William & Mary Business Law Review


George F. Leahy


Internet-connected devices have become essential parts of personal and professional life. As these devices have grown in importance and prevalence in the workplace, so too have federal computer regulations come into the spotlight. Prior to the Supreme Court’s Decision in Van Buren v. United States, the Circuit Courts of Appeals were split on the interpretation of the “exceeds authorized access” clause of the Computer Fraud and Abuse Act (CFAA), a commonly invoked federal law that imposes criminal and civil liability for computer misuse. Although the Court’s narrow holding clarified the definition of “exceeds authorized access,” the Court did not specify what forms of access restrictions, if exceeded, create a CFAA cause of action.

This Note examines enforceable access restrictions for the purposes of CFAA liability in the wake of the Supreme Court’s Decision in Van Buren v. United States. This Note argues that the unresolved issue of CFAA enforceable access restrictions should be further narrowed to include only technological or code-based limitations. This narrowing would be in line with both the Court’s reading of the CFAA and the original legislative purpose of the CFAA. Because the CFAA was primarily implemented as a computer hacking statute, its application should be limited only to when an individual breaks through a technological barrier to access information and, conversely, the CFAA should not be enforced where an individual breaches merely contractual or other non-code-based access restrictions. Narrowing the CFAA in this way would also ensure heightened cybersecurity measures for companies that manage highly sensitive information and safeguard consumer data privacy in the absence of cohesive U.S. cybersecurity and data privacy laws.

Included in

Computer Law Commons