Narrow Interpretation of CFAA’s Jurisdictional “Loss” Requirement

A district court in Illinois last week granted summary judgment to a defendant on a Computer Fraud and Abuse Act (“CFAA”) claim by narrowly interpreting the jurisdictional “loss” prerequisite under the CFAA to require a showing that the computer was “impaired” or “suffered an interruption of service.” Von Holdt v. A-1 Tool Corp., 2010 WL 1980101 *12 (N.D. Ill. May 17, 2010). The CFAA is the federal computer crime statute that provides for a private right of action for someone “who suffers damage or loss” as a result of a violation of the statute. Title 18, U.S.C. § 1030(g). Von Holdt and at least one other recent case requiring an actual showing of impairment or interruption of service to prove “loss” are contrary to established law interpreting the CFAA and the CFAA’s legislative history.

As a predicate for filing most CFAA civil actions, it is necessary to show that the offense caused “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Title 18, U.S.C. § 1030 (c)(4)(A)(i)(I). “Loss” is defined by the CFAA to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Title 18, U.S.C. § 1030(e) (11).

The prevailing interpretation of “loss” is found in the First Circuit Court of Appeal’s decision in EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 584-85 (1st Cir. 2001). In that case the plaintiff “paid $20,944.92 [to a computer forensic expert] to assess whether their website had been compromised.” Id. at n.17. The court rejected the defendants’ claim “that such diagnostic measures cannot be included in the $5,000 threshold because their actions neither caused any physical damage nor placed any stress on EF’s website.” Id. The court held “[t]hat the physical components were not damaged is fortunate, but it does not lessen the loss represented by consultant fees.” Id. at 585. The court explained that

To parse the words in any other way would not only impair Congress’s intended scope of the Act, but would also serve to reward sophisticated intruders. As we move into an increasingly electronic world, the instances of physical damage will likely be fewer while the value to the victim of what has been stolen and the victim’s costs in shoring up its security features undoubtedly will loom ever-larger. If we were to restrict the statute as appellants urge, we would flout Congress’s intent by effectively permitting the CFAA to languish in the twentieth century, as violators of the Act move into the twenty-first century and beyond.

Id. 585.

At the time of the EF Cultural decision the CFAA did not define “loss.” Shortly after EF Cultural was handed down the CFAA was amended to include, among other things, the definition of “loss” set forth above. The legislative history, however, is clear that this and other amendments to the CFAA were not intended to change the scope of the protections of the CFAA afforded to a civil plaintiff. United States Representative Jerrold Nadler in speaking about the amendment on the floor of the House of Representatives specifically clarified that this amendment was not designed to change the current law supporting the CFAA. Representative Nadler stated as follows:

Mr. Speaker, I rise to make a clarification to ensure that the legislative language of the bill reflects the reality of technology today and will not affect the status of pending civil actions brought under Section 1030. We need to encourage our businesses to protect their information and computer systems with redundant systems, and we must be careful not to limit legal protection to only one computer when an entire network may be affected.

As I understand the bill, the parenthetical in 1030 (a)(5)(B)(i) is not meant to change current law or inhibit the ability of a corporate Section 1030 plaintiff to base a claim upon loss incurred in connection with a database that is run from more than one server or other computer. In light of the interest in greater Internet security that is demonstrated by this legislation, and the need for data and server redundancy, which minimize potential risks to data integrity, such system redundancy is very important. The section amending 18 U.S.C. 1030 should not be read to undermine the current state of the law of or the goals behind data and system redundancy.

Von Holdt does not address EF Cultural– or this legislative history. Instead, it simply followed another district court decision, Mintel v. Neergheen, 2010 WL 145786, at *10 (N.D. Ill. Jan. 12, 2010) which held that “[t]he alleged loss must relate to the investigation or repair of a computer or computer system following a violation that caused impairment or unavailability of data or interruption of service”(emphasis in original). Von Holdt at *11. As the First Circuit pointed out, there is no good reason why there has to be actual impairment or interruption of service to prove “loss.”

Indeed, just last week another district court in Manhattan correctly stated what a plaintiff must establish to prove “loss,” when it recognized that “[t]he term ‘loss’ has been construed to mean a ‘cost of investigating or remedying damage to a computer, or a cost incurred because the computer’s service was interrupted,” Marketing Technology Solutions, Inc. v. Medizine LLC, 2010 WL 2034404, *7 (S.D.N.Y May 18, 2010), quoting Nexan Wires S.A. v. Sark-USA, Inc., 319 F.Supp.2d 468, 475 (S.D.N.Y. 2004). (emphasis added.)

Von Holdt and Mintel can only be explained as part of a growing trend of a number of federal district courts which are hostile to employers using the CFAA to sue employees who steal trade secret protected data from the company computers. This lower court effort to limit the CFAA is similar to what happened with the Racketeer Influenced and Corrupt Organizations Act (“RICO) to which various district courts repeatedly attempted to limit the statute only to be pushed back by the U.S. Supreme Court. The Supreme Court of course has yet to interpret the CFAA.