The Computer Fraud and Abuse Act: ‘Damage’ and ‘Loss’ Elements (7th Circuit/ND IL)

Security7_610x426The Computer Fraud And Abuse Act, 18 U.S.C. s. 1030 et seq. (CFAA) – the Federal statute that criminalizes various forms of computer hacking – is an odd mix of precise terms of art and vague, amorphous phrasing.

One CFAA area rife with unsettled litigation is the Act’s “damage” and “loss” requirements.  The CFAA specifically defines both terms but the unsettled question concerns whether underlying physical damage to the computer or computer data is necessary to prove “loss.”  That is, does a CFAA plaintiff have to prove computer damage FIRST before it can try to satisfy the $5,000 loss threshold?

Under the CFAA, “Damage” means any impairment to the integrity or availability of data, a program, a system, or information (e.g. physical damage to a computer or its data).  18 U.S.C. § 1030(e)(8).  “Loss” equals the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense as well as any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.  18 U.S.C. § 1030(11)

Q: What Constitutes Damage Under the CFAA? 

A: A synthesis of Seventh Circuit cases provides the following “damage” examples:

(i) destruction, corruption, or deletion of electronic files;

(ii) physical destruction of a hard drive;

(iii) smashing hard drive with a hammer; installing shredding software;

(iv) installing secure-erasure software; and

(v) diminishing usability of computer system.

Q: What Does Not Constitute Damage?

A:  (i) copying, e-mailing or printing electronic files;

(ii) stealing employer computer data and sending it to competitor;

(iii) e-mailing confidential data to private email address to use in competing business; and

(iv) disclosure of trade secrets.

Q: What Constitutes ‘Loss’ Under the CFAA

A: The Northern District (Ill.) holds that CFAA “loss” encompasses

(1) the cost of investigating or repairing a computer or computer system following a violation that caused damage to a computer or computer system, or

(2) revenue lost, cost incurred, or other consequential damages incurred because of the interruption of service.

TriTeq, 2012 WL 394229, * 7; Navistar, Inc. v. New Baltimore Garage, Inc., 2012 WL 4338816, *8 (N.D.Ill. 2012); Farmers Ins. Exchange v. Auto Club Group, 823 F.Supp.2d 847 (N.D.Ill. 2011) 

Q: Is Physical Computer Damage Required In Order to Establish CFAA ‘Loss’?

A: This is the question that is the most unsettled, both in the Seventh Circuit and nation-wide.  Some courts adopt an expansive view of loss and hold that damage isn’t required. Others give a restrictive reading to CFAA loss and hold that a CFAA plaintiff can still satisfy the statutory loss element even if there’s no underlying computer damage.

Some District Court cases in the Seventh Circuit that hold that underlying computer damage is required to show loss include: TriTeq Lock & Sec. LLC v. Innovative Secured Solutions,LLC, 2012 WL 394229 (N.D.Ill. 2012); Farmers Ins. Exchange v. Auto Club Group, 823 F.Supp.2d 847, 851-856 (N.D.Ill. 2011); 1st Rate Mortg. Corp. v. Vision Mortg. Servs. Corp., 2011 WL 666088 at *2 (E.D.Wis. Feb. 15, 2011).

Cases that represent a broader of view of loss – that physical damage or data destruction is not required to show loss – include Navistar, Inc. v. New Baltimore Garage, Inc., 2012 WL 4338816, *8 (N.D.Ill. 2012); SKF USA, Inc. v. Bjerkness, 636 F.Supp.2d 696, 721 (N.D.Ill. 2009).

The statutory text supports the expansive application of the latter cases: that physical damage is not a prerequisite to establishing CFAA loss; at least with respect to CFAA information (defendant accesses protected computer and obtains information) and fraud (defendant breaches computer in connection with furthering a fraud) claims.  18 U.S.C. § 1030(a)(2), (4).

Afterwords: The strongest case from a CFAA plaintiff’s perspective is where the defendant has caused physical damage including data destruction or deletion, coupled with quantifiable monetary loss to remedy the damage.

The weakest case will be where there the plaintiff is trying to recover money damages in the absence of physical harm to computer equipment or data.  In cases where a computer or its data hasn’t been harmed or compromised, a CFAA plaintiff’s claim will likely hinge on the severity of the defendant’s conduct; such as whether he violated a non-disclosure or non-compete and whether he accessed trade secrets or confidential information belonging to the plaintiff.

 

 

 

Facebooking at Work: A Federal Offense? (With ‘Aarons Law’ Update)

Can surfing the Net on company time get you fired?  Perhaps.  Can it subject you to Federal criminal and civil penalties?  Not yet.  At least not in the  Tampa, Florida area.  Wendy Lee v. PMSI, 2011 WL 1742028 (M.D.Fla. 2011) illustrates a creative attempt to expand the reach of the Computer Fraud and Abuse Act (CFAA)(which, incidentally, will be the subject of some future posts).  The CFAA, codified at 18 U.S.C. s. 1030, is a criminal statute with a civil component. It provides a private civil cause of action for anyone who sustains damage or loss as a result of an unauthorized user hacking into a computer system who then destroys, erases or transfers computer data.  It also prohibits authorized users from accessing protected information and from exceeding the limits of their authorization.  In this latter context, the CFAA is typically used by an employer when a rogue employee or “insider” accesses private employer computer data and sends the data to a competitor.

In PMSI, the Plaintiff filed a Federal pregnancy discrimination suit against her employer.  The employer fired back with a counterclaim based on the CFAA – saying that the Plaintiff spent her workdays surfing the Internet and playing on Facebook.  So egregious was the Plaintiff’s personal computer use, that the employer asserted a CFAA violation claiming the Plaintiff violated her employer’s published computer/Internet use policy.

The Court dismissed the CFAA count and said that while Facebooking at work may be a fireable offense; it does not subject one to Federal criminal or civil liability.  The court gave a narrow reading to the CFAA and held that the statute did not apply to a private employee’s violation of an employer’s internet policy.  Otherwise, the court said, every employee across the land who used a company computer to send and receive personal e-mails or who surfed the Net for non-work reasons could potentially be subject to Federal liability.

So, for now, Tampa area office workers can safely surf the net on company time without being subject to CFAA liability.   Whether the same workers can be fired for violating an employer computer policy, is an issue for another day and perhaps another post.

Update (7.15.13):  Recently, some proposed changes to CFAA were introduced by Zoe Lofgren and Ron Wyden, democratic congressman and senator from California and Oregon, respectively.  These changes, known as “Aarons” law (named for the late internet activist Aaron Schwartz), are designed to narrow the reach of the CFAA so that the statute is only used to prosecute outside hackers, rather than criminalize every-day violations of private employer computer policies or Internet terms of use.  Some helpful links follow.

http://www.wired.com/opinion/2013/06/aarons-law-is-finally-here/

http://www.lofgren.house.gov/images/stories/pdf/aarons%20law%20summary%20-%20lofgren%20-%20061913.pdf