On November 21, the Supreme Court of Virginia entered a published order reversing a 14-3 en banc decision of the Court of Appeals of Virginia addressing the applicability of Virginia’s criminal laws regulating cybercrime. The decision in Commonwealth v. Wallace is the latest example of courts testing regulatory reach in the cybercrime arena.

The court provided needed clarity on whether the scope of Virginia’s computer fraud statute, contained in Virginia Code Section 18.2-152.3, extends to ATM use. The November decision is only the second instance in which Virginia’s high court has addressed the state’s computer fraud statute, first passed in 1984. The court summarily adopted the reasoning of Court of Appeals dissenting opinion in Wallace v. Commonwealth, 79 Va. App. 455, 476-84 (2024), without further comment, holding: 1) that the ATM at issue in the case constituted a “computer” under Virginia’s computer-crime regime, and 2) that depositing a forged check at an ATM at one’s bank can constitute computer fraud — that is, using the device “without authority” to commit an enumerated crime. Three justices dissented and would have followed the Court of Appeals majority.

Impact of the Decision and Related Decisions

As highly sophisticated, electronic devices continually proliferate, businesses and the legal system will grapple with the challenges they pose. For decades, uniform application of the federal Computer Fraud and Abuse Act of 1986 (CFAA) remained elusive as lower federal courts adopted differing interpretations of its reach. However, in 2021, the U.S. Supreme Court significantly limited the CFAA in Van Buren v. United States, 593 U.S. 374 (2021).

The divided Van Buren court adopted a “gates-up-or-down” approach in circumstances where an individual is alleged to have “exceed[ed] authorized access” in violation of the CFAA. Following more restrictive lower court decisions, the court delineated that CFAA violations under the “exceed authorized access” clause occur only when a user whose credentials do not allow access to a particular database nevertheless manages to knowingly access that database, as opposed to a user who has been granted access to the database but uses the information in the database for an impermissible purpose in violation of company policy.

State courts interpreting similar state statutes have wrestled both with what devices can be used to commit computer crimes (ATMs, employer-issued laptops, smartphones, and even bar code readers, for example), as well as the intended reach of related statutes that have largely failed to keep up with emerging technologies since their enactment in the 1980s. For these and other reasons, businesses seeking to curtail the misuse of devices or information often cannot rely upon fulsome cybercrime enforcement from law enforcement.

The Supreme Court of Virginia decisively weighed in on this issue, permitting consideration not only of the “manner” of use of a device, but the “purpose” of its use in determining whether a violation of the computer fraud statute was committed. The scope of computer fraud in Virginia thus may encompass misuse of data or information obtained, and not mere unlawful access to a device.

Since the expansion of state-level appeals in Virginia in 2022 from a petition to an appeal-of-right regime, the state’s intermediate appellate court has increasingly utilized its full court authority to address contested issues. The Virginia Supreme Court has, however, not hesitated in countering the intermediate court when it deems appropriate, including the instant reversal of a 14-3 en banc Court of Appeals decision. Overall, the decision provides needed clarity in the increasingly nebulous realm of cybercrime enforcement.

Businesses should continue to monitor ever-increasing state and federal rulings related to cybercrime to ensure their policies and practices are precisely tailored to prevent future legal entanglements and consult counsel accordingly.