Dang! “Loss” of Opportunity to Decide Interesting CFAA Issue, But “Loss” Analysis is Good Too

Plaintiff had interesting claim under the CFAA but couldn’t get there due to that pesky “loss” requirement

Does an employer violate the Computer Fraud and Abuse Act by remotely wiping an employee’s personal mobile device that was connected to the employer’s server and contained its data?

The United States District Court for the Southern District of Texas was poised to answer this question but did not reach the issue. The court found, as in most of these cases, the plaintiff did not satisfy the jurisdictional threshold $5,000 loss requirement.

What we did get, however, is a strong analysis of how the federal courts in Texas interpret the loss requirement of the CFAA. 

Something to think about — would this have violated the CFAA?

The plaintiff in Rajaee v. Design Tech Homes, Ltd. claimed that his job required him to have constant access to email. His employer did not provide him with a mobile device, so he used his own personal iPhone 4 to conduct his work for Defendants. Plaintiff’s iPhone was connected to his employer’s network server to allow him to remotely access the email, contact manager, and calendar provided by the employer. The parties disagreed over who connected the device or whether it was authorized.

Plaintiff resigned his employment with Defendants and, a few days later, Defendants’ network administrator remotely wiped Plaintiff’s iPhone, restoring it to factory settings and deleting all the data–both personal and work-related–on the iPhone.

Plaintiff sued Defendants alleging that their actions caused him to lose more than 600 business contacts collected during his career, family contacts, family photos, business records, irreplaceable business and personal photos, and videos, and numerous passwords.

Plaintiff sued for violations of the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, and various state law claims.

Violation of the Electronic Communications Privacy Act

The Court found the Defendants’ actions did not violate the Stored Communications Act prong of the ECPA: “the Fifth Circuit has held that ‘information that an individual stores to his hard drive or cell phone is not in electronic storage under the statute.’” The information Plaintiff claimed was deleted was stored on his cell phone and not covered by the SCA.

Unauthorized Access Under the Computer Fraud and Abuse Act

The Court does not reach the issue of whether Defendants’ actions were an unauthorized access under the CFAA but that doesn’t mean we can’t think about it ourselves. In fact, over a year ago my friend Jim Brashear (@JFBrashear) and I talked about this and he suggested I write something about it. I didn’t. I should have.

What we do know from the court’s opinion are the following things:

  • Plaintiff owned the iPhone
  • The iPhone contained Plaintiff’s personal data
  • The iPhone was connected to Defendants’ server
  • The iPhone contained Defendants’ data
  • Defendants’ network administrator somehow remotely wiped all of the data — Plaintiff’s and Defendants’ — from the iPhone

We also know that a cell phone is considered a “protected computer” under the CFAA (post). So, we have a protected computer that — somehow — has its data wiped by someone other than its owner.  What we do not know from the opinion, but need to know, are:

  • What authorization did Plaintiff have to retain Defendants’ data on his device after his employment terminated?
  • What authorization did Plaintiff give Defendants to access his device when (whomever) connected it to Defendants’ server (beyond the fact that by connecting to the server Plaintiff was necessarily giving Defendants authorization for their server to communicate with his device)?
  • Assuming Plaintiff gave any authorization to Defendants, did that authorization continue for as long as Plaintiff maintained the connection to Defendants’ server?
  • What means did Defendants’ network administrator use to remotely wipe the device and what steps were taken beforehand to give Defendants the ability to do that?

I believe the answers to these questions are important in this analysis. If I were the judge, these are things I would want to know.

A hack back?

Thinking in the big picture, this scenario reminds me of the ongoing debate over whether it is acceptable for a company to “hack back” — that is, after a hacker has stolen data from a company, whether the company can in turn hack the attacking hacker (“you drew first blood” – Rambo) to either retrieve or destroy its (or its customers’) data that is now residing on the hacker’s system, likely in some far off land.

The arguments on both sides of the hack back issue are vigorous and I am not foolish enough to think I could resolve the issue here. I just want to point out that, in the big picture, the rationale seems somewhat similar: someone else has your data, they are not entitled to keep it, you do not want them to keep it, so go zap it!

Loss Under the Computer Fraud and Abuse Act

The real value in the Rajaee Opinion comes from the court’s analysis of the loss issue. As I said in discussing the CFAA’s loss requirement in another post, “I find it to be one of the more challenging aspects of any civil CFAA claim as well as an important feature of the CFAA to keep it from being used in civil cases that do not justify ‘having a federal case made out of it.’”

Meeting the loss requirement is a jurisdictional threshold that must be met before a plaintiff can bring a civil claim under the CFAA. “Although the CFAA is a criminal statute, Section 1030(g) provides a private right of action ‘for [a]ny person who suffers damage or loss by reason of a violation of this section.’”

The terms “damage” and “loss” are statutorily defined terms that each have a unique meaning under the CFAA, which meanings also differ from the meaning of “damages.” This is important to remember.

The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Capitol Audio Access, Inc. v. Umemoto (for CFAA, disclosure of info not “damage” and evading license not “loss”)

Courts still routinely get this wrong despite the fact that “loss” is defined in subsection (e)(11): “the term ‘loss’ means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

While the Rajaee Opinion does not rise to the level of analysis of the Nosal Court’s Opinion, which thoroughly discusses the various views of the CFAA loss jurisprudence, it is one of the more thorough ones I have seen from a federal court in Texas.

Because this case involves a ruling on a motion for summary judgment, the Plaintiff has the burden of providing evidence to support its allegations. The Rajaee Court required Plaintiff to point to evidence that, if believed by the trier of fact, would be sufficient to show that his loss did in fact exceed $5,000. Plaintiff referred the court to a declaration in which he described the losses he suffered as a result of Defendants’ deletion of his personal data as being:

  1. pictures of his personal home rehabilitation project, which decreased the value of the remodel by at least $50,000;
  2. pictures and video of family, friends, and his dogs, which he values at $3,500;
  3. all cell phone contacts after 2009, which he values at over $50,000 based on his diminished employability;
  4. all of Plaintiff’s text messages, which he values at $1,000; and
  5. all of his notes and email accounts, which he values at $600.

The court was correct in agreeing with the Defendants who argued that none of these items qualified as loss. “Plaintiff [did] not produce[] evidence of any costs he incurred to investigate or respond to the deletion of his data, nor do the losses and damages for which he does produce evidence arise from an ‘interruption of service.’”

Because of this, the court dismissed the CFAA claim. 

Important CFAA Loss Principles Applied in this Case

In reaching its decision, the court referenced and stated the following propositions of law that will be helpful for any party to understand in a civil case in the federal courts in Texas, especially the Southern District:

Yes, Texas is a good state for plaintiffs to bring a CFAA claim.

©2011 Braydon Fuller


Is Texas a good state for a plaintiff to bring a Computer Fraud and Abuse Act (CFAA) claim?

Yes it is, and a recent case reaffirms that the Federal District Courts in Texas are generally favorable jurisdictions for plaintiffs with CFAA claims because of two key issues, access and loss jurisprudence.

On February 3, 2014, the United States District Court, Southern District of Texas, denied the defendants’ Motion to Dismiss in Absolute Energy Solutions, LLC v. Trosclair, 2014 WL 360503 (S.D. Tex. Feb. 3, 2014) (related CFAAdigest post). This case involved 2 claims: misappropriation of trade secrets and Computer Fraud and Abuse Act.

Facts of the Case

The facts are fairly typical. According to the Complaint, Absolute Energy, the plaintiff, employed J. Trosclair. On April 18, 2013, Absolute Energy terminated J. Trosclair who then opened SBJ Resources, a company that competed with Absolute Energy. Absolute Energy alleges that upon J. Trosclair’s termination, his authorization to access Absolute Energy’s computer system (including email system) was terminated. R. Trosclair is J. Trosclair’s wife and was not employed by Absolute Energy which alleges R. Trosclair was never authorized to access its computer system.

After his termination, J. Trosclair and R. Trosclair accessed Absolute Energy’s computer system without authorization, sent, received, and forwarded email messages belonging to Absolute Energy, and engaged in a business endeavor that directly competed with Absolute Energy using Absolute Energy’s computer system, including to conduct business with Absolute Energy’s customers.

Absolute Energy Filed a Lawsuit

Absolute Energy filed a lawsuit against J. Trosclair and R. Trosclair for violating 18 U.S.C. § 1030 (a)(2) and (a)(4) of the Computer Fraud and Abuse Act and misappropriation of trade secrets (though it is not clear if this claim was pursuant to the newly enacted Texas Uniform Trade Secrets Act (TUTSA)).

The Trosclairs filed a Motion to Dismiss arguing the following points, and included declarations which contradicted the allegations in the Complaint:

  1. J. Trosclair was a 25% owner of Absolute Energy which gave him authorization to access its computers;
  2. the email account he was given was an email address and password for a Google operated email account that utilized computers and servers owned by Google, not Absolute Energy;
  3. The Google email system was used through J. Trosclair’s own personal computer and information received was automatically downloaded to that computer;
  4. Absolute Energy did not ever de-activate the Google email account that was assigned to J. Trosclair or notify him that he was not supposed to be using that account from his own personal computer;
  5. R. Trosclair’s only use of the Google email account was when she was gathering emails to forward to their attorney for purposes of an earlier lawsuit that J. Trosclair had filed against Absolute Energy in state court;
  6. Absolute Energy did not have a written employment agreement nor did it promulgate employee guidelines that prohibited employees from emailing Absolute Energy documents to other personal computers; and
  7. Absolute Energy failed to adequately plead a loss pursuant to 18 U.S.C. § 1030(g).

Absolute Energy filed a Response to the Motion to Dismiss in which it argued the following points:

  1. The allegations in the Complaint were adequate to support the CFAA claim and, instead of attacking the sufficiency of the allegations, the Trosclairs included declarations as evidence to contradict the substance of the allegations, which is improper for a Rule 12(b)(6) motion to dismiss;
  2. The allegations in the Complaint were sufficient to establish a loss as it alleged the Trosclairs caused a loss that exceeded $5,000 in value; and
  3. Given that for purposes of a Rule 12(b)(6) motion to dismiss the allegations asserted in the Complaint are to be taken as true, the motion should be denied.

Legal Principles and Court’s Analysis in Denying the Motion to Dismiss

The primary reason the court denied the motion to dismiss is what many laymen may feel is a technicality but is in reality a well-settled principle when dealing with motions to dismiss: they are generally not the proper vehicle for addressing factual disputes. Generally they are intended for cases where you say, “even if we assume that everything the plaintiff says is true, he still has no case because of x, y or z …” In this case, the Trosclairs tried to dispute the veracity of Absolute Energy’s factual allegations which, by definition, created a factual dispute that almost always requires denial of a motion to dismiss on such grounds. And, it did.

Point of Law 1. A motion to dismiss a Computer Fraud and Abuse Act claim in which the defendants argue that the plaintiff’s allegations are false because, contrary to plaintiff’s allegations, the defendants really were authorized to access plaintiff’s computers, is an argument that raises a factual dispute that could not be decided on a motion to dismiss. This is a procedural issue that is germane to all motions to dismiss, regardless of the particular subject matter of the claim.

In ruling on the motion, the court also provided some succinct statements of important principles concerning the Computer Fraud and Abuse Act:

Point of Law 2. The elements to a Section 1030(a)(2) claim require a plaintiff to show that a defendant: (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information, (4) from any protected computer, and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.

Point of Law 3. The elements to a Section 1030(a)(4) claim require a plaintiff to show that a defendant: (1) accessed a protected computer, (2) without authorization or exceeding such authorization that was granted (3) knowingly and with intent to defraud, and thereby (4) furthered the intended fraud and obtained anything of value, causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.

Point of Law 4. The court reaffirmed its adherence to the Intended Use Theory that is followed in the Fifth Circuit which stated that “[a]ccess to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded.” quoting United States v. John, 597 F.3d 263, 272 (5th Cir. 2010).

Finally, the court addressed the 18 U.S.C. § 1030(g) jurisdictional loss issue.

Point of Law 5. To satisfy the loss requirement and state a civil claim under the CFAA, plaintiff is not required to allege details or the exact nature of the loss. Rather, plaintiff must simply allege sufficient damages to establish that the elements of a 18 U.S.C. § 1030(g) claim have been met.

My Thoughts on the Case

Did the plaintiff adequately plead an unauthorized access to a protected computer?

Regarding the dispute over the access issue, I believe the court was correct in its ruling based on the arguments that counsel presented in their motions. As a general rule, a motion to dismiss should be denied when the arguments supporting the motion are that the plaintiff’s facts are wrong, as was the case here. However, I have a problem with it — and regular readers know that if I have a problem with a successful CFAA case, there just may be a problem there!

I recently defended a CFAA case in which the plaintiff’s allegations of access were simply bald allegations that were too vague and conclusory to determine how the wrongful access purportedly occurred or, more importantly, what protected computer was even accessed. In my view, two things that should be required for any CFAA wrongful access claim are (1) specificity as to what protected computer was accessed and (2) how the plaintiff believes the access occurred, in general. Because neither of these points had been pleaded in my case, in my motion to dismiss I thoroughly briefed the law that says a court is not always required to accept the plaintiff’s allegations as true: where the plaintiff makes nothing more than “bald allegations,” they are conclusory and, as a matter of law, not entitled to be assumed true. Here is the general gist of the three questions a court should ask per this argument; a “no” to any one question means the allegations in the complaint are insufficient:

  1. Ignoring all “bald allegations” and “legal conclusions,” do the “factual allegations” support the elements of the claim?
  2. If so, does common sense and judicial experience suggest the plaintiff’s theory of the claim is plausible or that there are more likely alternative explanations?
  3. If not, are the factual allegations supporting the discrete nuances of the claim strong enough to nudge the claim across the line from conceivable to plausible?

If you are interested in reading more of this argument, here is the Brief in Support of Motion to Dismiss Amended Complaint. There are also significant issues with the “information and belief” allegations, which is another issue that I briefed in the foregoing motion, which could be helpful in this case as they are used quite freely.

There are several key allegations in Absolute Energy’s Complaint that are pleaded as bald allegations and/or pleaded on information and belief and, therefore, should not be entitled to the presumption of truth:

“12.     Upon information and belief, Jason and Rhonda did, after Jason’s termination from Absolute, access on multiple occasions the computer system and e-mail system and accounts of Absolute, without the knowledge, permission, or authorization of Absolute.”

      • “computer system and e-mail system and accounts” is too generic of an allegation — which specific device or account is being claimed as a protected computer that was wrongfully accessed?
      • without more specificity as to what actual device or account was accessed, such a generic allegation should not suffice
      • How were the accesses accomplished? This too is important to know because it sheds a lot of light on the plausibility issue mentioned in the 3 question test.

“10.     Upon termination of Jason Trosclair’s employment, his authorization to access the computer system and e-mail accounts and/or system of Absolute was terminated.”

        • This goes to the plausibility issue — how was his authorization terminated?
        • Was he notified in an exit interview? Were his credentials revoked? Was there a policy somewhere that said it was terminated?
        • Without some specificity on this issue, this is nothing more than a “threadbare” legal conclusion that is not entitled to a presumption of truth.
        • Now add in the fact that he was a 25% owner of the company and his access to the email account was never shut off — does the mere fact that plaintiff pleaded “his authorization … was terminated” with nothing more push this across the line from conceivable to plausible?

The court ruled on the issues presented by counsel and, based on the arguments in the motions and responses, it made the safe ruling. However, based on the facts we learned from the Trosclairs’ declarations, there are some significant issues that Absolute Energy will need to address with its case — if not its Complaint — otherwise this may be a short-lived victory.

Did the Plaintiff adequately plead the jurisdictional threshold $5,000 loss?

Not even close (IMHO). I have written extensively about the $5,000 loss requirement (see posts). Have you, the readers of this blog, been paying attention? Let’s find out … according to the court:

“Plaintiff has alleged a loss exceeding $5,000. See Complaint, ¶ 23. To state a claim under the CFAA, Plaintiff is not required to allege … details or the exact nature of the loss. Rather, Plaintiff must simply allege sufficient damages to establish that the elements of a Section 1030(g) claim have been met, as Plaintiff has done here. [The court then footnotes the following:] Plaintiff’s damages allegations are sparse but are sufficient for present purposes, when read in light of the allegations in ¶ 29 of the Complaint. Because it is better practice, Plaintiff will be required to elaborate on the damages in an amended complaint ….”

What do you think? Do you see what I see? 3 references to damages?!?! Damages??? Ok, let’s review: Loss and Damage Are Not Interchangeable Under CFAA–District Court Blows Right Past CFAA’s “Loss” Requirement in Sysco Corp. v. Katz

Let’s have a look at what Absolute Energy pleaded as its loss:

Absolute Energy - Loss

And then we have Paragraph 29, which the court found to be important:

Let me put this as simply as I can:

LOSSES ARE NOT DAMAGES!

A LOSS MUST BE A COST UNLESS THERE IS AN INTERRUPTION OF SERVICE, WHICH IS NOT PLEADED HERE.

What did Absolute Energy plead?

  • “actual damages in excess of $75,000” NO!
  • “obtaining value of more than $5,000” NO!
  • “obtained information with a value in excess of $5,000” NO!
  • “loss of business” NO!
  • “loss of prospective business” NO!
  • “economic costs associated with Defendants’ tortious acts” MAYBE
  • “attorneys’ fees” MAYBE

I have said all I can say about this case for now and it will be interesting to see how it progresses.

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex intellectual property issues such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act. He is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as across the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

Will Sprint’s Multiple Computer Fraud and Abuse Act Lawsuits Highlight the District Court Split on Loss Jurisprudence?


Much has been written about the circuit split with regard to Computer Fraud and Abuse Act access jurisprudence. While this has been the primary focus of attention, there has been a similar divide among the district courts with regard to the loss jurisprudence. Given that the $5,000 loss requirement is the jurisdictional threshold that must be met in order to bring a civil CFAA claim — that is, the gatekeeper — the loss issue could prove to be more important than the access issue when it comes to expanding or limiting the often criticized use of the Computer Fraud and Abuse Act in civil cases.

Sprint’s CFAA Lawsuits In Multiple Jurisdictions

Sprint has gone to war against unauthorized resellers of Sprint telephones who allegedly unlock those phones so that they will operate on a network other than Sprint’s.  For this battle, the Computer Fraud and Abuse Act is one of Sprint’s weapons of choice. Since January 1, 2014, Sprint has filed lawsuits in several different jurisdictions throughout the country in which it asserts claims under the CFAA, including one right next door to me in the Northern District of Texas. Here are 3 that I found rather quickly:

  1. Sprint Solutions, Inc., and Sprint Communications Company L.P. v. Alain Martinez, Sr., Cause No. 2:14-cv-00224 in the United States District Court of New Jersey (Complaint filed Jan. 13, 2014);
  2. Sprint Solutions, Inc. and Sprint Communications Company L.P. v. Liang Jin Shao, individually and d/b/a Leo’s Computer Repair and Liberty Laundromat, Cause No. 2:14-cv-00545 in the United States District Court, Eastern District of Pennsylvania (Complaint filed Jan. 17, 2014); and
  3. Sprint Solutions, Inc. and Sprint Communications Company L.P. v. Zoubi Imports and Exports Inc., Mohammad Abdel Halawani, Ashraf Zoubi and Mohammad Zoubi a/k/a Mohammad Zebi, Cause No. 4:14-cv-00053 in the United States District Court, Northern District of Texas, Fort Worth Division (Complaint filed Jan. 27, 2014).

While the complaints in these three cases are very similar, though tailored as necessary to fit the unique facts of each case, the fact that they are in three different jurisdictions will make it interesting to see how the cases fare insofar as the CFAA claims are concerned, especially how the “loss” analysis will play out for each. There is still quite a bit of evolution going on with regard to the loss jurisprudence in the various districts and quite a few conflicts between them.

The District Court Split in CFAA Loss Jurisprudence

For example, on one end of the spectrum, in the Northern District of Texas we have seen a case allow the value of the trade secret information taken to be used in calculating the $5,000 loss even though there was no allegation of interruption of service. (see post) For the reasons stated in the post, I believe that particular case is an aberration and the other loss cases in the Northern District of Texas bear that out. Nonetheless, the case is still on the books and will need to be addressed by defendants Zoubi Imports and Exports Inc., Mohammad Abdel Halawani, Ashraf Zoubi and Mohammad Zoubi a/k/a Mohammad Zebi should they decide to file a Motion to Dismiss based on whether the $5,000 loss was adequately pleaded.

At the other end of the spectrum, the courts in the Eastern District of Pennsylvania are extremely strict when it comes to calculating the loss. Last year I handled the defense of a CFAA case in the Eastern District of Pennsylvania (yes, “that” case) and thoroughly briefed two motions to dismiss that were heavily premised on the EDPA’s strict loss jurisprudence. (Motion to Dismiss and Motion to Dismiss Amended Complaint) I convinced the plaintiff to dismiss the claims against my client with prejudice before the plaintiff filed a response or the court ruled on the motions, however, I remain very confident that the positions asserted in the motions were consistent with the EDPA’s standards on this issue and would have been successful.

In many of the cases I see, the plaintiff clearly does not have a clue about the requirements of the $5,000 loss for CFAA claims and how to plead that loss and the courts usually dismiss those claims early on. That is not the case here with Sprint and its lawyers. You can tell from their pleading that they know the standard they need to meet and they do a nice job of trying to put together enough of the required points to get there — do they get there? That’s a tough question that could be broken down into a few others:

  1. Do they get there under the standards of the EDPA cases (and many New Jersey cases)?
  2. Do they get there under the standards of most of the NDTX cases?
  3. Do they get there under the standard of the NDTX Meats by Linz case?
  4. And, perhaps most importantly, do they get there under a correct reading of Section 1030(g) — that is, my understanding of the section?

Let’s see what happens here.

What does this mean?

I have written extensively about the CFAA’s loss jurisprudence (here) and I find it to be one of the more challenging aspects of any civil CFAA claim as well as an important feature of the CFAA to keep it from being used in civil cases that do not justify “having a federal case made out of it.” What we now see with the multiple CFAA lawsuits that Sprint has filed are:

  1. the same plaintiff,
  2. with the same lawyer (James B. Baldinger as actual lead counsel),
  3. asserting what are essentially the same claims,
  4. under the same law,
  5. but in different jurisdictions.

This is a great scenario to highlight the district court split on loss jurisprudence under the Computer Fraud and Abuse Act that just may help lead to some clarity and unity on this relatively unnoticed yet crucial issue.

Fortunately for us, defendants Liang Jin Shao, individually and d/b/a Leo’s Computer Repair and Liberty Laundromat, Zoubi Imports and Exports Inc., Mohammad Abdel Halawani, Ashraf Zoubi and Mohammad Zoubi a/k/a Mohammad Zebi, and of course plaintiff Sprint, will bear the expense of fleshing this issue out but we can sit back and learn from their experiences! And, in reading the complaints, I do need to add that I not only see significant issues on both sides with the loss issue, but with the access issue as well (hint: see my post about policies) — these will be fun cases to watch.


US v. Nosal Court Provides Guidance on Calculation of “Loss” Under the Computer Fraud and Abuse Act (CFAA)


On January 13, 2014, the District Court in United States v. Nosal issued an Order Regarding the Calculation of Loss for Purposes of the Guidelines which, while aimed primarily at addressing the criminal sentencing guidelines, also provided some helpful principles for calculating a “loss” for purposes of 18 U.S.C. § 1030(g) of the Computer Fraud and Abuse Act (CFAA).

One of the things that makes this analysis of the loss issue so helpful is that it is being done after having so much activity in the case (including trial and appeal) on multiple issues and the record of the case is very well developed. Most of the loss cases out there are rulings on motions to dismiss or motions for summary judgment, both of which usually have a less developed record. In this case the court had already seen all of the evidence there was to see and, then looking backwards, was able to analyze whether the loss requirement had been satisfied.

Here are the principles the court looked to and provided in its analysis.

Principles from Case Law Broadly Construing the CFAA’s Definition of Loss

    • District courts have split on whether a victim’s internal investigations may be included within the definition of “loss” in § 1030(e)(11).
    • Where the offense involves unauthorized access and the use of protected information, discovering who has that information and what information he or she has is essential to remedying the harm.
    • The “cost of discovering the identity of the offender or the method by which the offender accessed the protected information” would be deemed to be “part of the loss for purposes of the CFAA.”
    • Costs associated with “identifying and ascertaining the extent” of defendant’s unauthorized access could satisfy the CFAA’s definition of loss.
    • It is not necessary for data to be physically changed or erased to constitute a loss or damage under the CFAA.
    • It is sufficient to show that there has been an impairment to the integrity of data, as when an intruder retrieves password information from a computer and the rightful computer owner must take corrective measures ‘to prevent the infiltration and gathering of confidential information.’ Costs associated with investigating intrusions into a computer network and taking subsequent remedial measures are losses within the meaning of the statute.

Principles from Case Law Narrowly Construing the CFAA’s Definition of Loss

    • Expending resources to analyze the system so as to discover how information was accessed is not considered.
    • The CFAA loss requirement was limited to “actual computer impairment” and where the plaintiff did not provide any evidence that its computer system was impaired or that its service was interrupted, it had failed to demonstrate a CFAA loss.
    • To state a claim based on loss, the loss must relate to the impairment or unavailability of data on a computer, and that loss does not include the cost of responding to a security breach.

Nosal Court’s Reasoning Adopting the Broad Construction of the CFAA’s Definition of Loss

    • Actual loss includes those costs incurred as part of an internal investigation reasonably necessary to respond to the offense, for example by identifying the perpetrator or the method by which the offender accessed the protected information.
    • The definition of loss includes, in part, costs reasonably necessary to resecure the data, program, system, or information from further damage.
    • The plain language of § 1030 includes in the definition of loss the cost of generally “responding to an offense.” In addition to this general statement, both provisions then expressly state that (1) conducting a damage assessment; (2) restoring data or a system to its prior condition; or (3) lost revenue resulting from any interruption of service all qualify as “loss.” If, as the cases which narrowly construe loss suggest, “loss” required some actual damage to a computer system or data, the phrase “responding to an offense” would be rendered superfluous by the more specific provisions.
    • In situations where the CFAA violation constitutes covert, unauthorized access into a computer system, taking corrective actions or otherwise “responding to an offense” will often be difficult (if not impossible) until the victim knows (1) who perpetrated the offense; (2) how the offense was perpetrated, and (3) the scope of any resulting damage or the degree to which the integrity of its data has been compromised. Individuals who access a computer without authorization and with an intent to defraud are unlikely to announce their presence, inform the victim what information they have accessed, and advise the victim on how it could protect itself in the future. Rather, an internal investigation will often be necessary to determine these critical facts. The very purpose of the “loss” enhancement to a Guideline offense level is that the reasonably foreseeable loss caused by an offender’s actions represents a proxy for that offender’s culpability.
    • Determining who breached the system security and the manner and extent of the intrusion, is a reasonable and foreseeable step a victim is expected to take in response to a CFAA violation; it may well inform what remedial steps need be taken, steps which are clearly cognizable as losses under the CFAA.
    • Costs in resecuring data, program, system or information from further damage constitute loss under the CFAA.
    • There may be instances where a victim has the information necessary to take corrective action without the need of an extensive investigation.
    • Costs incurred for the purpose of building or supporting the victim’s civil case should not be considered “loss” for purposes of the Guidelines calculation.

Loss and Damage Are Not Interchangeable Under CFAA–District Court Blows Right Past CFAA’s “Loss” Requirement in Sysco Corp. v. Katz

In denying a motion to dismiss a civil Computer Fraud and Abuse Act claim, a district court found that a departing employee’s purported cover-up of nefarious activity by deleting e-mails from his “sent” and “deleted items” folders on Plaintiffs’ computer system was sufficient to allege damage pursuant to 18 U.S.C. § 1030(c)(4)(A)(i) which provision, however, does not address the issue of damage at all — but only loss. The case is Sysco Corp. v. Katz, et al., 2013 WL 5519411 (N.D. Ill. Oct. 3, 2013) and I find it troubling.

Damage v. Loss — what difference does it make?

A lot. The two terms are completely different and each has its own unique role within the statutory framework of the CFAA.

The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Capitol Audio Access, Inc. v. Umemoto (for CFAA, disclosure of info not “damage” and evading license not “loss”)

Plaintiffs’ Allegations

In Sysco Corp., Defendant Katz was employed by Plaintiff Sysco Corp. He began discussing an offer of employment with Defendant Reinhart Foodservice (Plaintiff’s competitor) in April 2013, accepted an offer of employment with Reinhart on May 8, 2013, but did not announce his resignation until July 1, 2013. Plaintiff alleges that during the interim period from April 2013 until July 1, 2013, Katz emailed confidential and proprietary trade secret information from his company email account to his wife’s personal email account. Further, the Complaint states:

Katz then deleted the SGR/SC confidential e-mail messages and attachments he had sent to his wife’s e-mail, by first deleting them from his “sent” box. Once he did this, those messages and attachments migrated to his “deleted items” folder. In an effort to permanently delete all of the messages, he then took the additional step of deleting the messages and attachments in the ‘deleted items’ folder, such that the record of Katz sending the e-mail messages and documents to his wife’s e-mail account all but vanished. Only because the Sysco Companies acted quickly, did they discover that Katz had intentionally attempted to delete e-mails containing confidential documents that he had sent to his wife. But because Plaintiffs acted quickly, they were able to restore this information in Outlook and review the messages that Katz had sent to his wife’s email account, and the types of documents attached to those messages.

Complaint ¶ 40. Plaintiff alleges both access violations (Complaint ¶¶ 63, 65) and transmission violations (Complaint ¶ 66) of the CFAA. Plaintiff’s Complaint alleges that it sustained a $5,000 loss and properly references the costs for which such loss are typically acceptable: “Through their actions in violation of 18 U.S.C. § 1030 (a)(2), 18 U.S.C. § 1030(a)(4), 18 U.S.C. § 1030(a)(5)(A)-(C), Defendants have caused Plaintiffs to incur losses for responding to and investigating Defendants’ conduct and for conducting a forensic damages assessment, which continues. Such losses exceed $5,000.00 in a one-year period, in violation of 18 U.S.C. § 1030(g) and (c)(4)(A)(i)(I).” Complaint ¶67.

Defendants’ Motions to Dismiss

Defendant Reinhart filed a Motion to Dismiss and Katz filed a Motion to Dismiss which basically adopted Reinhart’s. Katz argued “Plaintiffs’ claim under the CFAA must fail because Plaintiffs have not alleged that they suffered either “loss” or “damage” as defined under the CFAA. Katz joins and incorporates by reference Reinhart’s arguments as if fully stated herein.” Id. at p. 7. Reinhart’s Motion seems to have adequately raised the issue of whether Plaintiff sufficiently alleged a loss which, as addressed ad nauseam in these posts, this article, and this article, is an absolute prerequisite jurisdictional threshold to moving forward on a civil CFAA claim. Motion to Dismiss p. 7-8.

The Court’s Focus on Damage – Ignoring the Jurisdictional Threshold Requirement of Loss

The court in this case seems to treat damage and loss as an either/or proposition, where finding one will suffice for the other: “To succeed on a CFAA claim brought under § 1030(a)(5)(B), a plaintiff must prove the damage or loss resulted in losses to one or more persons during any one-year period aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i). Technically, that may be correct; however, to prevail on a civil claim pursuant to that section, there must be a loss. Section 1030(c)(4)(A)(i) is the second level of what must be established to assert a civil claim for violating the CFAA. Here is how it works:

  1. Section 1030(g) is what authorizes a civil claim for violations of the CFAA: “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator . . . . A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).”
  2. Of the 5 factors listed in subsection (c)(4)(A)(i), only one applies to business cases (for all practical purposes), the loss requirement, without which there can be no civil claim: “(I) loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value;”
  3. Unless both steps 1 and 2 above are satisfied, there can be no civil claim for violating the CFAA in most business cases, including this one.

Loss and Damage Are Not Interchangeable — If There Is No Loss, There Is No Civil CFAA Claim

In its analysis, the Sysco Court completely blows past the loss requirement of 18 U.S.C. § 1030(c)(4)(A)(i)(I) and addresses only whether there is damage, which does not satisfy the jurisdictional threshold for bringing a civil CFAA claim: “Reinhart and Katz contend that Plaintiffs have not alleged damage or loss as those terms are used by the CFAA…. These allegations are sufficient to allege damage as to Katz, but not as to Reinhart.”

Perhaps the Sysco Court simply assumes, without stating, that the Complaint adequately pleaded the loss and it did not need to be addressed any further. However, the language used by the court suggests otherwise; it suggests that the court treated the loss and damage requirements as being interchangeable although the statutory language of section 1030(g) is very clear that they are not — “A civil action … may be brought only if” — is a pretty direct statement.

As to the allegations of loss in the Complaint, the Plaintiff did a better job than most do by invoking alleged costs in responding to the wrongful activity; however, given the facts of the case, it is not certain that such allegations are plausible and they may require further elaboration. Plaintiffs claim “losses for responding to and investigating Defendants’ conduct and for conducting a forensic damages assessment, which continues.” Complaint ¶67. However, the facts alleged are that Defendant Katz deleted email from the Outlook program on Plaintiff’s computer system, specifically from the “sent” and “deleted items” folders. Whether $5,000 in costs for restoring Outlook emails — most likely by in-house IT folks — is reasonable is also a requirement and should certainly be addressed, whether in a Motion for Reconsideration or a Motion for Summary Judgment.

Computer Fraud and Abuse Act Cases Update (March 6, 2013)

Here are some recent Computer Fraud and Abuse Act (“CFAA”) cases that have been decided (or published) over the last couple of weeks:

Tracfone Wireless, Inc. v. Cabrera, 883 F. Supp.2d 1220 (S.D. Fla. July 11, 2012). Defendant, a former employee who engaged in selling stolen TracFone Prepaid Phones, violated the unauthorized access with intent to defraud (18 U.S.C. § 1030(a)(4)) and unauthorized access (18 U.S.C. § 1030(a)(5)) provisions through his unauthorized access to TracFone’s computer system, using improperly obtained codes and information to obtain access to the system and alter information in the system to generate and obtain stolen airtime and services which he then sold. This is a default judgment case but the court goes through a detailed explanation of the loss / interruption of service analysis that is worth reading.

Dalzell Management Co., Inc. v. Bardonia Plaza, LLC, 2013 WL 592672 (S.D.N.Y. Feb. 15, 2013). This is an interesting case where there are two lawsuits, one state and one federal, and the Defendants moved to dismiss the federal suit (which alleged the Computer Fraud and Abuse Act claim) based on the Colorado River Abstention Doctrine. The court denied the motion to dismiss. The allegations giving rise to the CFAA claim were given but the decision did not address the substantive merits of the CFAA claim. Plaintiff (a real estate management company) leased office space in Defendant’s building with a portion of the rent being a percentage of rents collected by Plaintiff. Defendant evicted Plaintiff and, during the process, had its IT staff copy data from Plaintiff’s computer system which included Plaintiff’s proprietary and confidential information as well as banking information. According to Plaintiff, Defendant did not have authorization to access its computer system, which gave rise to the CFAA claim under 18 U.S.C. § 1030(a)(2) for unauthorized access to obtain information from a protected computer.

Sebrite Agency, Inc. v. Platt, 884 F. Supp.2d 912 (D. Minn. Aug. 7, 2012). The court granted a motion to dismiss Plaintiff’s Computer Fraud and Abuse Act claim. The Plaintiff, an insurance agency, alleged that its former agent (and his girlfriend) set up a competing agency and was trying to steal its clients and, for purposes of the CFAA claim, accessed Plaintiff’s computers without authorization or in excess of authorization by forwarding e-mails containing confidential company information for roughly 74 of its clients to their own e-mail. The court followed the Strict Access Theory (see explanation toward bottom of post) and determined that, because the former agent had been authorized to access all of this information at the time of the access, he did not access computers or databases that he was forbidden to use.

As the parties recognize, the federal courts have disagreed about whether the CFAA is violated when a person who has authority to “access[] a protected computer” misuses the information that he or she obtains.[2] This Court previously endorsed the narrower interpretation of the CFAA, holding that the misuse or misappropriation of confidential information stored on a computer to which the defendant has authority to access does not give rise to liability. See Xcedex, Inc. v. VMware, Inc, No. 10-CV-3589 (PJS/JJK), 2011 WL 2600688, at *4-5 (D. Minn. June 8, 2011), adopted by 2011 WL 2581754, at *1 (D. Minn. June 30, 2011). The Eighth Circuit still has not directly addressed this question, and nothing in the cases decided since Xcedex has persuaded the Court to change its mind.[3] The Court continues to believe that the narrower interpretation of the CFAA is more consistent with statutory text, legislative history, and the rule of lenity. See Walsh Bishop, 2012 WL 669069, at *3. Moreover, the broader interpretation would transform just about every state-law claim for misappropriation of trade secrets into a federal lawsuit, see Condux, 2008 WL 5244818, at *6, not to mention expose employees who violate their employers’ computer-use restrictions to criminal liability, see Nosal, 676 F.3d at 861-62. The Court continues to believe that, if Congress meant to so vastly expand the jurisdiction of the federal courts, Congress would have been much more explicit.

Under the Court’s interpretation of the CFAA, Sebrite’s allegation that Platt improperly used confidential information that he had authority to access fails to state a claim under 18 U.S.C. § 1030(a)(4). Count IX is therefore dismissed.

West Plains, L.L.C. v. Retzlaff Grain Co. Inc., 2013 WL 705859 (D. Neb. Feb. 26, 2013). This is an opinion granting a Motion for Preliminary Injunction based primarily on misappropriation of trade secrets. The Plaintiff did bring a claim for violating the Computer Fraud and Abuse Act, though the substantive merits of the claim were not addressed in this opinion. The opinion is still worth reading because of the trade secrets analysis in the context of a preliminary injunction.

Plaintiff’s CFAA Claim Dismissed Because of Simple Pleading Error

This blog is full of posts about the Computer Fraud and Abuse Act’s requirement that, for a civil claim, the claimant must plead a $5,000 loss. One of the operative words in that sentence is plead — not argue — but plead! This means it must be in your pleading, which is either the Complaint in Federal Court or the Petition in State Court (Texas, anyway).

Unfortunately for the Plaintiff in Sharma v. Howard County, 2013 WL 530948 (D. Md. Feb. 12, 2013), they apparently simply forgot to include that $5,000 loss allegation in the pleading. The Plaintiff brought the CFAA claim in the Original Complaint and then the Defendant filed a Motion to Dismiss on the basis of a failure to plead the requisite $5,000 loss.  The Plaintiff then filed a Response to Motion to Dismiss and Brief in Support as well as an Amended Complaint. While the Court implies that Plaintiff did an adequate job of arguing the $5,000 loss in its Brief, apparently the Plaintiff (i.e., Plaintiff’s attorney) forgot to include the substance of that argument in the Amended Complaint and, therefore, the Court dismissed the CFAA claim:

Plaintiff asserts in his brief that he incurred costs as a result of his counsel’s investigation of the alleged CFAA violation. But the amended complaint does not allege that Plaintiff incurred costs as a result of this investigation or that those costs aggregated to at least $5,000. Therefore, Plaintiff’s CFAA claim must be dismissed.

While this result is certainly unfortunate for the Plaintiff, it is worth noting that courts in general have not decided on a clear-cut rule as to whether the attorneys’ fees associated with investigating a Computer Fraud and Abuse Act violation are calculated in the $5,000 loss. This Court seems to side with those that do include that cost as part of the “loss”.

Now you have one more good reason why, if you suspect you or your company may be the victim of a CFAA violation, you need to contact a qualified attorney and have them lead the investigation. If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).