A short cluster of federal statutes defines what counts as unlawful access to computers and communications. Contractors run into them in two directions: as potential defendants (when employees, researchers, or data-collection practices cross a line) and as victims (when someone attacks your systems).
The Computer Fraud and Abuse Act (CFAA)
The CFAA is the main federal anti-hacking law. It reaches anyone who accesses a computer "without authorization" or who "exceeds authorized access." It carries both criminal penalties and a civil cause of action. The pivotal modern question was how far "exceeds authorized access" reaches. In Van Buren v. United States (2021), the Supreme Court read it narrowly: it covers accessing files or areas that are off-limits to you — not misusing data you were allowed to reach. So violating an employer policy or a website's terms of service is not, by itself, a federal computer crime. The civil scraping saga in hiQ v. LinkedIn refined the picture: scraping truly public data likely isn't a CFAA violation, but using fake logins to reach gated pages — and breaching the site's terms — still creates liability.
The communications statutes (ECPA)
The Electronic Communications Privacy Act splits into three parts: the Wiretap Act (Title I) bars intercepting communications in transit; the Stored Communications Act (Title II) governs access to and disclosure of communications and records held by providers (email, cloud); and the Pen Register / Trap-and-Trace statute (Title III) covers capturing metadata — the dialing and routing information, not content.
What contractors should take away
Don't rely on the CFAA as your access policy. After Van Buren, internal misuse of authorized data is a matter for your access controls, contracts, and the False Claims Act — not automatically a federal crime. Data collection needs sourcing rules: if you scrape, ingest third-party data, or train models on web data, document what's public, what's gated, and what terms apply. And know the rules before you investigate — monitoring employees or accessing stored communications can implicate ECPA.