The Impact of the Narrowed Scope of CFAA Liability in the Privacy and Security Realm

Sheppard Mullin Richter & Hampton LLP

The Supreme Court’s recent decision in Van Buren addressed the meaning of the term “exceeds authorized access” under the Computer Fraud and Abuse Act (CFAA). The Court held, in a criminal case that alleged that the person used information for an improper purpose, that the law’s definition of this term does not include situations when people have improper motives for obtaining computerized information they are otherwise authorized to access.

As we outlined in our sister blog, the Court found that individuals “exceed authorized access” only if they obtain files or folders that should have been off limits. In the particular case, authority was not exceeded because the individual was authorized to retrieve the information in question. Although Van Buren was a criminal case, the structure of CFAA strongly suggests that the Supreme Court’s holding will apply in civil cases as well, where controlling decisions in the First, Fifth, Seventh and Eleventh Circuits held the “exceeds authorized access” clause applies to those who misuse their authorized access.

The CFAA has often been used in data privacy and security lawsuits, where companies argue that there is “unauthorized access” under the CFAA because an individual does not comply with terms of service, computer use policies, or other documents requiring privacy and security protections. This “improper purpose” theory will be eliminated if lower courts apply Van Buren’s holding to criminal and civil cases alike.

Putting It Into Practice: This case may eliminate a potential cause of action if an individual acts improperly by misusing personal information or failing to protect it as required by law. That does not mean, however, that companies should necessarily strike such requirements from their policies and terms. CFAA is not the only cause of action that can be brought, and making expectations clear in terms can help guide behavior. This decision does, though, remind companies to think about who has (or should have) access to what systems and to regularly audit and update access rights as people’s roles change.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.