Aug 292025

Van Buren in Action: Third Circuit Rejects Application of the Computer Fraud and Abuse Act (CFAA) to Violations of Workplace Policies

David Lashway, John Woods, Philip Robbins and Brad A. Carney
, ,

On August 26, 2025, the Third Circuit issued an opinion in NRA Group, LLC v. Durenleau, limiting the application of the CFAA in the workplace. In a case of first impression for the Third Circuit, the Court specifically held that employees with legitimate access to company systems did not violate the CFAA by violating their employer’s computer-use policies absent any “evidence of code-based hacking.” Applying the Supreme Court’s Van Buren v. United States “gates-up-or-down” framework, the Third Circuit interpreted “without authorization” and “exceeds authorized access” under the CFAA narrowly – focusing on actual access prohibitions and restrictions. The ruling thus shields workplace computer-use policy violations by current employees, such as password sharing or improper data use, from CFAA liability (both civil and criminal) and steers employers toward other legal remedies.

Background

The underlying matter initially stemmed from two employees at a debt-collection firm handling an urgent state licensing issue while one was home sick without remote access. In an effort to resolve the licensing issue, one employee shared her corporate credentials with the other, who then logged in, retrieved a spreadsheet containing passwords for corporate systems and accounts, and emailed it to the other employee’s personal and work email – in violation of company policies. The employer subsequently filed suit alleging, among other things, violations of the CFAA. The district court granted summary judgment to the employees on all of the employer’s claims, and the Third Circuit affirmed on August 26, 2025, with certain counterclaims stayed pending further proceedings.

Van Buren Context

In Van Buren, the Supreme Court interpreted “exceeds authorized access” based on a “gates-up-or-down inquiry,” noting that one either can or cannot access a computer system and certain areas within the system. The Court also cautioned, but did not decide, that violations of workplace computer-use policies should not constitute CFAA violations, given the “breathtaking amount of commonplace computer activity” that would be criminalized by such a holding. In Durenleau, the Third Circuit relied heavily on the Supreme Court’s “gates-up-or-down” approach and its warning about drastically expanding the application of the CFAA.

Gates-Up:  No CFAA Violations Absent Code-based Hacking

Addressing the “exceeding authorized access” and “without authorization” prongs of the CFAA separately, the Third Circuit concluded that the employees’ actions did not violate either prong, despite acknowledging that the employees’ actions “no doubt” violated their employer’s policies. Applying Van Buren’s “gates up-or-down” test and adopting a definition of “authorization” consistent with those adopted by the Fourth and Ninth Circuits, the Court held that current employees who have legitimate system access do not “exceed authorized access” by misusing that access or by violating internal policies. Here, the Circuit Court determined that both employees had permission to access the system, readily rejecting the employer’s claim that one of the employees could not access her computer from home and therefore “was hacking.”  The court further acknowledged the “breathtaking” implications of making the employees’ actions a federal crime before turning to the second prong.

Regarding the “without authorization” prong, the Court held that infractions of workplace computer-use policies by current employees do not violate the CFAA, absent evidence of code-based hacking. In the Court’s view, and consistent with decisions in the Fourth and Ninth Circuits, expanding the CFAA to cover internal policy violations would effectively “transform[] a statute meant to target hackers into a vehicle for imputing liability to workers who . . . disregard a use policy.”  Distinguishing the cases relied on by the employer, the Court recognized the “many other causes of action” providing employers a remedy for employees’ gross violations of computer use policies.

The decision in Durenleau signals a close adherence to Van Buren’s “gates-up-or-down” approach across the Courts of Appeals, and guides future litigants, particularly employers, away from the CFAA as a means of policing workplace computer-use policy violations.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

David Lashway

Washington D.C.

dlashway@sidley.com

John Woods

Washington, D.C.

jwoods@sidley.com

Philip Robbins

Brad A. Carney

Washington, D.C.

brad.carney@sidley.com

You might also like
The UK Data (Use and Access) Act 2025: Implications For Financial Services

The new UK Data (Use and Access) Act 2025 came into force on June 19. Applying in phases through June 2026, the Act will reform, in part, how the UK regulates personal and non-personal data.

Meeting EU Data, Cybersecurity, and Artificial Intelligence Law Obligations: A Checklist for Swiss Life Sciences Companies

For Swiss companies, the next six months are critical for preparing to meet new Digital Data Law obligations. In this briefing, we outline the key timelines, compliance requirements, and practical steps to align with EU requirements.

Action Items for U.S. Public Companies for 2025

Rapid rulemaking and aggressive enforcement by the SEC, combined with legislative, judicial, and regulatory developments, have created new requirements and expectations for U.S. public companies.