Van Buren v. United States (2021) — CFAA¶
Table of contents¶
- Executive Summary
- Regulatory and Legal Outcomes
- Security Technical Summary
- Understanding Regulatory and Court Orders
- Case Pack Documents
- Facts and Timeline
- References
Executive Summary¶
The Supreme Court held in Van Buren that the CFAA’s “exceeds authorized access” provision does not cover the government’s theory that a person with lawful access to information violates the CFAA whenever he uses that access for an improper purpose. The ruling narrows certain CFAA applications involving insider misuse of valid credentials.
Regulatory and Legal Outcomes¶
Supreme Court¶
Van Buren v. United States, 593 U.S. 374 (2021) — opinion PDF.
Security Technical Summary¶
Summary¶
Technical authorization (valid account, permitted query path) must be separated from policy and employment rules about purpose of use. Security architecture should enforce least privilege and monitoring on sensitive systems regardless of CFAA alone.
Engineering takeaways¶
- ABAC / purpose-based controls where legally and technically feasible.
- UEBA and query anomaly detection for high-risk databases.
- Annual training tying acceptable use to disciplinary and contractual consequences—not only criminal law.
Understanding Regulatory and Court Orders¶
Understanding regulatory and court orders
| Document | Date | Source | Key content |
|---|---|---|---|
| Van Buren v. United States | Jun. 3, 2021 | U.S. Supreme Court | CFAA “exceeds authorized access” construction |
Case Pack Documents¶
| Case Document | Summary | Writing Scenario |
|---|---|---|
| Executive and board | ||
| Board Pack | High-level security status and top risks for the board. | CISO delivers a board security brief to the Board Audit Committee. |
| Executive Security Risk Summary | Consolidated security risks and mitigation for executives. | Security Director prepares executive risk summary for CEO and leadership. |
| Security Program Status Report | Program health, metrics, and progress for leadership. | Lead Security Engineer submits status report to Security Director and CISO. |
| Strategic Security Initiative Justification | Business case for a major security initiative. | CISO presents business case for program investment and remediation. |
| Regulatory and compliance | ||
| Regulatory Security Explanation | Explain security posture and controls to a regulator. | Security lead submits explanation of program and compliance posture. |
| Compliance Justification Document | Justify how controls meet a requirement or framework. | Lead Security Engineer maps controls to legal or regulatory requirements. |
| Controls -> Evidence Map | How controls are implemented and evidenced. | Security or control owner maps controls to evidence for regulator or auditor. |
| Governance Response Memo | Respond to an audit or regulatory request on governance. | CISO submits governance response memo for oversight review. |
| Legal-technical | ||
| Detailed Narrative of Events | Chronological factual narrative for legal or regulatory use. | Security or legal prepares chronology for counsel or regulator. |
| Security Architecture Explanation for Legal Review | Explain architecture and controls for counsel. | Lead Security Engineer produces architecture memo for General Counsel. |
| Risk Register | Justify risk acceptance or mitigation for legal or audit. | Security Director maintains risk register for leadership and audit. |
| Security Decision Documentation | Record a significant security decision and rationale. | Security Director documents decision record for board and counsel. |
| Policy and governance | ||
| Security Policy Draft | Draft or update an enterprise security policy. | Security Director drafts policy for CISO, Legal, and board review. |
| Security Governance Memo | Define or clarify governance roles and escalation. | CISO issues internal governance memo to leadership. |
| Security Program Justification | Justify program scope, resourcing, or structure. | CISO presents program justification to CEO and board. |
| Internal Security Directive | Directive or mandate from leadership on security. | CISO issues internal directive on priority control requirements. |
| Public communication | ||
| Security Public Statement | Draft for press or public breach or incident statement. | CISO drafts public statement for consumers and partners. |
| Customer Security Explanation | Explain a security topic or incident to customers. | CISO drafts formal customer explanation for affected users. |
| Security Transparency Report Section | Section for an annual or ad-hoc transparency report. | CISO drafts security section of transparency report for external audiences. |
| Operational (case-pack specific) | ||
| Audit Packet Checklist | What to produce within 48 hours for evidence readiness. | Checklist for audit or regulator request. |
| Implementation Checklist | 0-30 / 30-60 / 60-90 day execution plan. | Security or program owner executes plan for leadership or board. |
Facts and Timeline¶
- 2021 — Supreme Court decides Van Buren.
References¶
Primary: Van Buren slip opinion (PDF)