The Computer Fraud and Abuse Act, (CFAA), 18 U.S.C. 1030, which is primarily a criminal statute that prohibits unauthorized access to computers and conspiracies to gain unauthorized access, also contains an increasingly important section permitting anyone who suffered financial loss or damage from such an intrusion to file a civil suit for damages against the intruder.
This civil section of the CFAA was enacted in 1994. It permits recovery of “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
This section also contains a minimum jurisdictional loss provision, requiring a civil plaintiff to show that he or she suffered at least $5,000 in losses of the type described above in order to have a cause of action under the CFAA.
But what kinds of expenses, precisely, count as losses under the statute? The law does attempt to clarify: The costs must be “reasonable,” they must be losses incurred by a “victim,” and they must fall into one of several specific categories of expense.
However, there have been relatively few cases interpreting the $5,000 loss provision. A recent U.S. District Court case will go a long way toward illuminating this portion of the Act and toward making it easier for other plaintiffs to claim damages under the CFAA.
In this case, Animators at Law, Inc., v. Capital Legal Solutions, LLC, No. 1:10cv1341 (E.D. Va., May 10, 2011), Ken Lopez, the president of Animators at Law, discovered that two former employees had taken a laptop computer from the company when they resigned to join a competitor. Based on concerns about what files might have been copied or removed, Animators engaged a forensic firm and had the laptop delivered directly from the former employees to the firm. The investigation determined that hundreds of proprietary files had been removed from the computer.
Animators filed suit under the CFAA against the competing company, Capital Legal Solutions, and against the two former employees. He claimed that he incurred costs as a result of the alleged computer intrusion in a number of ways. First, was the cost of the forensic-analysis company to examine the laptop. Second, Lopez himself spent considerable time investigating the possibility of unauthorized access. Third, Lopez hired his corporate attorney, at his usual rate of $445 per hour, to oversee the investigation and to re-secure the company’s computers.
The defendants moved for partial summary judgment, asserting that on the basis of the undisputed material facts, they were entitled to judgment as a matter of law that the loss incurred by Animators amounted to less than $5,000.
Judge T.S. Ellis of the Eastern District of Virginia denied the motion and found that Animators had indeed created a triable issue of fact on the question of the amount of damages.
Judge Ellis pointed out that the forensic-analysis company, IDS, in its own time and billing records, indicated that it had billed Animators more than $19,500, which by itself considerably exceeds the $5,000 minimum.
The defendants objected, saying that the extensive analysis of the laptop conducted by IDS was not a “reasonable cost” under the CFAA. The judge disagreed and took the view that “a reasonable jury might well disagree and conclude otherwise” and that in the light of the security risks involved, a jury may reasonably conclude, viewing the facts in the light most favorable to Animators, that Animators “acted reasonably in ordering an in-depth investigation complete with forensic analysis of the misappropriated laptop.”
The defendants also said there was no evidence that Animators had actually written a check to IDS for its forensic services. Animators replied that it had paid IDS not in cash or check but in services as a form of barter. Judge Ellis ruled that “the CFAA does not require losses to be paid for in cash,” and that the defendants’ argument that IDS performed more than $19,500 in services for Animators for free is “a contention that defies common sense.”
The $19,500 paid to IDS, then, was enough to satisfy the $5,000 standard in and of itself, and looking at the statutory language, it clearly falls into the category of costs involved with “responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense.”
Judge Ellis, noting that it is “unnecessary to analyze” the other costs described by Animators in view of this first conclusion, then went ahead with a brief analysis that could be considered dictum but provides key signposts to plaintiffs in future cases.
Lopez’s own time in the investigation, although not precisely quantified, was corroborated in part by time logs, and it was not unreasonable to “bill” his time at his normal hourly rate of $300 per hour, since he could not make money for the company while investigating the breach. And concerning the attorney’s time, the judge wrote that “a jury may conclude that hiring an attorney to investigate the intrusion and oversee the investigation was reasonably foreseeable and reasonably necessary under the circumstances.”
The judge did make one concession that made no difference to the ultimate denial of the motion. Although the defendants may contend that the attorney carries a high billing rate and possesses legal rather than technical expertise, the judge wrote, it would not matter, since even a complete elimination of those fees would still keep the dollar amount well over $5,000.
In summary, this well-reasoned district court opinion significantly clarifies the scope of damages that can be claimed under the CFAA and encourages plaintiffs to go ahead with cases that allege loss from intrusions into computer systems.