Federal district courts have been split, and the courts of appeals thus far silent, on what allegation of "loss" a plaintiff must make to state a case under the Computer Fraud and Abuse Act. 18 U.S.C. § 1030. The CFAA, a criminal statute barring unauthorized access of specified categories of computers, provides for a civil right of action for "[a]ny person who suffers damage or loss by reason of a violation of" the Act. 18 U.S.C. § 1030(g). Thus, a claim under the CFAA can be a nice adjunct to many other causes of action, such as claims for copyright infringement and trade secret misappropriation. However, at least two recent cases illustrate that the bar for plaintiffs under the CFAA is uncertain.
Plaintiffs sometimes cannot plead or prove "damage" under the CFAA's definition of that term. 18 U.S.C. § 1030(e)(8) ("Damage means any impairment to the integrity or availability of data, a program, a system, or information"). Thus, courts turn to the CFAA's definition of "loss," which is
any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.
18 U.S.C. § 1030(e)(11). As the Court explained in Triteq Lock & Sec. LLC v. Innovative Secured Solutions, LLC, 2012 U.S. Dist. LEXIS 14147, Civil Action No. 10 CV 1304 (N.D. Ill. Feb. 1, 2012), "the issue dividing courts is whether the costs associated with responding to an offense and/or conducting a damage assessment must follow a CFAA violation that caused damage." Or, as the court in Dice Corporation v. Bold Technologies LTD, 2012 U.S. Dist. LEXIS 10727 (E.D. Mich. Jan. 30, 2012), put it, the question is whether the "and" in the definition of "loss" was conjunctive or disjunctive, i.e., whether the phrase "incurred because of interruption of service" modifies "the cost of responding to an offense" in addition to modifying "any revenue lost, cost incurred, or other consequential damages."
The Triteq court thought that "Congress intended to restrict civil actions brought under the CFAA," and intended to limit the extent to which federal courts would adjudicate claims otherwise arising under state law. Because the plaintiff had "not alleged that the costs it incurred followed a CFAA offense that damaged its computers or computer systems, or that its service was interrupted," its claim was dismissed.
The court in Dice, in contrast, concluded after an extensive look at the CFAA's legislative history that there could be "loss" under the CFAA even without "damage." According to the Dice court, "from the beginning, 'loss' has been defined broadly to include not only the harm the intruder directly inflicts, but also the costs the victim incurs in investigating and preventing future incursions." From a standpoint of pure logic, I wonder if the Dice court might have the better argument; the Triteq reading of the statute, requiring "damage" for there to be "loss," would seem to read "loss" entirely out of the CFAA's provision that "[a]ny person who suffers damage or loss" may bring a civil action.
As a final interesting twist, both the Dice and Triteq courts noted that judges even within their respective districts had split on this question of the proper statutory construction of the "loss" requirement of the CFAA. Surely an appellate court will address the question soon. Even so, given the current state of the law, the standard for bringing a civil action under the CFAA is likely to remain unsettled for some time to come, and is something would-be plaintiffs must carefully consider.