Van Buren in Action: Third Circuit Rejects Application of the Computer Fraud and Abuse Act (CFAA) to Violations of Workplace Policies
On August 26, 2025, the Third Circuit issued an opinion in NRA Group, LLC v. Durenleau, limiting the application of the CFAA in the workplace. In a case of first impression for the Third Circuit, the Court specifically held that employees with legitimate access to company systems did not violate the CFAA by violating their employer’s computer-use policies absent any “evidence of code-based hacking.” Applying the Supreme Court’s Van Buren v. United States “gates-up-or-down” framework, the Third Circuit interpreted “without authorization” and “exceeds authorized access” under the CFAA narrowly – focusing on actual access prohibitions and restrictions. The ruling thus shields workplace computer-use policy violations by current employees, such as password sharing or improper data use, from CFAA liability (both civil and criminal) and steers employers toward other legal remedies.
The UK Data (Use and Access) Act 2025: Implications For Financial Services
The new UK Data (Use and Access) Act 2025 came into force on June 19. Applying in phases through June 2026, the Act will reform, in part, how the UK regulates personal and non-personal data.
Meeting EU Data, Cybersecurity, and Artificial Intelligence Law Obligations: A Checklist for Swiss Life Sciences Companies
For Swiss companies, the next six months are critical for preparing to meet new Digital Data Law obligations. In this briefing, we outline the key timelines, compliance requirements, and practical steps to align with EU requirements. (more…)
Now You See Them, Now You Don’t: Regulatory Risks of Ephemeral Messages
Corporate use of ephemeral messaging applications (communications that disappear after a set time) has become increasingly common across the globe in recent years, with companies recognizing its value in decreasing data storage costs and providing employees a convenient method for communicating quickly with customers and clients. However, the prevalence of these messaging applications in the corporate context has caused regulators to grow concerned about how encrypted and ephemeral messaging might affect regulatory obligations related to data preservation, employee monitoring, and compliance.
