EPIC to Supreme Court: Government Insiders Who Improperly Access Personal Data Violate Computer Crime Statute

EPIC has filed an amicus brief in the U.S. Supreme Court case Van Buren v. United States, which concerns whether a police officer violated the Computer Fraud & Abuse Act by accessing personal data in a government database for non-law enforcement purposes. EPIC’s brief argues that the CFAA was enacted “to protect personal information stored in recordkeeping systems” and the scope of the law “should be co-extensive with its data protection purpose.” EPIC wrote that government databases “hold vast quantities of some of the most sensitive personal data imaginable” and that “we need the CFAA, now more than ever, to be an extra check against abuse by the people entrusted to access sensitive data and systems.” The brief also responds to concerns about the potential scope of CFAA liability by noting that “any limiting principle should be tethered to the underlying purpose of” the provision, which is “to protect sensitive data from exposure and subsequent misuse.” EPIC has participated as amicus in LinkedIn v. hiQ Labs, which concerns the application of the CFAA to companies that scrape social media user data. The petition for review in the LinkedIn case is pending in the U.S. Supreme Court.