Supreme Court Resolves Circuit Split over Scope of Computer Fraud and Abuse Act
Client Alert | 5 min read | 06.04.21
After months of anticipation, the Supreme Court issued its opinion in Van Buren v. United States narrowing the scope of what constitutes “exceeds authorized access” under Section 1030(a)(2) of the Computer Fraud and Abuse Act (“CFAA”). No. 19-783, --- S.Ct. --- (June 3, 2021). The Supreme Court ruled that to be liable under the “exceeds authorized access” prong of the CFAA, a defendant must have accessed information within a computer system they were not permitted to access. It is no longer sufficient under the CFAA to show a defendant had an improper motive to obtain and use information on a computer system which they were permitted to access.
The CFAA makes it illegal to access a computer without authorization or “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” See generally Section 1030(a). At issue in Van Buren is whether a person who is authorized to access information on a computer for certain purposes exceeds that access under Section 1030(a)(2) if he accesses the same information for an improper purpose. Van Buren involved a police officer who accessed a law-enforcement database to obtain information for private, rather than legitimate law-enforcement, use.
The CFAA is a criminal statute that includes a private right of action, and thus the case law has developed in both the criminal and civil contexts. The CFAA defines “exceeds authorized access” as “access[ing] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). This definition has led to a circuit split on what type of conduct actually constitutes a CFAA violation. In particular, and as we have previously discussed, courts have grappled with whether the CFAA focuses on how the individual accesses the information, as opposed to how or under what circumstances the individual uses it.
The First, Fifth, Seventh, and Eleventh Circuits broadly interpret “exceeds authorized access” to include using information on a computer in violation of a confidentiality agreement, or accessing information on a computer for a purpose prohibited by an employer. Specifically, the Eleventh Circuit has held that a defendant “exceeded his authorized access” under the CFAA by improperly using information that he was authorized to access. U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010). In contrast, the Second, Fourth, and Ninth Circuits have adopted a narrower interpretation of “exceeding authorized access”: liability cannot be imposed on a person with permission to access information on a computer who then uses that information for an improper purpose. U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012) (holding that subsequent improper use of information that was acquired by individuals with authorization to access such information is not a CFAA violation).
In a 6-3 ruling, the Court sided with the Second, Fourth, and Ninth Circuits in holding that an individual “exceeds authorized access” when she accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to her. In so holding, the Court narrowed the scope of the CFAA and resolved the circuit split. The Court adopted the narrow approach, focusing on one’s authority to access information (i.e., the act) on a device rather than one’s authority to use that information. Justice Barrett, writing for the majority, found that the CFAA does not cover those who “have improper motives for obtaining information that is otherwise available to them.”
Justice Barrett, joined by the other two Trump appointees and the Court’s liberal wing, applied a textualist approach in interpreting the CFAA. Of critical importance was the meaning of “so” contained in the clause “entitled so to obtain.” In analyzing the plain meaning of the word, Justice Barrett held the phrase is “best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.” Any other interpretation, the Court held, “would attach criminal penalties to a breathtaking amount of commonplace computer activity.”
Justice Barrett’s opinion focuses on an individual’s authority to access systems that host information, rather than the individual’s authority to possess or use that information. As the Court’s first foray into the CFAA, this decision will have far-reaching implications for any individual or business operating in the digital domain, as the scope of civil and criminal liability under the CFAA can impact just about any sort of relationship involving access to computer systems, whether it be employer-employee relationships or third-party relationships, such as visitors to a website.
Businesses seeking to curb unauthorized use of information by employees and others may need to revisit how and under what circumstances they grant access to such information. It is clear, however, that businesses will have a narrower set of legal tools to prevent unauthorized use of certain information. Instead, businesses must resort to other legal tools to prevent such conduct. For example, the federal Defend Trade Secrets Act (DTSA) and state trade secret, tort, trespass, contract law, and, depending on the circumstances, intellectual property law will take on more significance in holding individuals liable for access to and use of the information. In addition, businesses could bolster their contract claims by imposing greater restrictions on access or use of information in contracts, terms of service, or business handbooks. The government likewise will be more constrained in the types of cases it prosecutes using the CFAA.
In addition to Van Buren, a second CFAA case, HiQ v. LinkedIn, is pending before the Supreme Court. That case involves a business using automated bots to scrape information from public LinkedIn profiles including name, work history, job titles and skills, and using that information to yield “people analytics” in order to sell such information to its clients. While the Supreme Court has not ruled on LinkedIn’s pending cert petition, the Court’s approach to the CFAA in Van Buren will undoubtedly impact companies relying on, or opposing, data scraping (or other technical measures to obtain information) as a business model. The ultimate outcome in the HiQ case will undoubtedly be influenced by the Court’s approach to the CFAA in Van Buren.