Under the Computer Fraud and Abuse Act (“CFAA”), an employee’s mere taking of confidential information, without more, does not constitute a “loss” as required by the statute.
On March 28, 2011, the United States District Court for the Eastern District of Wisconsin entered on Order in Direct Supply, Inc. v. Pedersen, No. 10-C-0278 (E.D. Wis. 2011), granting Pedersen’s Motion to Dismiss for failure to state a valid claim under the CFAA. Direct Supply sued Pedersen, its former employee, alleging that during his employment Pedersen had taken confidential information and gave it to a third party, purportedly to later extort Direct Supply. Direct Supply alleged that it
incurred loss of at least $5,000 in a one-year period as a result of Pedersen’s unauthorized possession, access, and copying of Direct Supply’s proprietary information.” (Order p. 4).
The court found that allegation alone did not adequately state a “loss” which the CFAA defines as:
any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” (Order p. 3).
Accordingly, the court determined than an employee’s unauthorized accessing, copying, and possessing confidential information–without more–does not constitute a loss to the employer under the CFAA.