The Computer Fraud And Abuse Act, 18 U.S.C. s. 1030 et seq. (CFAA) – the Federal statute that criminalizes various forms of computer hacking – is an odd mix of precise terms of art and vague, amorphous phrasing.
One CFAA area rife with unsettled litigation is the Act’s “damage” and “loss” requirements. The CFAA specifically defines both terms but the unsettled question concerns whether underlying physical damage to the computer or computer data is necessary to prove “loss.” That is, does a CFAA plaintiff have to prove computer damage FIRST before it can try to satisfy the $5,000 loss threshold?
Under the CFAA, “Damage” means any impairment to the integrity or availability of data, a program, a system, or information (e.g. physical damage to a computer or its data). 18 U.S.C. § 1030(e)(8). “Loss” equals the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense as well as any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. 18 U.S.C. § 1030(11)
Q: What Constitutes Damage Under the CFAA?
A: A synthesis of Seventh Circuit cases provides the following “damage” examples:
(i) destruction, corruption, or deletion of electronic files;
(ii) physical destruction of a hard drive;
(iii) smashing hard drive with a hammer; installing shredding software;
(iv) installing secure-erasure software; and
(v) diminishing usability of computer system.
Q: What Does Not Constitute Damage?
A: (i) copying, e-mailing or printing electronic files;
(ii) stealing employer computer data and sending it to competitor;
(iii) e-mailing confidential data to private email address to use in competing business; and
(iv) disclosure of trade secrets.
Q: What Constitutes ‘Loss’ Under the CFAA
A: The Northern District (Ill.) holds that CFAA “loss” encompasses
(1) the cost of investigating or repairing a computer or computer system following a violation that caused damage to a computer or computer system, or
(2) revenue lost, cost incurred, or other consequential damages incurred because of the interruption of service.
TriTeq, 2012 WL 394229, * 7; Navistar, Inc. v. New Baltimore Garage, Inc., 2012 WL 4338816, *8 (N.D.Ill. 2012); Farmers Ins. Exchange v. Auto Club Group, 823 F.Supp.2d 847 (N.D.Ill. 2011)
Q: Is Physical Computer Damage Required In Order to Establish CFAA ‘Loss’?
A: This is the question that is the most unsettled, both in the Seventh Circuit and nation-wide. Some courts adopt an expansive view of loss and hold that damage isn’t required. Others give a restrictive reading to CFAA loss and hold that a CFAA plaintiff can still satisfy the statutory loss element even if there’s no underlying computer damage.
Some District Court cases in the Seventh Circuit that hold that underlying computer damage is required to show loss include: TriTeq Lock & Sec. LLC v. Innovative Secured Solutions,LLC, 2012 WL 394229 (N.D.Ill. 2012); Farmers Ins. Exchange v. Auto Club Group, 823 F.Supp.2d 847, 851-856 (N.D.Ill. 2011); 1st Rate Mortg. Corp. v. Vision Mortg. Servs. Corp., 2011 WL 666088 at *2 (E.D.Wis. Feb. 15, 2011).
Cases that represent a broader of view of loss – that physical damage or data destruction is not required to show loss – include Navistar, Inc. v. New Baltimore Garage, Inc., 2012 WL 4338816, *8 (N.D.Ill. 2012); SKF USA, Inc. v. Bjerkness, 636 F.Supp.2d 696, 721 (N.D.Ill. 2009).
The statutory text supports the expansive application of the latter cases: that physical damage is not a prerequisite to establishing CFAA loss; at least with respect to CFAA information (defendant accesses protected computer and obtains information) and fraud (defendant breaches computer in connection with furthering a fraud) claims. 18 U.S.C. § 1030(a)(2), (4).
Afterwords: The strongest case from a CFAA plaintiff’s perspective is where the defendant has caused physical damage including data destruction or deletion, coupled with quantifiable monetary loss to remedy the damage.
The weakest case will be where there the plaintiff is trying to recover money damages in the absence of physical harm to computer equipment or data. In cases where a computer or its data hasn’t been harmed or compromised, a CFAA plaintiff’s claim will likely hinge on the severity of the defendant’s conduct; such as whether he violated a non-disclosure or non-compete and whether he accessed trade secrets or confidential information belonging to the plaintiff.