Vondran Legal® CFAA insights: What Every SaaS Company, Employer, and Technology Business Needs to Know.
By Attorney Steve® Vondran
Introduction
For decades, the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030, has been one of the most important—and controversial—federal statutes governing computer misuse.
Originally enacted in 1986 to combat computer hacking, the CFAA has evolved into a powerful civil and criminal enforcement tool used by businesses, employers, software companies, and government agencies. Plaintiffs have invoked the statute against former employees, competitors, web scrapers, credential sharers, insiders, and even individuals accused of violating a website's Terms of Service.
However, in Van Buren v. United States, 593 U.S. 374 (2021), the United States Supreme Court significantly narrowed the scope of the CFAA.
The decision rejected an expansive interpretation of "unauthorized access" that had developed in several federal circuits and clarified that simply misusing information one is otherwise authorized to access does not necessarily violate the CFAA.
For technology companies, SaaS providers, employers, cybersecurity professionals, and business owners, Van Buren fundamentally changed how courts analyze unauthorized computer access.
This article explains what the decision means, why it matters, and how businesses should adapt their legal strategies.
Understanding the CFAA
Congress enacted the CFAA to address unauthorized intrusions into protected computer systems.
Today, the statute provides both criminal penalties and civil remedies for certain unauthorized computer activities.
The CFAA is frequently invoked in disputes involving:
- Employee misconduct
- Data theft
- Customer databases
- Password sharing
- Credential abuse
- Insider threats
- Trade secret misappropriation
- Cloud computing
- SaaS platforms
- API abuse
- Website scraping
- Network intrusions
A successful civil CFAA claim can allow businesses to seek damages and injunctive relief in federal court.
The Statutory Language
The central provision interpreted in Van Buren makes it unlawful to:
intentionally access a computer without authorization or exceed authorized access.
The phrase "exceeds authorized access" became the source of decades of disagreement among federal courts.
The statutory definition states that a person exceeds authorized access when he or she:
accesses a computer with authorization and uses that access to obtain or alter information that the accessor is not entitled so to obtain or alter.
The question became:
Does someone violate the CFAA whenever they misuse information?
Or only when they access information they were never permitted to reach?
The Circuit Split
Before Van Buren, federal courts adopted two competing approaches.
The Broad Interpretation
Several courts held that a user exceeded authorized access whenever they violated restrictions placed on their computer use.
Examples included:
- violating company computer policies
- breaching confidentiality agreements
- using work computers for personal reasons
- accessing information for an improper purpose
- violating website Terms of Service
Under this view, authorization depended not only upon technological permissions but also upon contractual limitations.
This interpretation dramatically expanded the reach of the CFAA.
The Narrow Interpretation
Other courts rejected this approach.
These courts focused on whether the user actually had permission to access the particular files, databases, or systems.
If the user could legitimately reach the information, improper motives alone did not create CFAA liability.
The Supreme Court ultimately adopted this narrower interpretation.
The Facts of Van Buren
Nathan Van Buren served as a police sergeant in Georgia.
An individual working with the FBI offered Van Buren money to search a law enforcement license plate database.
Van Buren had valid credentials allowing him to access the database as part of his official duties.
However, department policy prohibited using the database for personal purposes.
Van Buren nevertheless performed the search in exchange for money.
Federal prosecutors charged him under the CFAA.
Their theory was straightforward:
Although Van Buren had permission to enter the database, he exceeded his authorized access because he used the information for an improper purpose.
The Supreme Court's Decision
The Supreme Court disagreed.
Justice Amy Coney Barrett, writing for the majority, held that the CFAA focuses on where someone is allowed to go within a computer system—not why they go there.
The Court adopted what many commentators describe as a "gates-up-or-gates-down" framework.
If the gate to particular information is open to a user, accessing that information generally does not violate the CFAA merely because the user later misuses it.
Conversely, if the gate is closed and the user bypasses technological or permission-based restrictions, the CFAA may apply.
The Gates-Up-or-Gates-Down Test
Imagine a large office building.
An employee's key card opens Floors 1 through 5.
Floors 6 through 20 require higher security clearance.
If the employee uses their key card to enter Floor 3 and later misuses documents found there, that may violate employment policies or trade secret laws—but not necessarily the CFAA.
If the employee hacks the security system to access Floor 15, however, they have entered an area they were never authorized to access.
That is the type of conduct the CFAA primarily targets.
Why the Decision Matters
The ruling dramatically narrowed potential CFAA liability.
The decision rejected theories that would have criminalized ordinary workplace misconduct.
Without the Court's interpretation, millions of Americans could theoretically have violated federal law by:
- checking sports scores at work
- using workplace computers for personal email
- violating employer computer policies
- breaching contractual restrictions
- violating a website's Terms of Service
The Supreme Court declined to interpret the statute so broadly.
What Still Violates the CFAA?
Van Buren did not eliminate the CFAA.
Many forms of conduct remain actionable.
Examples include:
- hacking into another person's account
- bypassing authentication systems
- exploiting software vulnerabilities
- using stolen credentials
- accessing restricted databases
- circumventing permission controls
- escalating privileges within a network
- accessing information after authorization has been revoked
These remain classic CFAA scenarios.
What About Password Sharing?
Password sharing presents increasingly important questions for SaaS companies.
Suppose:
An employee shares login credentials with an unauthorized third party.
The third party accesses company systems using those credentials.
Whether that conduct violates the CFAA may depend upon several facts:
- Who owned the account?
- Was credential sharing prohibited?
- Had authorization been revoked?
- Did technological controls restrict access?
- Did the third party circumvent authentication?
- Did the company provide notice that access was prohibited?
Van Buren does not answer every credential-sharing question.
Instead, courts continue analyzing whether the user actually lacked authorization to enter the protected system.
The Importance of Revoking Authorization
One lesson from modern CFAA litigation is that companies should clearly document when authorization ends.
For example:
- terminating employees
- disabling accounts
- changing passwords
- revoking API tokens
- removing administrator privileges
- providing written notice that access is no longer authorized
Clear revocation helps establish when future access may become unauthorized.
Terms of Service Still Matter
Some business owners mistakenly believe Van Buren made Terms of Service irrelevant.
That is incorrect.
Terms of Service continue serving numerous important purposes:
- establishing contractual obligations
- defining acceptable use
- prohibiting credential sharing
- allocating risk
- limiting liability
- supporting breach of contract claims
- supporting fraud claims
- strengthening evidentiary positions
Although violating Terms of Service alone may not establish CFAA liability after Van Buren, contractual remedies often remain available.
Other Legal Claims May Fill the Gap
Even where the CFAA no longer applies, businesses may pursue other legal remedies, including:
- breach of contract
- trade secret misappropriation
- copyright infringement
- state computer crime statutes
- conversion
- breach of fiduciary duty
- unfair competition
- tortious interference
- fraud
Technology disputes rarely depend upon a single cause of action.
Practical Recommendations for SaaS Companies
Businesses should not rely solely upon the CFAA.
Instead, companies should implement layered legal and technical protections.
Consider:
- Clearly drafted Terms of Service.
- Comprehensive Acceptable Use Policies.
- Explicit credential-sharing prohibitions.
- Multi-factor authentication.
- Role-based access controls.
- Immediate account deactivation upon termination.
- Detailed audit logging.
- Written revocation notices.
- Employee cybersecurity training.
- Periodic access reviews.
Legal documentation works best when supported by robust technical safeguards.
The Future of CFAA Litigation
Van Buren resolved one major interpretive dispute, but significant questions remain.
Federal courts continue addressing issues involving:
- web scraping
- automated bots
- API access
- credential sharing
- cloud platforms
- artificial intelligence
- insider threats
- authorization after account termination
As software platforms become increasingly interconnected, courts will likely continue refining what constitutes "authorization" under the CFAA.
Conclusion
The Supreme Court's decision in Van Buren fundamentally reshaped the Computer Fraud and Abuse Act by narrowing the meaning of "exceeds authorized access." The Court made clear that the statute is directed primarily at those who enter digital spaces they are not permitted to enter, rather than those who misuse information they were otherwise entitled to access.
For businesses, this means that relying solely on the CFAA is no longer enough. Strong contracts, carefully drafted Terms of Service, well-defined access policies, prompt revocation procedures, and layered technical security controls have become more important than ever.
Whether you operate a SaaS platform, manage proprietary business data, or are evaluating potential claims involving employee misconduct or unauthorized system access, understanding the post-Van Buren landscape is essential. Careful planning today can significantly reduce legal risk and strengthen your position if a dispute arises tomorrow.
Need Legal Guidance?
If your company has questions about unauthorized access, credential sharing, SaaS Terms of Service, Acceptable Use Policies, or litigation under the Computer Fraud and Abuse Act, contact Attorney Steve. We advise technology companies, startups, software developers, and online businesses on proactive risk management and represent clients in complex technology and intellectual property disputes nationwide.

