Veksler v. Wipro, LLC: Reaffirming the “Conscious Objective” Intent Standard Under ECPA, SCA, and CFAA

Court: United States Court of Appeals for the Second Circuit (Summary Order)
Docket: No. 25-369
Date: December 19, 2025
Panel: Circuit Judges Robert D. Sack, Myrna Pérez; District Judge Vincent L. Briccetti (sitting by designation)


I. Introduction

This summary order in Veksler v. Wipro, LLC addresses alleged unauthorized installation and use of security software on a freelancer’s personal laptop, framed as violations of three federal statutes:

  • the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2511(1)(a);
  • the Stored Communications Act (SCA), 18 U.S.C. § 2701(a); and
  • the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(a)(5)(A)–(C).

The plaintiff, Elvira Veksler, worked remotely for Wipro as a freelance content writer, using her own laptop. She later discovered that Wipro’s security management tool, JAMF, and allegedly CrowdStrike Falcon Sensor (“CrowdStrike”), resided on her device. She claimed Wipro secretly and intentionally installed and used those tools to monitor or access her data and communications.

After discovery, the Southern District of New York (Judge Oetken) granted summary judgment to Wipro on all federal claims and dismissed the state-law claims without prejudice. The Second Circuit, on de novo review, affirmed.

Although labeled a “summary order” without precedential effect under Local Rule 32.1.1, Veksler is citable and provides a clear and practical reaffirmation of a key principle: to prevail under the ECPA, SCA, and CFAA, a plaintiff must produce evidence that the defendant acted with the “conscious objective” of accessing the computer or communications at issue. Mere capability of surveillance tools or speculative expert assertions are not enough to survive summary judgment.


II. Summary of the Opinion

A. Factual Background

  • Between July and November 2021, Veksler worked as a freelance content writer for Wipro, using her personal laptop.
  • Wipro provided her with a Wipro email ID so she could access its web-based email service.
  • On February 10, 2022, several months after the freelance engagement ended, Veksler contacted a Wipro employee to say she was locked out of her laptop and sought Wipro’s assistance.
  • Wipro investigated and determined that its “security management tool,” JAMF, had been installed on her computer.
  • Veksler claimed that CrowdStrike Falcon Sensor was also installed and that both tools were used to access/monitor her personal data and communications without her knowledge or consent.
  • On February 16, 2022, Wipro successfully removed JAMF from the laptop.

B. Claims and Procedural Posture

Veksler asserted that Wipro’s conduct violated:

  • ECPA – by “intercepting” her electronic communications;
  • SCA – by intentionally accessing without authorization a “facility” through which an electronic communication service is provided, and thereby obtaining or altering communications in storage; and
  • CFAA – by intentionally accessing a protected computer without authorization, causing damage and loss.

She also brought unspecified state-law claims, which the district court dismissed without prejudice (a dismissal the Second Circuit summarily affirmed).

Wipro moved for summary judgment after discovery. The district court concluded that Veksler had not produced evidence from which a reasonable jury could find that Wipro intentionally installed or used the software on her laptop, and granted judgment for Wipro on all federal claims.

C. Issues on Appeal

The central appellate questions were:

  1. Whether the record contained sufficient evidence for a reasonable jury to find that:
    • Wipro intentionally caused JAMF or CrowdStrike to be installed on Veksler’s laptop; or
    • Wipro, knowing the tools were present, intentionally used them to intercept her communications or access her data.
  2. Whether Veksler’s expert report (the “Clifton Report”) created a genuine dispute of material fact about Wipro’s intent.

D. Holding

The Second Circuit affirmed summary judgment for Wipro, holding that:

  • The ECPA, SCA, and CFAA all require that the defendant act with a “conscious objective” to engage in the prohibited access or interception.
  • On the evidence presented, no reasonable factfinder could conclude that Wipro:
    • intended for the software to be installed on Veksler’s device in the first place, or
    • intended to use that software to access her data or intercept communications.
  • The Clifton Report was speculative or conclusory on the dispositive issue of intent and therefore did not create a genuine dispute of material fact.

Accordingly, the judgment of the district court was affirmed, and all federal statutory claims were dismissed on summary judgment.


III. Legal Framework

A. Statutory Provisions

The opinion focuses on three interrelated federal statutes governing electronic privacy and unauthorized computer access.

1. ECPA – 18 U.S.C. § 2511(1)(a)

The ECPA makes it unlawful to:

“intentionally intercept[], endeavor[] to intercept, or procure[] any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.”

Key concept: the interception must be intentional, not accidental or incidental.

2. SCA – 18 U.S.C. § 2701(a)

The SCA makes it unlawful to:

“intentionally access[] without authorization a facility through which an electronic communication service is provided; or … intentionally exceed[] an authorization to access that facility[,] and thereby obtain[], alter[], or prevent[] authorized access to a wire or electronic communication while it is in electronic storage in such system.”

Again, the focus is on intentional access without authorization (or intentional exceeding of authorized access).

3. CFAA – 18 U.S.C. § 1030(a)(5)(A)–(C)

The CFAA provisions invoked by the plaintiff cover three types of conduct:

  • § 1030(a)(5)(A): “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;”
  • § 1030(a)(5)(B): “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage;”
  • § 1030(a)(5)(C): “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.”

Across these subsections, the court and the parties treated “intentional access” as requiring deliberate, purposeful access, not merely negligent or inadvertent contact with the protected computer.

B. Intent as a Common Element

The Second Circuit emphasized that each statute requires the defendant to have acted intentionally. The panel, citing criminal ECPA precedent, framed the required mental state as a “conscious objective”:

“Here—as both parties agree—that means Veksler’s burden is to establish that Wipro acted with the ‘conscious objective’ of accessing her computer.” (citing United States v. Townsend, 987 F.2d 927, 930 (2d Cir. 1993)).

Under this standard, liability requires more than:

  • a system or process that could lead to access, or
  • an accidental or mistaken interaction with the plaintiff’s computer or communications.

Instead, the defendant’s action must be the product of a deliberate decision: a purposeful plan to access or intercept.

C. Summary Judgment Standard

The court reviewed the district court’s decision de novo and reiterated the familiar standard from Federal Rule of Civil Procedure 56(a), as paraphrased through Roth v. Armistice Capital, LLC, 151 F.4th 21 (2d Cir. 2025):

  • Summary judgment is appropriate where there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.
  • The evidence must be construed in the light most favorable to the non-movant, drawing all reasonable inferences in that party’s favor.

The ultimate question is whether a reasonable jury could find for the non-movant on the record presented. If not, summary judgment is proper even in the presence of conflicting expert opinions.


IV. Precedents and Authorities Cited

A. United States v. Townsend, 987 F.2d 927 (2d Cir. 1993)

In Townsend, the Second Circuit interpreted the ECPA’s “intentionally intercepts” language to require that the defendant’s conduct be the product of a conscious objective, not mere mistake or accident. The court in Veksler quotes this standard:

“[T]o find an ECPA violation, the ‘defendant’s act must have been the product of defendant’s conscious objective rather than the product of a mistake or an accident.’”

By explicitly importing this criminal standard into the civil context and then, via footnote, extending it to the SCA and CFAA, the panel consolidates the intent requirement across the three statutes around the same mental state benchmark.

B. Butera & Andrews v. IBM, 456 F. Supp. 2d 104 (D.D.C. 2006)

The panel relies on the district court’s discussion in Butera & Andrews to support the proposition that the SCA and CFAA’s intentionality requirement is interpreted similarly to the ECPA’s:

“As the District Court pointed out, courts have interpreted the intentionality requirement in the SCA and the CFAA to have the same meaning as it does in the ECPA.” (citing Butera & Andrews v. IBM, 456 F. Supp. 2d 104, 110 (D.D.C. 2006)).

This reinforces a uniform approach: across ECPA, SCA, and CFAA, “intentional” denotes purposeful, volitional action rather than mere foreseeability or carelessness.

C. Expert Evidence Line: Dalberth, Omnicom, Raskin, and Garcia

The court addresses the Clifton Report with a line of Second Circuit authority on expert testimony at the summary judgment stage:

  • Dalberth v. Xerox Corp., 766 F.3d 172, 189 (2d Cir. 2014)
  • In re Omnicom Grp., Inc. Sec. Litig., 597 F.3d 501, 512 (2d Cir. 2010)
  • Raskin v. Wyatt Co., 125 F.3d 55, 66 (2d Cir. 1997)
  • Garcia v. Hartford Police Dep’t, 706 F.3d 120, 128 (2d Cir. 2013)

From these, the panel draws several settled principles:

  • “Summary judgment is not per se precluded because there are conflicting experts.” (Dalberth, quoting Omnicom).
  • “An expert’s report is not a talisman against summary judgment.” (Dalberth, quoting Raskin).
  • Expert conclusions that are “speculative or conclusory” do not create a genuine issue of material fact. (Garcia).

Applying these precedents, the court characterizes many of the Clifton Report’s conclusions as “speculative or conclusory” and emphasizes that the dispositive question—Wipro’s intent—falls outside the report’s legitimate scope as an expert analysis.

D. Roth v. Armistice Capital, LLC, 151 F.4th 21 (2d Cir. 2025)

The panel cites Roth for the basic articulation of de novo review and the Rule 56 standard. The importance here is not doctrinal innovation but reaffirmation: the appellate court rigorously applies the familiar summary judgment framework, even in a technically complex, privacy-related context.


V. The Court’s Legal Reasoning

A. Unifying the Intent Requirement Across ECPA, SCA, and CFAA

Both the district court and the Second Circuit treat the requirement of “intentional” conduct under ECPA, SCA, and CFAA as substantively identical. Adopting the Townsend “conscious objective” standard, the court holds that:

  • the installation of the software must have been intended, and
  • any alleged use of the software to access or intercept communications must also have been an object of Wipro’s purposeful conduct.

Thus, Veksler had to show that:

“at some point in time, Wipro intended for its software to be installed on her laptop.”

If the installation was inadvertent, automatic, or the product of some impersonal technical process without Wipro’s conscious decision, the statutory “intent” element fails.

B. Lack of Evidence of Intentional Installation

1. Timing as Established by Forensic Evidence

Veksler argued that the software was pushed to her device when she first created and used her Wipro email account, implying a deliberate workplace policy of deploying monitoring tools to any device associated with corporate email.

The court, however, relies on undisputed forensic analysis of her laptop, which showed that the relevant software was installed in October 2021, “several months after she created her Wipro account.” This factual finding undermines her specific theory of installation at the moment of account creation:

“Contrary to Veksler’s theory that the software was pushed to her device when she first created a Wipro email account, the only forensic analysis conducted of the device found that the software was not installed until October 2021—several months after she created her Wipro account.”

This timing gap significantly weakens any causal inference linking the act of creating the email account to the installation of JAMF or CrowdStrike.

2. Internal Email: “We’re Responsible”

Veksler highlighted an internal Wipro email stating “this person is locked out of her computer and we’re responsible” as evidence that Wipro intentionally installed the software. The panel rejects this leap:

“But no reasonable factfinder could conclude, based on this isolated line, that Wipro was aware its software had been installed on Veksler’s laptop before Veksler contacted Wipro in February 2022, let alone that Wipro intended that outcome.”

Key points in this reasoning:

  • The email is dated after Veksler contacted Wipro about being locked out.
  • The phrase “we’re responsible” is read as an acknowledgment of remedial responsibility, not as an admission of prior intent to install or misuse software.
  • There is no independent evidence that Wipro ever directed the installation before learning of the laptop lockout.

In effect, the court holds that this isolated email, without more, is insufficient to support a reasonable inference of deliberate, pre-February 2022 conduct by Wipro.

C. No Evidence of Intentional Use of the Software

Even assuming arguendo that JAMF or CrowdStrike ended up on the laptop and were technically capable of accessing data or intercepting communications, the court stresses that capability does not equal use or intent:

“Even if there is a triable issue as to whether JAMF or CrowdStrike could have been used to access Veksler’s data, monitor her communications, or intercept her communications in the way she alleges, nothing in the record suggests that Wipro actually used its software to do so in this case.”

Further:

“And Veksler adduces no evidence that it was ever Wipro’s conscious objective to use the software on Veksler’s device to do so.”

Thus, the chain of required proof has multiple missing links:

  1. Proof that Wipro deliberately caused the installation, and
  2. Proof that, once installed, Wipro actually used the tools to access or intercept her data, and
  3. Proof that such use was Wipro’s conscious objective.

The record, as described by the court, contains no direct evidence (such as logs, directives, admission, or testimony) and no sufficiently strong circumstantial evidence from which a jury could reasonably infer those elements.

D. Treatment of the Clifton Expert Report

The Clifton Report is central to the plaintiff’s effort to avoid summary judgment. The court, however, is clear that the report does not rescue the claims.

1. Conflicting Experts Do Not Automatically Preclude Summary Judgment

The panel begins by reiterating that the mere existence of expert evidence on both sides does not bar summary judgment:

“[S]ummary judgment is not per se precluded because there are conflicting experts.” (quoting Dalberth and Omnicom).

And:

“[A]n expert’s report is not a talisman against summary judgment.” (quoting Raskin).

In other words, the presence of expert testimony, even if admissible, does not relieve the non-movant of the need to show that the testimony generates a genuine dispute of material fact.

2. “Speculative or Conclusory” Opinions

The court characterizes “many of the conclusions” in the Clifton Report as:

“speculative or conclusory.” (citing Garcia).

Expert speculation—particularly about a party’s intent or mental state—does not create a trial-worthy factual dispute. Experts generally can:

  • Explain how software works;
  • Describe what logs or artifacts appear on a device;
  • Discuss what could be done with particular tools.

But they cannot fill evidentiary gaps about what the defendant actually intended or did, especially when such conclusions rest on conjecture rather than concrete data.

3. Intent Is Beyond the Expert’s Legitimate Scope

The court emphasizes that “the dispositive issue of Wipro’s intent is beyond the Report’s scope.” That is, even if the Clifton Report is taken at face value on technical matters:

  • It does not—and cannot—provide non-speculative evidence that Wipro had a conscious objective to install or use the software on Veksler’s device.
  • It adds no facts that could allow a reasonable jury to infer that missing intent.

The panel concludes:

“[W]e conclude that the report does not add any facts to the record that create a genuine dispute as to any material fact.”

Accordingly, even accepting the expert’s technical descriptions, the essential legal element of intent remains unproven as a matter of law.


VI. Impact and Practical Implications

A. Persuasive but Nonprecedential Authority

The order explicitly notes that, under Second Circuit Local Rule 32.1.1,

  • Summary orders do not have precedential effect;
  • They may nonetheless be cited, consistent with Federal Rule of Appellate Procedure 32.1, as persuasive authority.

Thus, Veksler does not formally bind future panels, but it is likely to be influential as:

  • a current articulation of the “conscious objective” standard in the remote work / BYOD (bring-your-own-device) context;
  • a practical illustration of how courts evaluate forensic evidence, internal communications, and expert reports in ECPA/SCA/CFAA cases.

B. High Evidentiary Bar for Plaintiffs Alleging Covert Monitoring

For plaintiffs alleging that employers or contractors covertly installed surveillance or security tools on personal devices, Veksler underscores a demanding evidentiary standard:

  • It is not enough to show that software associated with the defendant ultimately appeared on the plaintiff’s device.
  • It is not enough to show that such software could monitor communications or access data.
  • The plaintiff must be able to marshal evidence—from logs, instructions, testimony, or credible circumstantial indicators—of the defendant’s purposeful decision to install and/or use the software in that manner.

Absent such evidence, courts may find, as here, that any access is:

  • the result of mistake, misconfiguration, or automated processes; and
  • insufficient to meet the statutes’ intentionality requirements.

C. Guidance for Companies Using Endpoint Management Tools

Companies deploying remote management or endpoint security tools (such as JAMF, CrowdStrike, or comparable software) can draw several practical lessons:

  • Documentation and audit trails are critical. Clear records of deployment decisions and authorizations can rebut inferences of covert intent.
  • Prompt remedial action (as Wipro took when notified) may support an inference that any installation was unintended and that the company did not seek to exploit access.
  • BYOD policies should be explicit about when and how corporate tools may be installed on personal devices, ideally with written consent, to minimize both legal risk and factual disputes.

While such tools remain legally permissible when properly authorized and used, Veksler shows how disputes can arise when employees or contractors discover software they did not anticipate.

D. Clarifying the Role of Expert Testimony in Privacy/Computer Fraud Cases

The decision reiterates that:

  • Technical experts can illuminate how software operates and what is technically possible, but
  • They cannot, simply by hypothesizing scenarios, create a triable issue of fact as to whether those scenarios actually occurred or were intended by the defendant.

For future litigation:

  • Plaintiffs should ensure that their experts are tethered to forensically observable facts and avoid speculative narratives.
  • Defendants can credibly argue that speculative expert opinions about capabilities, without corroborating evidence of actual use or intent, do not defeat summary judgment.

E. Harmonization of Intent Standards Across Statutes

By explicitly tying the SCA and CFAA intent standards to the ECPA standard via Townsend and Butera & Andrews, the panel reinforces doctrinal consistency:

  • Courts in the Second Circuit are likely to continue applying a single, unified concept of “intentional” across these three key statutes.
  • This benefits both plaintiffs and defendants by making the legal landscape more predictable.

In practice, this harmonization means that civil privacy and computer-fraud claims cannot be premised on merely negligent or automated conduct; purposeful wrongdoing is the touchstone.


VII. Complex Concepts Simplified

A. “Intentionally” and “Conscious Objective”

When the court says Wipro must have had a “conscious objective” to access Veksler’s computer, it is using a familiar criminal-law concept of intent:

  • Conscious objective means the defendant wanted the access or interception to occur and acted to bring it about.
  • It is not enough that the defendant should have known something might happen, or that it was reasonably foreseeable.
  • It must be more than accident, mistake, or unintended collateral consequence of some other action.

In short: the defendant must have purposely chosen conduct aimed at accessing the computer or communications.

B. “Intercept” under ECPA

Under ECPA, “intercept” generally means the acquisition of the contents of a communication (e.g., email, message) as it is being transmitted. The key ideas are:

  • There must be an acquisition of the communication; and
  • The acquisition must be intentional, not accidental.

In Veksler, the court does not resolve detailed definitional disputes about “intercept” because it finds no evidence that Wipro intentionally used the software to capture any communications at all.

C. “Facility through which an Electronic Communication Service is Provided” (SCA)

The SCA’s phrase can be conceptually difficult. In general terms:

  • A “facility” can include servers or systems operated by an email provider or similar service.
  • The SCA prohibits intentional unauthorized access to such facilities to obtain or alter stored communications.

In this case, the court again sidesteps the finer points of what counts as a “facility” because, regardless of definitions, there is no proof of Wipro’s intentional unauthorized access.

D. “Protected Computer” (CFAA)

Under the CFAA, a “protected computer” generally includes any computer used in or affecting interstate or foreign commerce or communication—essentially, almost any internet-connected device.

Veksler’s personal laptop, used in interstate commerce and connected to the internet, would qualify. The question is not whether it is “protected,” but whether Wipro:

  • intentionally accessed it without authorization; and
  • caused “damage” or “loss” as defined by the statute.

No such intentional access was established on the record.

E. Summary Judgment

Summary judgment is a way to resolve a case without trial when there is no genuine dispute about any material fact. A fact is:

  • Material if it could affect the outcome under the governing law.
  • In genuine dispute if a reasonable jury could find for either party on that fact, given the evidence.

If the record, viewed in the non-movant’s favor, still could not convince a reasonable jury to find for that party, the judge may grant summary judgment. That is what happened here: the court concluded no reasonable jury could find the element of intentional conduct on the available evidence.

F. “Without Prejudice” (State-Law Claims)

The district court dismissed Veksler’s state-law claims “without prejudice,” and the Second Circuit affirmed. “Without prejudice” means:

  • The dismissal was not on the merits of those claims, and
  • Veksler is generally free to refile them (e.g., in state court), subject to applicable statutes of limitations and other procedural rules.

This often happens when federal claims are dismissed and the court decides not to exercise supplemental jurisdiction over remaining state-law issues.


VIII. Conclusion

Veksler v. Wipro, LLC does not create new doctrine so much as it crystallizes and applies existing law in a contemporary context: remote work, bring-your-own-device arrangements, and corporate security tooling. The key takeaways are:

  • Unified Intent Standard: Under ECPA, SCA, and CFAA, “intentional” conduct means conduct undertaken with a conscious objective to access a computer or intercept communications. Accidental or automated access does not satisfy this standard.
  • Capability vs. Use: The mere presence of powerful software (JAMF, CrowdStrike) on a device, and its theoretical capability to monitor or intercept, does not create liability. Plaintiffs must show actual use of the software for unlawful purposes, tied to the defendant’s intent.
  • Evidence Matters: Forensic timelines, internal emails, and expert reports must do more than suggest possibilities. They must support non-speculative inferences about what the defendant did and intended.
  • Limits of Expert Testimony: Expert opinions cannot, by themselves, establish a party’s mental state. Speculative or conclusory reports, especially on intent, will not defeat summary judgment.
  • Practical Guidance for BYOD and Security Tools: Employers should adopt transparent policies and maintain clear records regarding installation and use of monitoring or management tools on personal devices, while plaintiffs in similar disputes must focus on concrete proof of intentional deployment and use.

As a citable but nonprecedential summary order, Veksler provides persuasive guidance in the Second Circuit and beyond on how courts will scrutinize allegations of covert digital surveillance and unauthorized computer access. It underscores that these privacy and computer-fraud statutes remain aimed at purposeful intrusions—and that plaintiffs must bring substantial, specific evidence of such intent to reach a jury.
