June 15, 2021

The Impact of the Narrowed Scope of CFAA Liability in the Privacy and Security Realm

Julia Kadish, David Poell, Kari Rollins, Liisa Thomas

+ Follow Contact

Send

Embed

Sheppard Mullin Richter & Hampton LLP

The Supreme Court’s recent decision in Van Buren addressed the meaning of the term “exceeds authorized access” under the Computer Fraud and Abuse Act (CFAA). The Court held, in a criminal case that alleged that the person used information for an improper purpose, that the law’s definition of this term does not include situations when people have improper motives for obtaining computerized information they are otherwise authorized to access.

As we outlined in our sister blog, the Court found that individuals “exceed authorized access” only if they obtain files or folders that should have been off limits. In the particular case, authority was not exceeded because the individual was authorized to retrieve the information in question. Although Van Buren was a criminal case, the structure of CFAA strongly suggests that the Supreme Court’s holding will apply in civil cases as well, where controlling decisions in the First, Fifth, Seventh and Eleventh Circuits held the “exceeds authorized access” clause applies to those who misuse their authorized access.

The CFAA has often been used in data privacy and security lawsuits, where companies argue that there is “unauthorized access” under the CFAA because an individual does not comply with terms of service, computer use policies, or other documents requiring privacy and security protections. This “improper purpose” theory will be eliminated if lower courts apply Van Buren’s holding to criminal and civil cases alike.

Putting It Into Practice: This case may eliminate a potential cause of action if an individual acts improperly by misusing personal information or failing to protect it as required by law. That does not mean, however, that companies should necessarily strike such requirements from their policies and terms. CFAA is not the only cause of action that can be brought, and making expectations clear in terms can help guide behavior. This decision does, though, remind companies to think about who has (or should have) access to what systems and to regularly audit and update access rights as people’s roles change.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.