The Software IP Report

Narrow views of “Authorization,” “Loss,” and “Damages” Under the CFAA

By Charles Bieneman

Categories: State and Federal Statutes, The Software IP Report

As previously reported, in setting standards for civil rights of action under the Computer Fraud and Abuse  Act (CFAA), 18 U.S.C. § 1030, courts have taken varying approaches.  However, a number of recent cases have elected a narrower view of facts creating a cause of action under the CFAA, limiting plaintiffs’ ability to bring CFAA claims.  Two recent cases further suggest that the trend may be toward narrowing the scope of civil actions under the CFAA.

In Ajuba International, L.L.C. v. Saharia, No. 11-12936 (E.D. Mich, May 14, 2012), the defendants argued that a CFAA claim based on accessing a “protected computer ‘without authorization’ or in a manner that ‘exceeds authorized access'” was negated by “complete, unrestricted access to [plaintiffs’] computer systems due to the nature of [one defendant’s] employment.”  The plaintiffs argued that the defendant “lost any authorization he had to access Plaintiffs’ computers, or, at least, exceeded his authorization when he accessed the computers in violation of confidentiality and use limitations.”  After noting the split in authority concerning the scope of these provisions, the Ajuba court noted that other courts in the Sixth Circuit had taken a narrower view.  Further, the court was reluctant to embrace “an interpretation of the CFAA based upon agency principles [that] would greatly expand the reach of the CFAA to any employee who accesses a company’s computer system in a manner that is adverse to her employer’s interests.”  Therefore, the plaintiffs’ CFAA claim was dismissed.

In Bashaw v. Johnson, No. 11-2693 (D. Kans. May 9, 2012), the court had to decide whether the defendant, in a counterclaim,  had adequately pled “loss” and “damage” under the CFAA.  The court easily concluded that the defendant had not adequately pled “damage” because his pleading was conclusory and merely mirrored the language of the statute.  The defendant alleged that “he suffered damages because ‘data was erased,” but nowhere identified the allegedly erased data.  Further, in concluding that the defendant had not pled “loss” under the CFAA, this court followed the “majority of courts,” which “have construed the term ‘loss’ to include only two types of injury–costs incurred (such as lost revenues) because the computer’s service was interrupted and costs to investigate and respond to computer intrusion or damage.”  Here, the defendant alleged in his counterclaim that he had suffered “loss” in excess of $5000 as required by the CFAA, but did “not allege any lost revenues or other losses incurred due to any interruption in service.”  Allegations concerning costs of having employees restore lost data, without allegations that employees actually undertook such tasks and incurred such costs, were insufficient.  Therefore, the CFAA claim was “dismissed in its entirety.”