Cost of credit monitoring for victims of data security breach constitutes loss under CFAA

The cost of providing credit monitoring for employees whose personal information was accessed as a result of unauthorized access by an inmate to a prison computer network constitutes a "loss" under the Computer Fraud and Abuse Act, the United States Court of Appeals for the First Circuit ruled. The court held that the district court properly included the cost of the credit monitoring in an order of restitution entered following the inmate's plea of guilty to 18 U.S.C. § 1030(a)(5)(B)(i), causing "loss" as a result of unauthorized computer network access. The court noted that "loss" is defined in the statute as “'any reasonable cost to any victim, including the cost of responding to an offense in addition to the cost of damage assessment, restoration of the damaged system and consequential damage like lost revenue." The court concluded that the cost of a credit check for affected employees was a reasonable cost of responding to the security breach.

United States v. Janosko, No. 10-1046 (1st Cir. Apr. 12, 2011) (Opinion by Associate Justice David Souter, sitting by designation) Opinion