Van Buren in Action: Third Circuit Rejects Application of the Computer Fraud and Abuse Act (CFAA) to Violations of Workplace Policies
On August 26, 2025, the Third Circuit issued an opinion in NRA Group, LLC v. Durenleau, limiting the application of the CFAA in the workplace. In a case of first impression for the Third Circuit, the Court specifically held that employees with legitimate access to company systems did not violate the CFAA by violating their employer’s computer-use policies absent any “evidence of code-based hacking.” Applying the Supreme Court’s Van Buren v. United States “gates-up-or-down” framework, the Third Circuit interpreted “without authorization” and “exceeds authorized access” under the CFAA narrowly – focusing on actual access prohibitions and restrictions. The ruling thus shields workplace computer-use policy violations by current employees, such as password sharing or improper data use, from CFAA liability (both civil and criminal) and steers employers toward other legal remedies.
DOL Confirms Cybersecurity Guidance Applies to All Employee Benefit Plans
The U.S. Department of Labor (DOL) published Compliance Assistance Release No. 2024-01 on September 6, 2024. The release, titled “Cybersecurity Guidance Update,” clarifies that the cybersecurity guidance the DOL issued in April 2021 applies to all employee benefit plans, including health and welfare plans. The DOL states that since the guidance was published, service providers have told plan fiduciaries and Employee Benefits Security Administration (EBSA) investigators that the guidance applies only to retirement plans.
President Biden Signs Sweeping Artificial Intelligence Executive Order
On October 30, 2023, President Joe Biden issued an executive order (EO or the Order) on Safe, Secure, and Trustworthy Artificial Intelligence (AI) to advance a coordinated, federal governmentwide approach toward the safe and responsible development of AI. It sets forth a wide range of federal regulatory principles and priorities, directs myriad federal agencies to promulgate standards and technical guidelines, and invokes statutory authority — the Defense Production Act — that has historically been the primary source of presidential authorities to commandeer or regulate private industry to support the national defense. The Order reflects the Biden administration’s desire to make AI more secure and to cement U.S. leadership in global AI policy ahead of other attempts to regulate AI — most notably in the European Union and United Kingdom and to respond to growing competition in AI development from China.
ICO Publishes Guidance on Handling Worker Health Data
On 31 August 2023, the UK Information Commissioner’s Office (ICO) published guidance on the handling of worker health data for employers (ICO Guidance). The ICO Guidance aims to provide tips and good practice advice about how to comply with applicable data protection legislation such as the UK GDPR when collecting and processing worker health data. Helpfully, the ICO Guidance also contains various checklists to help employers assess data protection considerations when processing worker health data.
