Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Articles
    4. Hacker’s CFAA “without authorization” defense rejected

      Articles

    Article

    Hacker’s CFAA “without authorization” defense rejected

    April 7, 2022

    LinkedInX (Twitter)EmailCopy URL

    By Jason Kunze

    Last year, the Supreme Court narrowed the scope of the Computer Fraud and Abuse Act (“CFAA”). In that case, the Court considered whether a police officer who used his valid credentials to access a police database for a nefarious purpose had “exceeded authorized access” under the CFAA. The Court determined that he had not, as his use of police-provided access credentials made his access authorized, even if the ultimate use of the data he accessed was improper.

    Last year, the Supreme Court narrowed the scope of the Computer Fraud and Abuse Act (“CFAA”). In that case, the Court considered whether a police officer who used his valid credentials to access a police database for a nefarious purpose had “exceeded authorized access” under the CFAA. The Court determined that he had not, as his use of police-provided access credentials made his access authorized, even if the ultimate use of the data he accessed was improper.

    In that decision, the Court discussed its “gates up/gates down” approach to authorization under the CFAA. The Supreme Court did explain that the “without authorization” clause “protects computers themselves by targeting so-called outside hackers—those who ‘access a computer without any permission at all’”—but left it to future cases to determine the precise contours of the “without authorization” prong of the CFAA.

    In a recent case in the Western District of Washington involving an alleged computer hacker, Judge Lasnik had the opportunity to do exactly that, in one of the first tests of the CFAA’s without authorization clause since Van Buren. See U.S. v. Paige Thompson, Case No. CR19-159. Ruling on a motion to dismiss the CFAA claims, the Judge denied the hacker’s argument, which attempted to attack the “without authorization” prong based on a theory that her technology usage (a “proxy scanner”) merely detected misconfigured websites and leveraged available security credentials. The defendant leveraged these credentials to copy voluminous data, including data from Capital One with personally identifying information for about 100 million US residents who had completed credit card applications.

    Ultimately, Judge Lasnik allowed the claim to proceed based on the fact that the hacker acted on security credentials that did not belong to her, and she was not authorized to use. Thus, even if the initial step of detecting misconfigured servers arguably did not violate the CFAA, it is clear that the later steps did. The Judge compared the defendant’s argument to a claim that “because she is alleged to have found a key rather than smashed the window, she cannot have been ‘without authorization.’” Regardless of the technology used to obtain the security credentials, the further use of those stolen credentials was without authorization, according to the Court.

    Practices

    Cybersecurity & Privacy
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved