July 8, 2020

Volume X, Number 190

SCOTUS Review of CFAA May Impact Analysis in Data Breach Notification Obligations

For the first time, the U.S. Supreme Court has agreed to review the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States, No. 19-783. A federal circuit split exists on the issue of whether the statute can only be used against hackers and unauthorized users of electronic systems, or also against authorized users who use the information for unauthorized purposes. In the context of data breaches, companies sometimes look to interpretations of the meaning of “authorization” in CFAA cases to analyze whether notification obligations may exist.

Enacted in 1986 to combat the perceived growing threat of hackers, the CFAA makes it a federal crime to “access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] information from any protected computer.” In addition to criminal penalties, the CFAA contains a private right of action allowing any person who sustains damages or loss because of a CFAA violation to sue for damages or equitable relief. Our sister blog discusses the existing case law involving CFAA claims in more depth.

Although the inquiry is state-by-state, data breach notification obligations are generally triggered when there has been unauthorized acquisition or access of personal information. Data breach notification statutes do not define what constitutes authorization, and there is a lack of case law under those statutes analyzing what “authorization” means. However, case law interpreting the CFAA has historically helped provide some guidance to organizations on this point.

For example, if an employee sends files to a personal email containing personal information that she uses in the normal course of her responsibilities, but those files are not otherwise acquired or accessed by anyone else, does that company have data breach notification obligations? Under the narrow view (held by the Second, Fourth, and Ninth Circuits), many would argue no. Under the narrow interpretation, if a person is given access to a computer or network (i.e., an employee) then he or she is authorized to access that computer regardless of his or her intent to misuse information or violate any policies that regulate use of the information. In contrast, the First, Fifth, Seventh, and Eleventh Circuits have held that accessing a computer for an improper purpose violates the CFAA, even if the person was otherwise authorized to access the information.

Putting It Into Practice: How the Supreme Court decides Van Buren will transform the landscape for CFAA claims in trade secrets and employment litigation. Simultaneously, the decision should also bring much needed clarity to the definition of “authorization” in the context of data breach statutes, notification obligations, and ensuing data breach litigation.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume X, Number 139

About this Author

Kari Rollins Intellectual Property Lawyer Sheppard
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

212.634.3077

David M. Poell Business Trial Attorney Sheppard Mullin Chicago, IL
Associate

David Poell is an associate in the Business Trial Practice Group in the firm’s Chicago office, particularly focusing on the areas of consumer privacy and class action litigation.

Areas of Practice

David represents companies in a variety of class actions, multi-district litigations and other complex commercial litigation matters in state and federal courts. He specializes in defending corporate clients in high-stakes litigation matters involving federal consumer-protection statutes, privacy torts, unfair business practices, false advertising claims and large-scale data breaches.

David is also particularly experienced in prosecuting and defending actions involving the enforcement of restrictive covenants and non-competes, deceptive trade practices, misappropriation of trade secrets, the Lanham Act and unfair competition. He further advises companies regarding privacy matters and provides counseling on compliance with FCC, FTC and state-specific rules and regulations.

In addition, David works on appellate litigation matters and is well-versed in issues involving administrative law, Article III standing issues and federal jurisdiction. 

Pro Bono

Of note with regard to his pro bono practice, David previously represented a prisoner in an Eighth Amendment excessive force trial in the Eastern District of Missouri.

312-499-6349

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334