Detailed narrative of event
Detailed Narrative of Events¶
(Extended Documentation for Van Buren v. United States (2021) Case Study)
Table of contents¶
- Overview
- Factual background
- Procedural history (trial and appeal)
- Supreme Court decision (2021)
- Significance for access controls and enforcement
Overview¶
Van Buren v. United States, 593 U.S. 327 (2021), is a Supreme Court decision interpreting the Computer Fraud and Abuse Act (CFAA), particularly the phrase “exceeds authorized access.” The Court reversed the Eleventh Circuit and narrowed the government’s preferred reading of the statute in a criminal prosecution involving a law enforcement officer who accessed a law enforcement database he was permitted to use for work—but allegedly for an improper purpose (payment).
The decision reshapes criminal and civil risk analysis for employee misuse of legitimate credentials, and it informs how organizations draft access policies, monitoring programs, and employment remedies distinct from federal computer crime charges.
Factual background¶
The defendant was a police sergeant authorized to use a law enforcement database (the Georgia Crime Information Center) for law enforcement purposes. According to the allegations, he ran a license plate search for a non-law-enforcement reason in exchange for money, violating department policy. Prosecutors charged CFAA violations predicated on “exceeds authorized access” based on use of valid credentials for an unauthorized purpose.
Procedural history (trial and appeal)¶
A jury convicted Van Buren. The Eleventh Circuit affirmed, adopting an interpretation of “exceeds authorized access” that encompassed violations of use restrictions on otherwise permitted access. Certiorari was granted to resolve a circuit split on the meaning of the CFAA’s access provisions.
Supreme Court decision (2021)¶
On June 3, 2021, the Supreme Court reversed. The Court held that an individual “exceeds authorized access” under §1030(a)(2) when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him, rejecting the government’s broader theory that breach of a use policy turns lawful access into exceeding authorized access.
The Court’s reasoning emphasizes gates tied to files and areas of a system rather than purpose-based restrictions alone—altering how prosecutors and civil litigants frame insider access cases.
Significance for access controls and enforcement¶
Organizations increasingly distinguish technical access entitlements (what accounts can reach) from acceptable use policies (what uses are permitted). Van Buren pushes employment and contract remedies for policy-violating uses of otherwise authorized accounts, while reserving CFAA “exceeds authorized access” for cases involving off-limits files or systems under the Court’s gatekeeping analysis—details security architects should align with identity, logging, and investigation playbooks.