Why Two District Courts Dismissed Valid Computer Fraud and Abuse Claims for Lack of Jurisdiction

Two federal district courts, one in Maryland and the other in Texas, dismissed what each court considered to be valid civil claims under the Computer Fraud and Abuse Act (“CFAA”). Title 18 U.S.C. § 1030. The CFAA is the federal computer crime statute that provides a civil cause of action to “any person who suffers damage or loss by reason of a violation of the” statute. The ground for dismissal in each case was the lack of federal jurisdiction for failure to meet the CFAA’s jurisdictional requirement of $5,000 in loss. Costar Realty Information, Inc. v. Field, 2010 WL 3369349 *14 (D. Md. August 23, 2010); M-I LLC v. Stelly, 2010 WL 3257972 (S.D. Texas, Aug. 17, 2010).

Both courts acknowledged that the underlying facts for each claim set forth violations of the CFAA.  The CFAA violation in Costar Realty Information, Inc. related to unauthorized access to Costar’s website that “enables its users to find property for sale or rent” and includes information gathered by its field researchers along with photographs. Costar sells licenses to authorized users who were provided with a user and name and password to access the database. Costar Realty Information, Inc. at *1. The defendants were alleged to have accessed the database or to have allowed others to access the database on multiple occasions without having purchased the proper licensees.

On one of the defendants’ motion for summary judgment the court found Costar had “presented sufficient evidence to demonstrate a material dispute of fact as to” CFAA liability.’ Id. at 10. Another defendant did not even “dispute that his actions establish a violation of the CFAA.” Id. at 13. In M-I LLC the defendants, ex-employees, had left M-I LLC, an oilfield contractor, to join a contractor. Before leaving M-I LLC one of the employees had used an “external memory device” to transfer files of confidential and trade secret protected information from a company laptop. M-I LLC at *11.

In both cases the plaintiffs made the fatal error of simply alleging lost profits as their basis for the $5,000 jurisdictional loss. In Costar Realty Information, Inc. the plaintiff claimed that its $5,000 in loss consisted of the$300,000 license fees the defendants would have paid Costar for access to the database.  Costar Realty Information, Inc. at *10. In M-I LLC the plaintiff alleged damages “to its business in the form of lost profits, loss of customers and loss of future business opportunities.” M-I LLC at *12.

Both courts correctly pointed out that lost profits can only constitute “loss” under the statutory definition of “loss” in the CFAA when the lost profits are “incurred because of interruption of service.” Title 18, U.S.C. §  1030(e)(11). If either of these plaintiffs had hired a forensic computer examiner to respond to the offense, to conduct “a damage assessment” or in the case of M-I LLC to restore “the data, program, system, or information to its condition prior to the offense,” their CFAA claims would have qualified for federal subject matter jurisdiction. Id.