On June 3, 2021, the U.S. Supreme Court issued its first-ever interpretation of the Computer Fraud and Abuse Act (CFAA), the federal criminal and civil statute intended to deter and punish unauthorized access to computer systems. The decision in Van Buren v. United States adopts a narrow construction of a key provision of the CFAA addressing whether a computer user “exceeds authorized access.” In doing so, the Court echoed the concerns of many commentators who have warned against a broad reading of the statute that might over-criminalize computer activity.
The Court’s decision removed the CFAA as a tool to address certain circumstances when someone accesses a computer in violation of an authorized purpose, such as violations of workplace technology policies or a website’s terms of service. In Van Buren, the Court rejected the argument that violation of a purpose-based restriction can be the basis for a violation of this portion of the CFAA. Because this type of conduct is not actionable under the CFAA, companies may turn to technological access controls to control sensitive data rather than relying on internal policies.
The Court’s limits on the scope of the CFAA may be favorable to cybersecurity researchers, who often access computer systems in violation of terms-of-use to detect security vulnerabilities or other threats. Until Van Buren, white-hat cybersecurity researchers were deterred from carrying out such tests due to the threat of criminal prosecution under the CFAA for exceeding authorized access. Click here to read the full article on this and get more details.