Nebraska District Court Holds that Accessing a Computer With An Improper Purpose Exceeds Authorized Accuss Under the CFAA

U.S. v. Kevin Cave, 12-CR-00417 (D. Neb. 2013) the defendant is a former Omaha police officer who had access to a criminal information database while still employed as a police officer.  Before gaining access to the database he was told at his employee training that use of the database was only allowed for legitimate law enforcement purposes.  Despite this, the defendant allegedly sold information from the database to car repo men who paid him up to $200 a pop for leads on the locations of deadbeat car owners.  At all relevant times the Defendant had a valid log in and password, and had full access to the database. The Defense moved to dismiss, largely on the basis of U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012) and WEC Carolina Energy Solutions v. Miller, 687 F. 3d 199 (4th Cir. 2012), arguing that misuse of information is not unauthorized access under the CFAA.  The Government fired back with a brief pointing out the pronounced circuit split on the definition of exceeding authorized access and ultimately prevailed. This case is interesting because its factual simplicity belies its legal complexity.  From one corner you can argue that the Defendant was legally authorized to access everything in the database because he was given a log in and password that gave him access to everything in the database.  From that corner the purpose he was obtaining the information for is irrelevant for CFAA purposes when it comes to the question of authorized access.  The Defendant didn’t hack anything and didn’t access any part of the database that he was restricted from.  His misuse of the information he obtained may have been criminal in some non-CFAA related way, but obtaining information you have ready access to is from this view not a CFAA violation. On the other hand, the Defendant was clearly instructed that the only legitimate purpose that authorized him to use the database was one related to law enforcement.  Under this view, it was his derogation of his duty to his employer (under both agency and contract principles ) that caused the Defendant to exceed his authorized access even though his password gave him access to everything.  I find the implications of this view, and its expansive criminalization of agency and contract law troubling.  As Nosal and countless others have pointed out, it risks criminalizing normal internet behaviour that millions of Americans engage in any day.  Nonetheless, there is a good deal of case law supporting it. Here are the key docs: US v Cave S Indictment Cave MTD Gov Opp to Cave MTD U.S. v Cave Mag Judge FR US v Cave Gov Response to Objects to Mag F&R US v Cave Object to Mag FR U.S. v. Cave MTD Denial (TE)      ]]]]> ]]>

CFAA 2021 Year in review

2021 CFAA Year in Review

In 2021 the United States Supreme Court finally considered what constitutes unauthorized access under the Computer Fraud and Abuse Act. It put a bullet in

Read More »

For media inquiries, please email info@torekeland.com

30 WALL STREET, 8TH FLOOR • NEW YORK, NY 10005

©2022 Tor Ekeland Law, PLLC   •  (718) 737-7264

Attorney Advertising   •   Past results do not guarantee future results   •   Licensed in New York and California