Skip to content

Understanding Regulatory and Court Orders (Van Buren — CFAA)

Purpose

Summarize the Supreme Court’s interpretation of the CFAA phrase “exceeds authorized access” in Van Buren v. United States.

1. Supreme Court opinion (2021)

Van Buren v. United States, 593 U.S. 374 (2021).

Holding (high level)

The Court rejected an interpretation that would treat every violation of a computer-use policy as exceeding authorized access. For an employee or other person authorized to access information, improper purpose in using that access—without breaching a gates-up-or-down restriction—is not “exceeds authorized access” under the CFAA as construed in Van Buren. Read the opinion for exact reasoning and limits.

2. Practical takeaway for security teams

  • Distinguish technical access boundaries (accounts, ACLs) from policy-only use restrictions.
  • Maintain clear entitlements and logging for sensitive databases.
  • Coordinate insider threat and employment policies with counsel—CFAA is not the only risk when misuse occurs.
© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM