Board Pack (Van Buren v. United States)
Use this to brief executives and counsel.
Purpose
This board brief provides decision-useful context for Van Buren v. United States: the Supreme Court’s narrowing of certain Computer Fraud and Abuse Act theories, insider access risk, and enterprise monitoring and employment-aligned responses. It is designed to help the board evaluate governance adequacy, remediation priority, and reporting cadence across legal, technical, and operational dimensions.
Hallucinated writing examples
Scenario: In an illustrative period following the Supreme Court’s June 2021 ruling (time), the Chief Information Security Officer (role) prepares a board security brief (type) for the Board Audit Committee (audience).
MEMORANDUM
This memorandum summarizes the Supreme Court’s June 3, 2021 decision in Van Buren v. United States, 593 U.S. 338, holding that “exceeds authorized access” under the CFAA does not cover obtaining information from portions of a computer for an improper purpose when the user is otherwise authorized to access that information. For enterprises, the case requires updating insider-threat and law-enforcement training materials and reducing over-reliance on a single criminal statute for misuse scenarios.
Incident Summary: The underlying prosecution involved a law enforcement officer paid to search a sensitive database for personal reasons—misuse of otherwise permitted access. For corporate analogs, risk concentrates in employees or contractors with broad database entitlements, support roles with standing authorization, and third-party service accounts.
Misuse may still implicate employment policies, trade-secret law, wire fraud, and other theories; technical controls and HR processes must align with counsel-approved playbooks.
Regulatory and Legal Outcomes: While Van Buren is a criminal statutory interpretation case, civil CFAA litigation strategies and internal investigation narratives in some jurisdictions may shift. Regulated entities may face heightened expectations for monitoring sensitive queries even when access is technically “authorized.”
Control Failures and Root Causes: Program risks the board should track include:
- Over-broad standing authorization to sensitive databases without purpose-based technical enforcement where feasible;
- Insufficient session recording and query analytics for high-risk data stores;
- Outdated insider-threat runbooks citing only CFAA without multi-theory escalation paths;
- Weak coordination between Security, HR, and Legal on investigations and employment actions.
These areas are the focus of our remediation plan.
Remediation and Oversight Program: The Company is implementing least-privilege recertification, PAM with session monitoring for designated sensitive systems, UEBA tuning for anomalous query patterns, updated acceptable-use and monitoring notices with Legal review, and quarterly cross-functional tabletops on insider scenarios.
Approval and Endorsement Requests: Management requests the Committee’s approval of budget for PAM and UEBA expansion; endorsement of policy that sensitive database access requires periodic re-attestation; and confirmation of quarterly reporting on privileged session recording coverage and insider-case time-to-contain.
Please let me know if additional information or further detail would be helpful.
Respectfully submitted,
Chief Information Security Officer