On June 3, 2021, the U.S. Supreme Court issued its first-ever interpretation of the Computer Fraud and Abuse Act (CFAA), the federal criminal and civil statute intended to deter and punish unauthorized access to computer systems. The decision in Van Buren v. United States adopts a narrow construction of a key provision of the CFAA addressing whether a computer user “exceeds authorized access.” In doing so, the Court echoed the concerns of many commentators who have warned against a broad reading of the statute that might over-criminalize computer activity.

The Court’s decision removed the CFAA as a tool to address certain circumstances when someone accesses a computer in violation of an authorized purpose, such as violations of workplace technology policies or a website’s terms of service. In Van Buren, the Court rejected the argument that violation of a purpose-based restriction can be the basis for a violation of this portion of the CFAA. Because this type of conduct is not actionable under the CFAA, companies may turn to technological access controls to control sensitive data rather than relying on internal policies.

The Court’s limits on the scope of the CFAA may be favorable to cybersecurity researchers, who often access computer systems in violation of terms-of-use to detect security vulnerabilities or other threats. Until Van Buren, white-hat cybersecurity researchers were deterred from carrying out such tests due to the threat of criminal prosecution under the CFAA for exceeding authorized access. Click here to read the full article on this and get more details.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Photo of Seth Orkand Seth Orkand

Seth B. Orkand focuses his practice on white-collar criminal defense, government and corporate internal investigations, research misconduct investigations, college and university disciplinary actions, and complex commercial litigation. Read his full rc.com bio here.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Photo of Kevin Daly Kevin Daly

Kevin P. Daly focuses his practice on complex commercial litigation and trade compliance issues. Kevin represents a variety of clients, including manufacturers, insurance companies, and other businesses, in complex litigation. He has represented clients in class actions (including insurance class actions, consumer class…

Kevin P. Daly focuses his practice on complex commercial litigation and trade compliance issues. Kevin represents a variety of clients, including manufacturers, insurance companies, and other businesses, in complex litigation. He has represented clients in class actions (including insurance class actions, consumer class actions, and class actions related to the Telephone Consumer Protection Act), and product liability actions.