December 1, 2021

Volume XI, Number 335

Advertisement
Advertisement

December 01, 2021

Subscribe to Latest Legal News and Analysis

November 30, 2021

Subscribe to Latest Legal News and Analysis

November 29, 2021

Subscribe to Latest Legal News and Analysis

The Impact of the Narrowed Scope of CFAA Liability in the Privacy and Security Realm

The Supreme Court’s recent decision in Van Buren addressed the meaning of the term “exceeds authorized access” under the Computer Fraud and Abuse Act (CFAA). The Court held, in a criminal case that alleged that the person used information for an improper purpose, that the law’s definition of this term does not include situations when people have improper motives for obtaining computerized information they are otherwise authorized to access.

As we outlined in our sister blog, the Court found that individuals “exceed authorized access” only if they obtain files or folders that should have been off limits. In the particular case, authority was not exceeded because the individual was authorized to retrieve the information in question. Although Van Buren was a criminal case, the structure of CFAA strongly suggests that the Supreme Court’s holding will apply in civil cases as well, where controlling decisions in the First, Fifth, Seventh and Eleventh Circuits held the “exceeds authorized access” clause applies to those who misuse their authorized access.

The CFAA has often been used in data privacy and security lawsuits, where companies argue that there is “unauthorized access” under the CFAA because an individual does not comply with terms of service, computer use policies, or other documents requiring privacy and security protections. This “improper purpose” theory will be eliminated if lower courts apply Van Buren’s holding to criminal and civil cases alike.

Putting It Into Practice: This case may eliminate a potential cause of action if an individual acts improperly by misusing personal information or failing to protect it as required by law. That does not mean, however, that companies should necessarily strike such requirements from their policies and terms. CFAA is not the only cause of action that can be brought, and making expectations clear in terms can help guide behavior. This decision does, though, remind companies to think about who has (or should have) access to what systems and to regularly audit and update access rights as people’s roles change.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 165
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Kari Rollins Intellectual Property Lawyer Sheppard
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

212.634.3077

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
David M. Poell Business Trial Attorney Sheppard Mullin Chicago, IL
Associate

David Poell is an associate in the Business Trial Practice Group in the firm’s Chicago office, particularly focusing on the areas of consumer privacy and class action litigation.

Areas of Practice

David represents companies in a variety of class actions, multi-district litigations and other complex commercial litigation matters in state and federal courts. He specializes in defending corporate clients in high-stakes litigation matters involving federal consumer-protection statutes, privacy torts, unfair business practices, false advertising claims and large...

312-499-6349
Advertisement
Advertisement
Advertisement