On June 3, 2021, the US Supreme Court issued a much-anticipated decision interpreting the scope of the federal Computer Fraud and Abuse Act of 1986 (CFAA) not to cover situations in which the defendant was authorized to access information on a computer yet did so for an improper purpose. The decision, which was widely expected after oral argument in November, carries a range of cybersecurity implications for businesses, such as the need to reassess employee access and website terms of service, while simultaneously narrowing the types of trade secret misappropriation that can be addressed through civil claims under the CFAA. In addition, one aspect of the Court’s reasoning, involving the types of “damages” or “loss” required for civil CFAA claims, may further limit the damages available in civil claims brought under the CFAA to harm caused by the intrusion itself rather than any downstream harm caused by misappropriation or misuse of the information obtained. At the same time, the decision leaves several key issues unresolved.
To read the full alert, please click here.