Plain-English summary
Court limits when using authorized computer access becomes a federal crime under the CFAA
In Van Buren v. United States (2021), the Supreme Court narrowed the Computer Fraud and Abuse Act (CFAA). The Court held that an employee does not 'exceed authorized access' under 18 U.S.C. §1030(a)(2) merely by using legitimately accessible computer information for an improper purpose.
Why this matters
This decision narrows federal criminal liability for employees and others with permitted computer access. It prevents routine rule-breaking (like violating an employer’s acceptable-use policy) from automatically becoming a federal CFAA crime, while preserving liability for people who break technical access barriers to get data they are not allowed to see.
Who may feel it
- Employees, contractors, and others who have legitimate access to workplace computers
- Police and government workers with access to law-enforcement databases
- Employers and data owners who rely on access rules and contracts to protect data
- Prosecutors and defense attorneys handling CFAA cases
- Privacy, cybersecurity, and civil liberties advocates