A Colorado federal district court recently held that the computer forensic investigator costs of investigating Computer Fraud and Abuse Act (CFAA) violations constitute “loss” under the statute. (AssociationVoice, Inc. v. AtHomeNet, Inc., No. 10-cv-00109-CMA-MEH, 2011 WL 63508 (D. Colo. 2011)). The court echoed the growing trend in circuit and district courts, which permit civil claims under the CFAA absent any damage or interruption of service. Consequently, this decision underscores the viability of asserting CFAA claims in cases involving data theft and the importance of utilizing qualified computer forensic investigators in such cases.
The plaintiff and defendants in AssociationVoice offered competing web-based software applications for homeowners associations (HOA). The defendants allegedly acted as fictitious HOA customers in order to purchase the plaintiff’s software and access the plaintiff’s password-protected “site admin” areas. In order to access the web site, the defendants also allegedly entered into a Services Agreement, which prohibited the defendants from reverse engineering and copying the plaintiff’s source code or using the plaintiff’s confidential and proprietary information.
The defendants allegedly copied, reverse engineered, and misappropriated information from the plaintiff’s password-protected site and allegedly added at least forty-four new features to the defendants’ own applications.
The plaintiff filed suit against the defendants, alleging, inter alia, violations of the CFAA, copyright infringement, trade secret misappropriation, and breach of the Services Agreement.
The plaintiff moved for two preliminary injunctions. The plaintiff sought to enjoin the defendants, per the Services Agreement, from providing the defendants’ customers with the allegedly copied, reverse engineered, and misappropriated features. Additionally, the plaintiff sought to enjoin the defendants, pursuant to the CFAA, from further accessing the password-protected “site admin” areas.
The court denied the Services Agreement injunction because the plaintiff did not make a “strong showing” of the four injunction factors to justify altering the status quo. However, the court granted the CFAA injunction.
The noteworthy aspect of this case is the court's analysis of the “likelihood of success” factor in granting the plaintiff’s CFAA injunction.
In order to bring a civil claim under the CFAA, the plaintiff was required to prove that the violations resulted in the loss of at least $5,000 within a one-year period. (18 U.S.C. § 1030(g) and (c)(4)(A)(i)). The parties disputed whether the plaintiff’s hiring of a third-party computer forensic investigator to assist with its investigations constituted a “loss.” Additionally, the defendants argued that the plaintiff could not bring a claim because it suffered no interruption of service.
The court recognized that the majority of courts find the costs of investigations and responses to security breaches constitute “loss,” regardless of whether service is interrupted. (See, e.g., A.V. v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 584 (1st Cir. 2001); SuccessFactors, Inc. v. Softscape, Inc., 544 F.Supp.2d 975, 980-81 (N.D. Cal. 2008); Res. Ctr. for Indep. Living v. Ability Res., Inc., 534 F.Supp.2d 1204, 2111 (D. Kan. 2008); Patrick Patterson Custom Homes, Inc. v. Bach, 586 F.Supp.2d 1026, 1036 (N.D. Ill. 2008); NCMIC Fin. Corp. v. Artino, 638 F.Supp.2d 1042, 1064 (S.D. Iowa 2009)).
The court reasoned that the plain language of “loss” defined in § 1030(e)(11) distinguishes between the costs of responding to CFAA violations and the consequential damages from interruptions of service. In fact, the legislative history of the CFAA indicates that the statute was designed to address situations in which damage never occurred. The court found this case almost identical to the California district court decision in SuccessFactors. In SuccessFactors, the court held that when confidential information is obtained, it is necessary for the violated party to discover who has the confidential information, how they accessed it, and what the violators were doing with it. Thus, the defendants’ alleged access of the plaintiff’s protectable confidential information naturally incurred the costs of an investigation. Specifically, the court stated "[i]t, therefore, is not surprising that Plaintiff also had to go to great lengths to uncover Defendants’ identity, as well as to uncover the extent of their unauthorized access and the methods they used. Accordingly, Defendants should not be allowed to complain about the costs Plaintiff incurred in doing so."
While the court in AssociationVoice followed the growing majority, the Second Circuit and district courts in Florida, Virginia, Connecticut, and Louisiana still require an interruption of service in order to bring a claim under the CFAA. (See, e.g., Nexans Wires S.S. v. Sark-USA, Inc., 166 Fed.Appx. 559, 563 (2d Cir. 2006)).
What does this mean? The CFAA remains a viable option to combat data theft. Although some courts have narrowed the applicability of the CFAA, many courts, like the AssociationVoice court, recognize CFAA claims even where the defendants' actions do not result in any interruptions of service. Some courts have even extended the “costs to respond” to include investigations into ways to improve security. (See, e.g., Jedson Eng’g, Inc. v. Spirit Construction Services, Inc. (S.D. Ohio 2010)). Accordingly, in order to satisfy the "loss" requirement under the CFAA, make sure that qualified computer forensic investigators are utilized (in coordination with legal counsel) to respond to and assess the computer breach as soon as your company learns of the data theft.