Lawyers should have a basic understanding of the federal Computer Fraud and Abuse Act, which provides criminal and civil penalties for wrongfully accessing a computer to do harmful things. They also should understand how to allege a loss under CFAA in a business case, which is not straightforward. Failing to satisfy this requirement means a court will not have jurisdiction over a CFAA civil claim. Consequently, many otherwise valid civil claims founder.
CFAA applies to the access of any computer connected to the Internet. Lawyers most commonly bring CFAA causes of action in civil cases when company insiders, usually departing employees, allegedly wrongfully access the company’s computers and improperly delete, alter or take information. CFAA also can apply when companies access competitors’ websites to gain competitive information in violation of the sites’ terms of service, create fictitious profiles to snoop about what people are doing online or wrongfully access other people’s paid online subscription services in violation of the services’ agreements.
To obtain a civil remedy under CFAA, a plaintiff must satisfy the jurisdictional prerequisite of establishing a $5,000 loss. Doing so is not as straightforward as it may appear.
CFAA §1030(g) provides for a civil remedy. The first sentence reads: “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”
Cross-references in §1030(g) limit the type of conduct for which a civil action is available. Most business-related claims would seem, at first glance, to fall within the requirement that the violation caused a loss aggregating at least $5,000 to one or more persons in any one-year period.
But a “loss” under CFAA is not what lawyers generally understand to be damage or damages, each of which has a different meaning under CFAA. For example, stolen intellectual property, regardless of its value, does not count toward the $5,000 loss. Privacy invasions and personally identifiable information, regardless of how valuable, also do not constitute losses under CFAA.
Instead, a loss must be a cost. It must be a reasonable cost to the victim to investigate, respond or remedy the damage the violation caused to the data or computer, unless the case involves an interruption of service, which is relatively rare.
One example of such a cost would be the fees a computer forensics firm charges to secure the violated computer, to investigate the damage caused to the computer and to restore the data. Another cost that can satisfy this requirement is the value of company employees’ time, if the value can be accurately determined. Other expenditures that might qualify as a cost under CFAA include bartered services, such as a computer forensics company that agrees to perform the investigation in exchange for goods or services from the computer owner’s company, or a limited amount of attorneys’ fees charged for leading the investigation or the remediation process.
An attorney seeking to best position the case to satisfy the loss requirement should lead and coordinate the investigation himself. Even if the attorney’s fees are not ultimately recoverable, there are still procedural and evidentiary reasons why it would be valuable for the attorney to lead and coordinate the investigation, such as obtaining work-product and attorney-client privilege protection.
The lawyer also should retain a licensed computer forensics firm, which should do two things. First, it should secure the computers so the evidence will not be tainted. Securing the computers includes preventing anyone else from using the computer to investigate on his own. Second, the computer forensics firm should conduct a thorough investigation and perform the work necessary to respond to and remediate the problem. The computer forensics firm actually has to perform the work. Speculation about work that likely will be required in the future will be insufficient to constitute a loss.
The lawyer also should keep accurate records of the activities performed by all involved and itemize that information in the federal court complaint or state court petition.
Ideally, the costs for the forensics and remediation services alone will exceed $5,000, but the lawyer should include the other costs, as well, because they may qualify, depending on the court.
If, at the end of the day, the amount of costs is $5,000 or more, there should be no problem meeting the loss requirement for the civil CFAA claim.