Current Month (November 2025)
The Computer Fraud and Abuse Act: A Digital Hammer in Search of Digital Nail
By Alan S. Wernick, Esq., Wernick & Associates, LTD.
The Computer Fraud and Abuse Act of 1986 (“CFAA”), 18 U.S.C. § 1030, addresses fraud and related activities in connection with computers, including prohibiting unauthorized access to “protected computers” and obtaining information through such access. The CFAA can impose civil and criminal liability on anyone who “access[es] a computer without authorization” or by “exceeding authorized access” to a “protected computer” (18 U.S.C. § 1030(a)). In several cases employers have tried using the CFAA to pursue ex-employees for alleged violations of workplace computer use policies. Depending on the facts, it has not worked out well for those employers.
In a recent case, NRA Group, LLC vs. Durenleau (Oct. 7, 2025), the U.S. Court of Appeals for the Third Circuit had occasion to review a case in which the plaintiff (National Recovery Agency) alleged that two ex-employees had violated the CFAA and the federal Defend Trade Secrets Act (“DTSA”), 18 U.S.C. § 1836 et seq., among other allegations. The defendants counterclaimed with allegations including sexual harassment, negligent hiring and retention, and retaliation under state and federal law. On cross-motions for summary judgment, the district court entered judgment for the employees on all claims against them, staying their remaining sexual harassment claims against NRA pending appeal.
In its opening paragraph, the Third Circuit stated, “In the wrong hands, the law becomes a hammer in search of a nail. This is one such case.” In analyzing the CFAA, the Court held that under Van Buren v. United States (593 U. S. 374 (2021)), “the ‘gates’ of access were ‘up’ for both women—neither hacked into NRA’s systems. No doubt [the employees] violated NRA’s policies, but as employees they had access to the systems.” The Court adopted the definition of “authorization” under the CFAA used by the district court by finding “an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer.”
The Court went on to “hold that, absent evidence of code-based hacking, the CFAA does not countenance claims premised on a breach of workplace computer-use policies by current employees.” Affirming the district court’s grant of summary judgment for the ex-employees on all of NRA’s claims under the CFAA, it noted, “With today’s holding, we mean to turn future litigants to other causes of action so that we do not make ‘millions of otherwise law-abiding citizens [into] criminals.’ Van Buren, 593 U.S. at 394.”
In addressing the plaintiff’s DTSA claims, the Court’s analysis focused on 18 U.S.C. § 1839(3)(b) and whether a password spreadsheet could have independent economic value to elevate it to the level of a trade secret. It held that “because the revealed content would have no economic value to NRA, there is no serious claim the passwords would either.” The Court agreed with the district court and held that the passwords had no independent economic value and, as such, were not trade secrets under the DTSA.
In summary, the NRA Group, LLC, case underscores the need for businesspeople and their legal counsel to have a robust discussion when considering the appropriateness of bringing a CFAA claim. This includes, without limitation, objective consideration of the facts and how they align with the CFAA at that time.
© 2025 Alan S. Wernick
For more information, see Business Law Today’s full-length article on this subject.
The 2025 COPPA Rule Revision: Implications for Child-Directed and Mixed Audience Websites and Services
By James Hamraie, Bracker & Holder, LLC
On April 22, 2025, the Federal Trade Commission (“FTC”) published a revision to the Children’s Online Privacy Protection Act (“COPPA”) Rule (16 C.F.R. § 312 (2025)). COPPA was initially passed to create privacy protections for children, defined in the rule as “individual[s] under the age of 13.” The revised COPPA Rule reflects the FTC’s effort to expand methods for verifiable parental consent as websites increasingly target children with online services and collect their data.
The revised COPPA Rule applies to any “operator,” meaning a legal person who either (1) “operates a website . . . or an online service and who collects or maintains personal information from or about the users of or visitors,” (2) “on whose behalf such information is collected or maintained,” or (3) “offers products or services for sale through that website or online service.”
The revision expands the definition of what qualifies as a “website or online service directed to children.” In determining if a website is child-directed, the revised rule directs companies to evaluate the following factors:
its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children.
The FTC will also consider “competent and reliable empirical evidence regarding audience composition and . . . the intended audience.” Additionally, websites and services are deemed directed to children when they have “actual knowledge” that they are “collecting personal information directly from users of another website or online service directed to children.”
The revision also adds a definition of “mixed audience website or online service,” meaning a “website or online service that is directed to children . . . but that does not target children as its primary audience, and does not collect personal information from any visitor . . . prior to collecting age information or using another means . . . to determine whether the visitor is a child.” Mixed audience websites and services must implement age screening mechanisms in “a neutral manner that does not default to a set age or encourage visitors to falsify age information.”
The revised COPPA Rule will require operators to reassess their COPPA compliance. Operators will need to determine if their website or online service is child-directed or mixed audience, ensure strict adherence with data minimization principles, obtain opt-in consent for advertising and third-party disclosures, and potentially update acceptable methods of verifiable parental consent.
For more information, consult the FTC’s press release and the final COPPA Rule amendments.

