employees by taking criminal charges off the table, and allowing their cases to be handled exclusively pursuant to workplace rules and/or collective bargaining agreements. Moreover, this change may mitigate the tendency of some employers to enhance disciplinary sanctions by characterizing the employees’ conduct as criminal.
In the Van Buren case, Nathan Van Buren, who was a police sergeant in Cumming, Georgia, sought a personal loan from a friend named Andrew Albo. His faith in Albo was misplaced, however, as Albo secretly recorded the request and took it to the local sheriff’s office to complain that Van Buren sought to “shake him down” for cash. The sheriff’s investigation was referred to the FBI, which devised an operation to catch Van Buren breaking the law. The plan was for Albo to ask Van Buren to verify whether a woman whom Albo had met at a local strip club was not in fact an undercover officer. He would give Van Buren a license plate number purportedly belonging to the woman so he could search the state law enforcement computer database. Albo, in return, would pay Van Buren approximately $5,000.
The plan worked. Van Buren ran the plate and collected the money. In doing so, Van Buren violated his department’s rules. Even though he had permission to access the law enforcement database, he was forbidden from using any of its information for non-law-enforcement purposes. He was arrested and charged with a felony violation of the CFAA, which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access” (18 U.S.C. § 1030[a]) (emphasis added). The term “exceeds authorized access” is defined within the statute as, “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter” (18 U.S.C. § 1030[e]). Van Buren was later convicted and sentenced to an 18-month prison term.
Van Buren appealed his conviction. He argued that the “exceeds authorized access” clause of the CFAA “applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have” (Van Buren, supra, 141 S. Ct. at 1653). The government, on the other hand, argued that “exceeds authorized access” goes beyond the issue of whether someone is authorized or not authorized to access a computer or database. It also includes the scenario where an individual, despite having permission to access the information stored in a device or database, uses that information in a way that he or she is not authorized to do so. The Eleventh Circuit Court of Appeals ruled in favor of the government upholding Van Buren’s conviction. He subsequently appealed his case to the U.S. Supreme Court, which granted certiorari.
In a 6-to-3 decision written by Justice Amy Coney Barrett, the court ruled in Van Buren’s favor, finding that a person who has authorized access to an electronic device or database is not subject to criminal liability for improperly using information stored there. Rather, the CFAA criminalizes conduct in which such a person accesses information that is “off limits,” i.e., beyond his or her authorized access. As Justice Barrett put it:
“[I]f a person has access to information stored in a computer — e.g., in ‘Folder Y,’ from which the person could permissibly pull information — then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited ‘Folder X,’ to which the person lacks access, he violates the CFAA by obtaining such information” (Id. at 1654–1655).
The court arrived at its decision primarily based on its interpretation of the text and structure of the CFAA and out of its concern that “the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity” (Van Buren, supra, 141 S. Ct. at 1661). As Justice Neil Gorsuch emphasized, the CFAA under the government’s interpretation would “perhaps mak[e] a federal criminal of us all.” (Transcript of oral argument available at tinyurl.com/cccb58xp.) It would, for example, potentially criminalize the following conduct: an employee who sends a personal email from a work computer or a high school student who violates Facebook’s terms of service by creating more than one user account for himself.
These scenarios are similar to our made-up example of Officer Smith who helped his sister verify whether her date has a criminal past. His behavior, though fictional, is relevant to what occurs in many law enforcement agencies across the country and what we have seen from our vantage point as labor lawyers who represent peace officers and other public-sector employees. According to a survey conducted by the Associated Press, sworn and non-sworn employees of state agencies and big-city police departments located throughout the country were fired, suspended or resigned more than 325 times between 2013 and 2015 as a result of misusing work computers or electronic databases, while other employees received reprimands, counseling or lesser discipline in more than 250 instances for similar types of behavior. (See “Across U.S., police officers abuse confidential database,” Associated Press, September 27, 2016, at tinyurl.com/59h3r8rf.)
In light of the above, the Van Buren decision will play a critical part in ensuring that law enforcement employees are not prosecuted unfairly for misusing computerized records. And, as mentioned previously, the decision may reduce the potential for criminal charges and thus facilitate the resolution of these issues at the administrative level. Law enforcement agencies must protect their computerized records for a myriad of reasons, ranging from protecting public safety (by keeping private citizen’s personal information safe and secure) to maintaining the public’s trust. However, criminal charges should only be brought against a law enforcement officer when justified. In the hypothetical case of Officer Smith, his actions should be deterred by workplace rules, but not punished criminally. His actions are less egregious than the real Van Buren, who had his CFAA conviction reversed but remains convicted for “honest services wire fraud” under 18 U.S.C. Sections 1341 and 1346 for the same underlying behavior.
The Van Buren decision leaves certain questions unanswered. The most obvious was stated by the court, as it declined to address whether “exceeding authorized access” refers only to “technological (or ‘code-based’) limitations on access, or instead also looks to limits contained in contracts
or policies” (Van Buren, supra, 141 S. Ct. 1648, n. 8). This issue may be relevant for employees of police departments who may not be technologically barred from accessing workplace computers (in other words, they may not need a password to access a computer) but are forbidden from doing so by agency rules.
PORAC members should also keep in mind that there are laws, other than the CFAA, that may establish criminal and civil liability for the improper use of information an individual is authorized to access. As stated above, Van Buren was charged with a federal crime, “honest services wire fraud,” for the same conduct at issue in the case. The federal Defend Trade Secrets Act (18 U.S.C. Chapter 90) also provides criminal and civil liability for theft of certain proprietary information. Additionally, there are state laws that protect against identity theft, theft of proprietary information and invasion of privacy, which would likely be applicable.
About the Authors
Gary M. Messing is a partner and founding member of the law firm Messing Adam & Jasmine LLP, which predominately represents public-sector unions and their members in labor relations. He has been representing labor unions, peace officers, firefighters and other public-sector employees throughout California for over 40 years. He is also a PORAC LDF panel attorney.
Matthew Taylor is an associate at Messing Adam & Jasmine LLP, specializing in labor law and representing peace officers and other public employees. Matthew draws from his background in law enforcement and investigations. He served as a police officer in the NYPD. He was also an investigator for the City of New York and a legal intern at the U.S. Attorney’s Office in D.C. He is also a PORAC LDF panel attorney.