This post was authored by Devin Chwastyk and Frank Lavery, II.  Devin is the Chair of the Privacy & Data Security group at McNees.  Frank is a Law Clerk with McNees.  Frank is currently a student at the University of Notre Dame Law School and expects to earn his J.D. in May of 2022.

On June 3, 2021, the U.S. Supreme Court issued an important opinion in Van Buren v. United States, which provided important clarification of the scope of the Computer Fraud and Abuse Act (CFAA).  The CFAA bars unauthorized access, or access that exceeds authorization, to any computer “used in or affecting interstate or foreign commerce or communication.”  As the Supreme Court aptly explains, this extends protection—at a minimum—to all information from computers that connect to the internet.  Thus, the implications of the CFAA are far reaching. The decision in Van Buren explored what constitutes “unauthorized access” and “access that exceeds authorization.”

Nathan Van Buren was a police sergeant who was provided access to a law enforcement database by the state of Georgia.  Yet, he was only permitted to access the database for legitimate law enforcement purposes.  Nonetheless, Van Buren searched that database for information about a woman with the intent to sell the results for $6,000 to a willing buyer. Unbeknownst to Van Buren, the buyer was a confidential FBI informant posing as a potential romantic partner of the woman.  There was no dispute that Van Buren was prohibited by his Department’s policy from accessing the database for non-work-related purposes, and that he was provided appropriate training on the policy.  Van Buren was arrested and criminally convicted under the CFAA.

Based on its precedent, the 11th Circuit affirmed the conviction, and the Supreme Court granted certiorari to resolve the stark split among the U.S. Courts of Appeal as to what constitutes “exceeding authorized use” under the CFAA.  Van Buren argued that his conduct was not criminal, because he was authorized to access the law enforcement database.  The government argued that his access exceeded his authorization because he was only allowed to access the database for work-related purposes.

The Supreme Court held that while Van Buren undeniably violated his department’s policy in his use of the law enforcement database for personal reasons, there was no ‘gate’ meant to keep Van Buren out of the database.  He simply used his police credentials to access the system for a prohibited purpose.  The Court explained that the CFAA is meant to keep out “outside hackers” through authorization, and “inside hackers” by restricting users from certain parts of a computer system.  The Court went on to hold that “[i]n sum, an individual ‘exceeds authorized access’ when he [or she] accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him [or her].”  Thus, the only relevant question was whether Van Buren could access the database, which both parties agreed he could.  For that reason, Van Buren did not “exceed authorized access” to the law enforcement database as defined by the CFAA, even though he obtained information from the system for a prohibited purpose.

The holding in Van Buren has some very serious real-world implications for those who wish to protect their information from both outside and inside hackers.  Designing access and restricting access are critical for a number of reasons, and a policy alone will not necessarily constitute adequate technical and procedural safeguards to cordon off data within that system.  If your organization wants to properly restrict access to certain information, you must put in place “gates” to keep users out (including employees who are permitted limited access to the system).  These technical IT infrastructure protections should be in addition to policies restricting access and training programs.  Once these safeguards are in place, anyone that ‘hacks’ to gain access to the restricted information will have committed a criminal violation of the CFAA and could be liable to the organization or employer for civil damages.

McNees is hosting a Municipal Roundtable to discuss the issues of disclosure in the secondary market. This discussion will include an overview of SEC Rule 15c2-12 and cover everything from the simple things issuers do wrong to ESG disclosure and disclosure by distressed issuers. Participants will also have the ability to ask questions in this open forum roundtable setting hosted by McNees.

Be sure to sign up to attend!

Download full agenda here

Date:  June 24, 2021

Time:  12:00 – 1:00 pm

Presenters:

David Unkovic (moderator), Of Counsel – McNees Wallace & Nurick LLC

Richard DreherChief Financial Officer – Pennsylvania Turnpike Commission

Stephen Flaherty, Director – RBC Capital Markets, LLC

Timothy J. Horstmann, Member – McNees Wallace & Nurick LL

Leonidas Pandeladis, Deputy Executive Director and Chief Counsel – Pennsylvania Housing Finance Agency

Terry Snyder, Paralegal – McNees Wallace & Nurick LLC

Michael D. Vind, Managing Director – Financial S&Lutions LLC

Is your county, municipality, or municipal authority using a .com, .org, .info, or other domain name other than .gov for email and websites? If so, now is as good a time as any to switch to using the .gov domain.

Recently, the Federal Cybersecurity and Infrastructure Security Agency (CISA) announced that it had successfully taken over administration of the .gov top-level domain, in accordance with the DOTGOV Act, which was signed into law by former President Donald Trump on December 27, 2020. Notably, as part of its takeover of the administration of the .gov domain, CISA announced that, effective immediately, it was eliminating the $400 annual fee previously assessed for use of a .gov domain name – a fee  far higher than the average annual fee of $20 or less for use of other domain names.

Thus, access to a .gov domain will now be free for states, counties, municipalities, and authorities. For more information, please visit A new day for .gov | DotGov, or contact me for assistance.

On March 11, 2021, President Joe Biden signed into law the American Rescue Plan Act of 2021 (“ARPA”), which provides for almost two trillion dollars of new federal spending to combat the ongoing impact of the COVID-19 Pandemic. Of particular interest for Pennsylvania is the approximate $350 Billion of new funding appropriated to tribal governments, states, territories, and local governments, $14 Billion of which is estimated to be received by Pennsylvania and its municipalities. With the United States Department of the Treasury (“Treasury”) mandated to pay out a substantial portion of the funds within 60 days of the enactment of ARPA, Pennsylvania and its municipalities might see initial funding from ARPA as early as May. Continue Reading Billions of Dollars Will Soon Start Flowing to State and Local Governments under the American Rescue Plan Act of 2021. Here’s What to Expect.

Pennsylvania counties and municipalities could see a windfall from the nearly $14 billion in aid that will be delivered to the commonwealth through the recently passed American Rescue Plan Act.

While it will be welcome financial relief, counties and local governments should be aware of the rules and regulations regarding how those funds should be spent. Continue Reading With Great Funding Comes Great Responsibility: Assisting Municipalities with American Rescue Plan Compliance

The Municipal Securities Rulemaking Board (MSRB), the regulatory body that oversees the municipal securities market in the United States, recently released its annual report on the status of the market. The report, which can be reviewed here, offers some fascinating insights into what was a tumultuous year for the market. Our highlights follow:

  • Spring Market Dislocation:  For about two weeks in March, the market simply stopped functioning. During this period, benchmark yields in 3-, 10- and 30-year bonds increased by 213, 193 and 182 basis points, respectively. However, the recovery was similarly swift, with yields substantially returning to their pre-pandemic levels by the end of March.

Continue Reading MSRB Releases 2020 Review of Municipal Bond Market

Recent legislation passed by the Pennsylvania General Assembly offers a new short short-term borrowing option to local governments and school districts dealing with budget uncertainties related to the ongoing COVID-19 Pandemic. House Bill 2536 was signed into law by Governor Tom Wolf on November 23, 2020, as Act 114 of 2020. Among other things, Act 114 created a special, limited emergency tax and revenue anticipation note program for the 2021 calendar year. The new program will provide greater financial flexibility to local governments and school districts as they await the results of tax collections in the coming months. Continue Reading Short-Term Borrowing for Local Governments, School Districts in COVID Uncertainty

Many Pennsylvania municipalities in recent years have struggled to rein in their Other Post Employment Benefits (OPEB) liabilities. OPEB benefits are retirement benefits a public employer has promised to provide its retired employees, other than pension payments. Benefits might include life insurance premiums, post-retirement healthcare, dental and vision benefits and other types of benefits.

OPEB benefits are typically funded using one of two methods: (i) the pay-as-you-go method, which is generally paid each year from the municipality’s general fund; or (2) or an OPEB trust. A trust is typically established through an initial and then subsequent transfers of funds.   The trust funds are invested and the principal and interest are used to pay for the promised OPEB benefits. Continue Reading Budgeting for OPEB Liabilities with an OPEB Trust

McNees Wallace & Nurick LLC today announced the launch of Keystone Municipal Solutions, a new subsidiary aimed at providing municipalities with interim management and professional consulting services.

Keystone Municipal Solutions is headquartered in Harrisburg and will serve municipalities across Pennsylvania, Delaware and New Jersey. Continue Reading McNees Launches Keystone Municipal Solutions

On January 8, 2021, the Pennsylvania Department of Health (“DOH”) announced its COVID-19 Interim Vaccination Plan, Version 4.0 (the “Plan”).  The Plan follows guidance from the Centers for Disease Control and Prevention (the “CDC”).  Categorized as “interim,” DOH intends to continuously make updates to the Plan to reflect the latest recommendations from the Advisory Committee on Immunization Practices and other guidance available, as well as any feedback received. Continue Reading Pennsylvania’s Latest COVID-19 Vaccination Plan Recognizes Local Governments