June 11, 2021

“Fighting Insider Abuse After Van Buren,” Lawfare, June 11, 2021

“Fighting Insider Abuse After Van Buren,” Lawfare, June 11, 2021

The U.S. Supreme Court’s decision in Van Buren v. United States on June 3 was a significant victory for civil liberties groups, researchers, the defense bar and others troubled by the broad reading of the Computer Fraud and Abuse Act (CFAA) urged by the government. Writing for the majority, Justice Amy Coney Barrett correctly, in our view, struck down the “broad” view of the CFAA in a 6-3 vote. The majority rejected the government’s expansive interpretation of the statute that would have empowered private companies, simply by the way they drafted employee policies or terms of service, to criminalize “a breathtaking amount of commonplace computer activity.” The Van Buren decision established that, going forward, to violate the CFAA, a user must access data from part of a device or network to which the user is not permitted access. This is a far steeper bar than the government’s preferred reading of the CFAA, which would have criminalized “misuse” of data—to which the user had authorized access—under policies dictated by the data owner…