June 3, 2023

Volume XIII, Number 154
Advertisement

31

New Articles
Bottom Row Image
Advertisement

June 03, 2023

Subscribe to Latest Legal News and Analysis

June 02, 2023

Subscribe to Latest Legal News and Analysis

June 01, 2023

Subscribe to Latest Legal News and Analysis

May 31, 2023

Subscribe to Latest Legal News and Analysis

Article By

Liisa M. Thomas
Kari M. Rollins
Julia K. Kadish
David M. Poell

Sheppard, Mullin, Richter & Hampton LLP
Eye On Privacy

Related Practices & Jurisdictions
Advertisement

The Impact of the Narrowed Scope of CFAA Liability in the Privacy and Security Realm

Monday, June 14, 2021

The Supreme Court’s recent decision in Van Buren addressed the meaning of the term “exceeds authorized access” under the Computer Fraud and Abuse Act (CFAA). The Court held, in a criminal case that alleged that the person used information for an improper purpose, that the law’s definition of this term does not include situations when people have improper motives for obtaining computerized information they are otherwise authorized to access.

As we outlined in our sister blog, the Court found that individuals “exceed authorized access” only if they obtain files or folders that should have been off limits. In the particular case, authority was not exceeded because the individual was authorized to retrieve the information in question. Although Van Buren was a criminal case, the structure of CFAA strongly suggests that the Supreme Court’s holding will apply in civil cases as well, where controlling decisions in the First, Fifth, Seventh and Eleventh Circuits held the “exceeds authorized access” clause applies to those who misuse their authorized access.

The CFAA has often been used in data privacy and security lawsuits, where companies argue that there is “unauthorized access” under the CFAA because an individual does not comply with terms of service, computer use policies, or other documents requiring privacy and security protections. This “improper purpose” theory will be eliminated if lower courts apply Van Buren’s holding to criminal and civil cases alike.

Putting It Into Practice: This case may eliminate a potential cause of action if an individual acts improperly by misusing personal information or failing to protect it as required by law. That does not mean, however, that companies should necessarily strike such requirements from their policies and terms. CFAA is not the only cause of action that can be brought, and making expectations clear in terms can help guide behavior. This decision does, though, remind companies to think about who has (or should have) access to what systems and to regularly audit and update access rights as people’s roles change.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 165
Advertisement
Advertisement
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Liisa M. Thomas
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

[email protected]
312-499-6335
www.sheppardmullin.com
Kari M. Rollins
Kari Rollins Intellectual Property Lawyer Sheppard
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

[email protected]
212.634.3077
www.sheppardmulin.com
Julia K. Kadish

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

[email protected]
312.499.6334
www.sheppardmullin.com
David M. Poell
David M. Poell Business Trial Attorney Sheppard Mullin Chicago, IL
Associate

David Poell is an associate in the Business Trial Practice Group in the firm’s Chicago office, particularly focusing on the areas of consumer privacy and class action litigation.

Areas of Practice

David represents companies in a variety of class actions, multi-district litigations and other complex commercial litigation matters in state and federal courts. He specializes in defending corporate clients in high-stakes litigation matters involving federal consumer-protection statutes, privacy torts, unfair business practices, false advertising claims and large...

[email protected]
312-499-6349
www.sheppardmullin.com