A federal court in Ohio last week held that the cost of investigating ways to make a website more secure after an authorized access into the website in violation of the Computer Fraud and Abuse Act (“CFAA”) constitutes “loss” to meet the $5,000 jurisdictional amount for loss under the CFAA. Jedson Engineering, Inc. v. Spirit Construction Services, Inc., 2010 WL 2541619 *19 (S.D. Ohio June 18, 2010)
The court rejected the defendant’s motion for summary judgment on Jedson’s CFAA claim on the ground that Jedson had not met the $5,000 jurisdictional amount for loss required by the CFAA. Jedson relied on the Affidavit of the person “who was involved in the set-up and management of the . . . website” and who attested “that as a result of the unauthorized access of the website by Baisch, he was asked to investigate ways to make the website more secure.” Id. Baisch, however, asserted “that Jedson cannot recover for costs associated with investigating ways to make the website more secure” and “that the statute only allows recovery for costs associated with investigating and remedying damage to a computer, or a cost incurred because the computer’s service was interrupted.” Id.
In rejecting Baisch’s argument the court held that “Jedson can recover for costs associated with investigating ways to make the website more secure” because “the statute itself provides that losses comprise costs incurred in “responding to an offense: and “restoring the data, program, system or information to its condition prior to the offense.” 18 U.S.C. § 1030(e)(11). Id.
Next week in my column in the National Law Journal I will be providing a comprehensive up-to-date summary of where the courts are in interpreting the CFAA’s jurisdictional loss requirement and will be posting that article on this site