The Software IP Report
A Narrow View of “Loss” under the CFAA
By Charles Bieneman
Categories: State and Federal Statutes, The Software IP Report
A recent case takes a narrow view of the “loss” that will sustain a civil action under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, a criminal statute that includes a right of civil suit favored by many plaintiffs. Int’l. Chauffeured Service, Inc. v. Faster Operating Corp, No. 11 Civ. 2662 (S.D.N.Y. April 13, 2012). The court granted the defendant’s motion to dismiss the plaintiff’s CFAA claims because, despite pleading over $5 million in damages in business losses flowing from the defendant’s alleged misappropriation of data from a computer database, the plaintiff could plead a “loss” of only $1413, as the Court construed that term under the CFAA.
The plaintiff alleged that the defendant had violated the CFAA by “intentionally access[ing] a protected computer without authorization, and as a result of such conduct, recklessly caus[ing] damage.” 18 U.S.C. § 1030(a)(5)(B). The CFAA provides a civil right of action, 18 U.S.C. § 1030(g), against one who has caused “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i)(I). Further, the CFAA defines “loss” as:
any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.
18 USC § 1030(e)(11).
Courts have split concerning whether “loss” under the CFAA must include costs directly related to alleged harm to the wrongly accessed computer, or whether the “loss” may include consequential damages flowing from the computer invasion. The court here noted that Second Circuit “case law . . . requires a cost constituting a loss to be directed in some way at the effects of the prior intrusion, not at those of some potential future offense.” Therefore, at most, the court could count the plaintiff’s post-intrusion costs of investigating and remedying any harm from the computer intrusion, which amounted to $1413. Costs of post-intrusion network monitoring and security precautions, which amounted to more than $5000, not to mention an alleged loss of business of $5,919,781, would not be counted.
The court did agree that the plaintiff had adequately pled that a “protected computer” under the CFAA had been improperly accessed. This was probably small solace for the plaintiff in light of the court’s dismissal of all claims (there were state law claims for which supplemental jurisdiction had been lost when the CFAA claims were dismissed, but which could be re-filed in state court).