Background: The Pre-Van Buren Split
Section summaryBefore 2021, federal circuits split on whether "exceeds authorized access" reached people who used permitted access for forbidden purposes. The Fifth Circuit, which covers Texas, had taken a narrower view, but other circuits used the CFAA against employees who violated workplace computer-use policies.
For roughly two decades, federal prosecutors charged 18 U.S.C. §1030(a)(2) in fact patterns that had little to do with hacking. An employee with database credentials who pulled records for a side business. A contractor who downloaded files for a personal purpose. A staffer who searched a system after being told the search was off-limits. Several circuits held those people "exceeded authorized access" — the violation was the forbidden purpose, not the entry.
The Fifth Circuit, which hears appeals from federal district courts in Texas, had been skeptical. So had the Second and Ninth. The Eleventh, First, Fifth (in some opinions), and Seventh had been broader. Defense lawyers had been warning that the broad reading turned the CFAA into a workplace-policy enforcement tool. Our deep dive on §1030(a)(2) walks through the elements as they read today.
Then Van Buren reached the Supreme Court on facts that put the split in stark relief: a Georgia police sergeant ran a license-plate search in a state law-enforcement database in exchange for cash, knowing the search was for a non-law-enforcement purpose. He had login credentials. He had authorization to query that database. The only thing he was not allowed to do was use the query for that reason.
The Holding and the Gates-Up-Or-Down Test
Section summaryThe Court held 6-3 that "exceeds authorized access" requires accessing files, folders, or areas of a computer the user was not entitled to enter. It adopted a "gates-up-or-down" framing: the question is whether the gate was open or closed, not whether you walked through it for a permitted reason.
Justice Barrett's majority opinion zeroed in on the statutory phrase: "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." The Court read "so" to refer to the manner of access — not the manner of use. If the file was off-limits, accessing it exceeds authorized access. If the file was on-limits but used wrongly, that is a policy or contract problem, not a CFAA crime.
The "gates-up-or-down" framing captures the rule: each piece of information on a system has a gate. Either you are allowed through that gate or you are not. Van Buren was allowed through the license-plate-search gate, so he did not exceed authorized access — even though his reason was indefensible. The dissent argued the Court ignored the practical reality of how insider abuse works, but the majority was concerned about a statute that could "criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook."
For Texas defendants, the key sentence is the Court's narrow construction of the access clause — it constrains federal charging power even on egregious facts, as long as the entry itself was authorized.
What Changed for Federal Cases in Texas
Section summaryFederal prosecutors in the Northern District of Texas (Dallas, Fort Worth) and Eastern District of Texas (Sherman, Plano) have shifted away from §1030(a)(2) on insider-misuse cases and toward wire fraud, theft of trade secrets, and §1030(a)(4) where intent to defraud can be proven.
Three concrete shifts have emerged since 2021:
- Charging strategy. Where an employee misused authorized access for financial gain, prosecutors increasingly pair or substitute §1030(a)(4) (computer fraud) or wire-fraud counts. The §1030(a)(4) provision requires intent to defraud, which is a higher bar but avoids the Van Buren ceiling.
- Loss-driven counts. CFAA loss provisions under §1030(a)(5) and the $5,000 threshold still operate where damage rather than mere access is alleged. Insider deletion or alteration cases remain viable.
- Trade-secret federalization. The Defend Trade Secrets Act (18 U.S.C. §1836) gets more use where the actual misconduct was downloading proprietary information for a competitor.
If you are weighing exposure on a specific fact pattern, our CFAA charge-subsection spotter walks through which subsection most likely applies. For sentencing exposure once a federal charge is fixed, the federal sentencing guidelines calculator models the offense-level math.
Texas §33.02 Overlap
Section summaryTexas Penal Code §33.02 — Breach of Computer Security — is the state parallel. It uses similar "without effective consent" language but has not been narrowed by Van Buren, and Texas appellate courts are not bound by it.
Texas Penal Code §33.02 criminalizes knowingly accessing a computer, computer network, or computer system without the "effective consent" of the owner. The statute's structure has parallels to the CFAA but the text is different — and Texas appellate courts decide its meaning, not the U.S. Supreme Court.
That said, Van Buren is a persuasive — not binding — interpretive guidepost. The phrase "effective consent" has a built-in scope question that maps onto the access-versus-use distinction, and defense counsel can argue that the same logic should apply: consent to access a system is different from a promise to use the system only for permitted purposes. Texas prosecutors disagree, and the appellate record is still developing. Our detailed §33.02 analysis covers the charging tiers and consent framework in depth.
Defense Strategy After Van Buren
Section summaryFor any CFAA case after 2021, the first defense question is whether the conduct was a gate-violation or a purpose-violation. Authorization documents, role-based access controls, and credentialing patterns become the central evidence.
A defense workup now turns on records that may not have been preserved with criminal exposure in mind:
- Role-based access control documentation — what gates did the employee have credentials for?
- Acceptable-use policy text and version history — does it create a "gate" or merely a use restriction?
- System audit logs — did the access events touch resources outside assigned roles?
- Onboarding and credentialing emails — what was the scope of the original grant?
If the documentary record shows the user accessed only resources their role permitted, a motion to dismiss under Van Buren may foreclose the §1030(a)(2) count entirely. The fight then shifts to whether §1030(a)(4) applies (requiring intent to defraud) or whether state law fits better.
Need defense counsel?
L&L Law Group, PLLC handles Computer Crimes Defense cases throughout DFW. Initial consultations are free.
Call (972) 370-5060 →Frequently Asked Questions
Does Van Buren help if I had login credentials but accessed a database I was not supposed to query?
Are state computer-crime cases in Texas affected by Van Buren?
Can I still be charged under §1030(a)(4) if my conduct was misuse of authorized access?
Does Van Buren apply retroactively to older cases?
Read the full Texas Computer Crimes Defense Guide
This article is one section of our comprehensive Texas Computer Crimes Defense Guide. The pillar guide covers recent developments, official resources, and the complete framework with deeper analysis.
Read the Pillar Guide →Next Steps
If you are facing a situation described here, consult counsel promptly. Many issues in this area run on strict deadlines.
- Call (972) 370-5060
- Email info@landllawgroup.com
Cite this guide
Bluebook: Reggie London & Njeri London, How Van Buren Narrowed the CFAA — Texas Implications, L&L Law Group (May 30, 2026), https://landllawgroup.com/insights/van-buren-cfaa-narrowed-texas-implications/.
APA: London, R., & London, N. (2026, May 30). How Van Buren Narrowed the CFAA — Texas Implications. L&L Law Group.