On August 26, the U.S. Court of Appeals for the Third Circuit issued a consequential decision in NRA Group LLC v. Durenleau, significantly narrowing employers' recourse under the Computer Fraud and Abuse Act, or CFAA.
The court, relying heavily on the U.S. Supreme Court's 2021 decision in Van Buren v. U.S., held that employers cannot bring claims under the CFAA against employees who misuse information they are authorized to access unless they explicitly breach technical or codebased barriers such as firewalls.
Additionally, the court held that passwords protecting proprietary business information, alone, do not constitute trade secrets under federal or Pennsylvania law.
This decision reshapes the landscape for internal investigations, effectively limiting the reach of the CFAA as one of the primary tools for addressing many insider threats.
While CFAA-based claims remain relevant in scenarios involving explicit hacking or circumvention of technical security measures, organizations must carefully assess each claim and may have to rely on additional legal tools — such as breach of contract, trade secret laws, fiduciary duty claims, and state-level statutes — as a mechanism for recourse.
Corporate counsel and cybersecurity teams may therefore consider recalibrating their investigation strategies to account for these alternative approaches as well as reviewing their information security policies, procedures, and technical controls in light of Durenleau.
