Trend Continues on Limiting Actionable “Loss” Under CFAA

March 19, 2010

Although much attention has been focused on the split within the courts on the meaning of permissible “authorization” to access a computer (see 10/20/09 Tech Razor post), the differing interpretations of the types of losses that may be pursued under the CFAA also pose a substantial hurdle to employers seeking to use the CFAA as a means of pursuing a trade secret misappropriation claim in federal court. Two recent federal district court decisions continue the trend of limiting the scope of what may be regarded as an actionable “loss” under the Computer Fraud and Abuse Act (CFAA).

Liability Under The CFAA

The CFAA provides, in part, that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. . . .” Section 1030(g). Based on this, an employer or other person who has had a “protected computer” accessed without authorization (or in a manner that exceeds the scope of authorization) may pursue a CFAA claim. However, if “damage” or “loss” cannot be shown, then the CFAA does not provide any source of recovery. Section 1030(e)(8) defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information” and Section 1030(e)(11) defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

While some courts have been liberal about construing the scope of eligible losses under the CFAA, the majority of courts that have addressed the issue have made clear that unless there has been actual damage to data, program or a system or an interruption of service, then a CFAA claim may not be pursued.  Adding to the majority view are two cases decided earlier this year, ReMedPar v. AllParts Medical, et al., Civ.  Action No. 3:09-cv-00807 (M.D. Tenn. Jan. 4, 2010), and Mintel International Group v. Neergheen, Case No. 08-cv-3939 (N.D. Ill. Jan. 12, 2010). 

ReMedPar and Mintel

ReMedPar presented the situation of a competitor company, AllParts, aided by former employees of the plaintiff, ReMedPar, making use of proprietary ERP and CRM systems developed by ReMedPar.   While it was very likely that the former employees breached confidentiality and other obligations to ReMedPar, at no time was ReMedPar prevented from use of its systems or data and there was no physical damage.   Because of this, the court found that while the business of plaintiff, ReMedPar, may very well have suffered from the defendant’s wrongful action, ReMedPar did not suffer a recoverable “loss” covered by the statute.

Mintel involved a former employee, Neergheen, who in the course of his employment copied a wide variety of confidential information of his then employer, Mintel, which the employee then utilized when he went to work with a competitor business. Again, because there was no impairment or damage to the employer’s data or systems and no interruption of use by the former employer, the court observed, “[defendant’s] allegedly unauthorized acts of copying and e-mailing Mintel’s computer files did not impair the integrity or availability of the information in Mintel’s system . . . . As several judges in this district have already found (or confirmed), the ‘underlying concern of the [CFAA] [is] damage to data’ and ‘the statute was not meant to cover the disloyal employee who walks off with confidential information.’ . . . Rather, there must be destruction or impairment to the integrity of the underlying data. . . . Thus, Mintel has not demonstrated that it suffered the type of damage contemplated by [the CFAA].” Mintel also did not suffer a recoverable loss because an “alleged loss” must also have stemmed from the impairment or unavailability of data or interruption of the service of a system.

Bottom Line

In both these recent cases, the plaintiff employers are not without other remedies against the offending parties, particularly under relevant state laws dealing with protection of trade secrets and confidentiality. The CFAA has a definite role to play in protecting valuable data and system assets, but that role fits a very specific set of circumstances. Because of this, in many courts at least, it will continue to be more difficult to shoehorn claims for breaches of trade secrets or confidentiality obligations into the CFAA framework.


Opinion in ReMedPar v. AllParts Medical

Opinion in Mintel v. Neergheen

Computer Fraud and Abuse Act Construed Narrowly Against Employer

October 20, 2009

Consider this common enough scenario:  a senior executive, having resolved to shortly leave his current employer to establish a potentially competing business, uses his employer’s e-mail system to send confidential company documents and data to his personal e-mail account.  Has the executive accessed his employer’s computer resources without authorization and thereby violated a key provision of the federal Computer Fraud and Abuse Act (the “CFAA”)?  According to the Ninth Circuit’s recent decision in LVRC Holdings v. Brekka, No. 07-17116 (9th Cir. Sept. 15, 2009), in the absence of a written agreement with the employee or a computer use policy clearly prohibiting such activity, merely acting contrary to an employer’s interest is insufficient to justify an unauthorized access claim for liability under the CFAA.

LVRC Holdings found itself in the above scenario when it learned that its former employee, Brekka, had sent sensitive company materials to his personal e-mail account prior to his resignation.  Interestingly, before any thought of leaving had arisen, Brekka routinely sent company materials to his personal e-mail account with his employer’s tacit consent.  LVRC only sought to hold Brekka liable for unauthorized access to a protected computer once Brekka decided to start a competing business while still employed by LVRC.  LVRC contended that under those circumstances Brekka was no longer authorized to access the company’s e-mail or other computer resources.

The district court and the Ninth Circuit believed that LVRC’s approach to the CFAA was inconsistent with the idea that, as both a criminal and civil statute, the CFAA’s prohibitions should be read liberally by analyzing any ambiguities in favor of the defendant under the rule of lenity. The history of the CFAA as a means of addressing concerns over third party hacking into a company’s computer systems also supported the view that an employee exceeding his authority was not the type of harm the “without authorization” prong of the CFAA sought to address.

In addition, while a claim might have been sustained under a separate part of the CFAA dealing with liability for exceeding one’s authority, such a claim requires convincing proof, and the failure of LVRC to have even adopted an acceptable use policy for company computer resources or to produce acceptable evidence of access after Brekka’s resignation doomed LVRC’s claim.

Among other important lessons, this case highlights the need for employers to have either written agreements with their employees on acceptable computer use practices or at least a well publicized company policy statement to the same effect.
