The National Law Journal
July 5, 2010
An ALM publication
Daily updates at NLJ.COM
Under Computer Fraud and Abuse Act, plaintiff must properly specify a $5,000 loss or case will be tossed.
BY NICK AKERMAN
The Computer Fraud and Abuse Act (CFAA) is the omnibus federal computer crime statute outlawing theft and destruction of data, hacking, use of viruses, theft of passwords and extortionate threats to damage computers. 18 U.S.C. 1030. Any business or individual “who suffers damage or loss by reason of a violation of the” CFAA is entitled to sue for “compensatory damages and injunctive relief.” However, for there to be subject matter jurisdiction over most CFAA civil suits, the plaintiff must prove that the violation caused “loss to 1 or more persons during any 1-year period…aggregating at least $5,000 in value.” § 1030(c)(4)(A)(i)(I).
Commentary and advice on developments in the law
The $5,000 in loss is not general damages but specific categories of costs to the CFAA victim. Failure to allege and prove these specific categories is fatal to the court’s jurisdiction, resulting in dismissal. This article will survey the current state of the law on what “loss” means and will highlight the pitfalls to avoid in drafting and prosecuting a CFAA action. “Loss” is defined in the statute as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 1030(e)(11). The $5,000 loss requirement reflects “Congress’ general intent to limit federal jurisdiction to cases of substantial computer crimes.” In re Doubleclick, Inc. Privacy Litigation, 154 F. Supp. 2d 497, 522 (S.D.N.Y. 2001).
As an initial matter, “to establish a viable CFAA claim,” the plaintiff must show the costs associated with the “loss” “were reasonable” and “directly causally linked to…the alleged CFAA violation.” A.V. v. iParadigms LLC, 562 F.3d 630, 646 (4th Cir. 2009). The causation requirement has been interpreted “to incorporate traditional principles of tort causation.” Global Policy Partners LLC v. Yessin, 686 F. Supp. 2d 642, 647 (E.D. Va. 2010). Thus, in determining whether a plaintiff has proven “loss,” a jury can “consider only those costs that were a ‘natural and foreseeable result’ of Defendants’ conduct.” U.S. v. Middleton, 231 F.3d 1207, 1213 (9th Cir. 2000).
The first category of “loss” set out in the statute is “responding to an offense” by “conducting a damage assessment” and “restoring” the computer system “to its condition prior to the offense.” The classic example of this type of loss was upheld in Middleton, in which Nicholas Middleton, a disgruntled former computer administrator for an Internet service provider, entered the company’s computer network and “changed all the administrative passwords, altered the computer’s registry, deleted the entire billing system (including programs that ran the billing software) and deleted two internal databases.” Id. at 1209.
At trial, the government offered proof of $10,092 in loss, required to support a five-year felony, based on the “hourly rates (calculated using their annual salaries)” of the victim company’s employees to respond to Middleton’s offense by investigating and repairing the damage caused to the company computer network. That amount also included the cost of recreating the destroyed databases and the cost of a consultant and new software. Id. at 1214. In addition, lost revenue to the business caused by an employee having to respond to an offense instead of conducting the operations of the business “may qualify as losses under the CFAA.” iParadigms, 562 F.3d at 651.
FORENSIC COMPUTER EXAMINATIONS
The cost of an outside forensic examiner to determine whether a Web site had been “compromised” as a result of a CFAA violation may also constitute “loss.” EF Cultural Travel B.V. v. Explorica Inc, 274 F.3d 577, 584, n.17 (1st Cir. 2001). The court in EF Cultural Travel rejected the defendants’ argument that “such diagnostic measures” do not constitute “loss” when there is no “physical damage” to the plaintiff’s Web site. Id. at 585. While EF Cultural Travel represents the prevailing law adopted by most federal courts, there are several district courts that have recently refused to find loss based on a forensic computer investigation when the plaintiff presented no evidence of “damage to its computers or that it suffered any service interruptions.” von Holdt v. A-1 Tool Corp., 2010 WL 1980101, at *12 (N.D. Ill. May 17, 2010). These cases ignore the plain language of the CFAA’s definition of “loss,” which clearly differentiates between costs of responding to an offense and costs related to interruption of service.
Nonetheless, simply paying for a forensic investigator to conduct an investigation without a focus on the CFAA’s requirements of “loss” is insufficient. In Chas. S. Winner Inc, v. Polistina, 2007 WL 1652292, at *4 (D.N.J. June 4, 2007) the court dismissed the CFAA claim because the plaintiff alleged no facts showing that the amount paid to the investigator “was related to investigating or remedying damage to the computer, or due to interruption of the computer’s service.” Absent such evidence, the court was left to assume that the investigation simply related to the “recovery” of evidence to prove the CFAA violation rather than responding to or remediating the offense.
Nor can “loss” be proved by “costs incurred investigating business losses, unrelated to actual computers or computer services.” Nexans Wires S.A. v. Sark-USA Inc.,166 Fed. Appx. 559, 563 (2d Cir. 2006). In Nexans Wires, the plaintiff argued that it satisfied the CFAA’s “$5,000 loss requirement because it spent approximately $8,000 to send its executives from Germany to New York to investigate the misappropriations of its stored data.” The court found that the plaintiff failed to prove “loss” because there was no connection between the travel costs incurred by its executives in visiting New York City and ” ‘any type of computer investigation or repair,’ or any preventative security measures or inspections.” Id.
Also, the investigation must relate to the computer that was the subject of the CFAA violation. In Doyle v. Taylor, 2010 WL 2163521 (E.D. Wash. May 24, 2010), Aaron Doyle, claimed that the defendant stole his thumb drive and disseminated copies of the documents on the thumb drive via the Internet. To prove the requisite $5,000 in “loss,” Doyle submitted affidavits from a computer forensic examiner “detailing the work he anticipates would be required to determine what files were copied from the thumb drive and stored on other computers.” Id. at *2. The court found that “examining others’ computer systems and deleting misappropriated files” from those other computers is “outside the intended scope of the” CFAA. Id. at *3.
The second independent category of “loss” is lost revenue, costs “or other consequential damages incurred because of interruption of service.” In Nexans Wires, the plaintiff, in addition to its executives’ travel expenses, claimed that the “defendants’ misappropriation of its confidential data caused it to lose ‘profits of at least $10 million.’ ” 166 Fed. Appx. at 562. The court held that “the plain language of the statute treats lost revenue as a different concept from incurred costs, and permits recovery of the former only where connected to an ‘interruption of service.’” Because there was no interruption of service, the plaintiff’s “asserted loss of $10 million is not a cognizable loss under the CFAA.” Id. at 563.
A motion to dismiss based on a failure to plead proper “loss” is a challenge to the court’s jurisdiction, and therefore the plaintiff must respond “with rebuttal evidence.” Polistina, 2007 WL 1652292, at *4. Given that procedural posture, it is critical that, before filing a CFAA action, a plaintiff carefully formulate its theory of “loss” in conformance with the holdings of the above-described judicial opinions detailing the types of factual circumstances that properly constitute “loss.” In doing so, the complaint must allege:
• “[S]pecific details from which a factfinder could calculate an amount of loss,” Taylor, 2010 WL 2163521, at *3, which can neither be speculative nor conclusory and are reasonable and not overreaching.
• Losses that are linked directly to the CFAA violation and the computer that was the object of the violation.
In Yessin, the court refused to consider plaintiffs’ proper categories of loss- “expenses incurred in…establishing, configuring, and designing a new web site and e-mail addresses” because the plaintiff failed “to provide evidence that may properly be considered on summary judgment” and failed to prove “that certain of these expenditures were a reasonably necessary response to the alleged CFAA violations, as required to prove a causal link.” 686 F. Supp. 2d at 648. Yessin underscores the need for carefully developing the factual basis for loss before filing the CFAA action.
Reprinted with permission from the July 5, 2010 edition of THE NATIONAL LAW JOURNAL (c) 2010 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382, firstname.lastname@example.org or visit www.almreprints.com. #005-07-10-12