Courts Adopt Tort Standard to Define CFAA “Loss”

The jurisdictional $5,000 “loss” requirement continues to be one of the most hotly contested issues arising out of civil actions filed under the federal Computer Fraud and Abuse Act (“CFAA”). A Washington State federal court last week entered summary judgment for a defendant on a CFAA claim on the ground that the plaintiff failed to produce evidence showing the $5,000 jurisdictional “loss.” Doyle v. Taylor, 2010 WL 2163521 (E.D. Wash. May 24, 2010). The plaintiff, Aaron Doyle, claimed that the defendant stole his thumb drive and disseminated copies of the documents on the thumb drive over the Internet.

The CFAA defines “loss” to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. 18 U.S.C. § 1030(e)(11). The CFAA requires a Plaintiff to show that any such loss exceeded $5,000 in a one-year period. 18 U.S.C. § 1030(c)(4)(A)(i)(I). Without a showing of the $5,000 “loss” in the one year period the CFAA civil action will be dismissed.

To prove the requisite $5,000 in “loss,” the plaintiff Doyle submitted affidavits from a computer forensic examiner “detailing the work he anticipates would be required to determine what files were copied from the thumb drive and stored on other computers.” Id. at *2. The court found that this claim of “loss” for “examining others’ computer systems and deleting misappropriated files” is “outside the intended scope of the” CFAA. Id. at *3. In effect, the district court appears to be saying that the claimed “loss” of spending money to examine “every computer onto which such information might have been copied” was not proximately caused by the CFAA violation. Id. In other words, the costs of examining third party computers to find and remove stolen files is too far removed from the violation perpetrated on the computer that was the object of the CFAA violation to be considered “loss” under the statute.

This is the precise standard that had been enunciated earlier this year by a Virginia federal district court in Global Policy Partners, LLC v. Yessin, 686 F.Supp2d 642, 647(E.D. Va. 2010) when it adopted the tort standard of causation to decide whether certain costs incurred by the plaintiffs constituted “loss” under the CFAA. Yessin held that the “plaintiffs in this case must show that the losses they claim were the reasonably foreseeable result of the alleged CFAA violations.” Id.