June 4, 2023

Volume XIII, Number 155


June 03, 2023

Subscribe to Latest Legal News and Analysis

June 02, 2023

Subscribe to Latest Legal News and Analysis

SCOTUS Review of CFAA May Impact Analysis in Data Breach Notification Obligations

For the first time, the U.S. Supreme Court has agreed to review the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States, No. 19-783. A federal circuit split exists on the issue of whether the statute can only be used against hackers and unauthorized users of electronic systems, or also against authorized users who use the information for unauthorized purposes. In the context of data breaches, companies sometimes look to interpretations of the meaning of “authorization” in CFAA cases to analyze whether notification obligations may exist.

Enacted in 1986 to combat the perceived growing threat of hackers, the CFAA makes it a federal crime to “access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] information from any protected computer.” In addition to criminal penalties, the CFAA contains a private right of action allowing any person who sustains damages or loss because of a CFAA violation to sue for damages or equitable relief. Our sister blog discusses the existing case law involving CFAA claims in more depth.

While a state-by-state inquiry, data breach notification obligations are generally triggered when there has been unauthorized acquisition or access of personal information. Data breach notification statutes do not define what constitutes authorization, and there is a lack of case law in the data breach notification laws analyzing what “authorization” means. However, case law interpreting CFAA has historically helped provide some guidance to organizations on this point.

For example, if an employee sends files to a personal email containing personal information that she uses in the normal course of her responsibilities, but those files are not otherwise acquired or accessed by anyone else, does that company have data breach notification obligations? Under the narrow view (held by the Second, Fourth, and Ninth Circuits), many would argue no. Under the narrow interpretation, if a person is given access to a computer or network (i.e., an employee) then he or she is authorized to access that computer regardless of his or her intent to misuse information or violate any policies that regulate use of the information. In contrast, the First, Fifth, Seventh, and Eleventh Circuits have held that accessing a computer for an improper purpose violates the CFAA, even if the person was otherwise authorized to access the information.

Putting It Into Practice: How the Supreme Court decides Van Buren will transform the landscape for CFAA claims in trade secrets and employment litigation. Simultaneously, the decision should also bring much needed clarity to the definition of “authorization” in the context of data breach statutes, notification obligations, and ensuing data breach litigation.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 139

About this Author

Kari Rollins Intellectual Property Lawyer Sheppard

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

David M. Poell Business Trial Attorney Sheppard Mullin Chicago, IL

David Poell is an associate in the Business Trial Practice Group in the firm’s Chicago office, particularly focusing on the areas of consumer privacy and class action litigation.

Areas of Practice

David represents companies in a variety of class actions, multi-district litigations and other complex commercial litigation matters in state and federal courts. He specializes in defending corporate clients in high-stakes litigation matters involving federal consumer-protection statutes, privacy torts, unfair business practices, false advertising claims and large...


Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...