Loss and Damage Are Not Interchangeable Under CFAA–District Court Blows Right Past CFAA’s “Loss” Requirement in Sysco Corp. v. Katz


In denying a motion to dismiss a civil Computer Fraud and Abuse Act claim, a district court found that a departing employee’s purported cover-up of nefarious activity by deleting e-mails from his “sent” and “deleted items” folders on Plaintiffs’ computer system was sufficient to allege damage pursuant to 18 U.S.C. § 1030(c)(4)(A)(i). That provision, however, does not address the issue of damage at all — but only loss. The case is Sysco Corp. v. Katz, et al., 2013 WL 5519411 (N.D. Ill. Oct. 3, 2013) and I find it troubling.

Damage v. Loss — what difference does it make?

A lot. The two terms are completely different and each has its own unique role within the statutory framework of the CFAA.

The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information, and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Capitol Audio Access, Inc. v. Umemoto (for CFAA, disclosure of info not “damage” and evading license not “loss”).

Plaintiffs’ Allegations

In Sysco Corp., Defendant Katz was employed by Plaintiff Sysco Corp. He began discussing an offer of employment with Defendant Reinhart Foodservice (Plaintiff’s competitor) in April 2013, accepted an offer of employment with Reinhart on May 8, 2013, but did not announce his resignation until July 1, 2013. Plaintiff alleges that during the interim period from April 2013 until July 1, 2013, Katz emailed confidential and proprietary trade secret information from his company email account to his wife’s personal email account. Further, the Complaint states:

Katz then deleted the SGR/SC confidential e-mail messages and attachments he had sent to his wife’s e-mail, by first deleting them from his “sent” box. Once he did this, those messages and attachments migrated to his “deleted items” folder. In an effort to permanently delete all of the messages, he then took the additional step of deleting the messages and attachments in the ‘deleted items’ folder, such that the record of Katz sending the e-mail messages and documents to his wife’s e-mail account all but vanished. Only because the Sysco Companies acted quickly, did they discover that Katz had intentionally attempted to delete e-mails containing confidential documents that he had sent to his wife. But because Plaintiffs acted quickly, they were able to restore this information in Outlook and review the messages that Katz had sent to his wife’s email account, and the types of documents attached to those messages.

Complaint ¶ 40. Plaintiff alleges both access violations (Complaint ¶¶ 63, 65) and transmission violations (Complaint ¶ 66) of the CFAA. Plaintiff’s Complaint alleges that it sustained a $5,000 loss and properly references the costs for which such loss is typically acceptable: “Through their actions in violation of 18 U.S.C. § 1030 (a)(2), 18 U.S.C. § 1030(a)(4), 18 U.S.C. § 1030(a)(5)(A)-(C), Defendants have caused Plaintiffs to incur losses for responding to and investigating Defendants’ conduct and for conducting a forensic damages assessment, which continues. Such losses exceed $5,000.00 in a one-year period, in violation of 18 U.S.C. § 1030(g) and (c)(4)(A)(i)(I).” Complaint ¶ 67.

Defendants’ Motions to Dismiss

Defendant Reinhart filed a Motion to Dismiss, and Katz filed a Motion to Dismiss which basically adopted Reinhart’s. Katz argued “Plaintiffs’ claim under the CFAA must fail because Plaintiffs have not alleged that they suffered either “loss” or “damage” as defined under the CFAA. Katz joins and incorporates by reference Reinhart’s arguments as if fully stated herein.” Id. at p. 7. Reinhart’s Motion seems to have adequately raised the issue of whether Plaintiff sufficiently alleged a loss which, as addressed ad nauseam in these posts, this article, and this article, is an absolute prerequisite jurisdictional threshold to moving forward on a civil CFAA claim. Motion to Dismiss p. 7-8.

The Court’s Focus on Damage — Ignoring the Jurisdictional Threshold Requirement of Loss

The court in this case seems to treat damage and loss as an either/or proposition — where finding one will suffice for the other: “To succeed on a CFAA claim brought under § 1030(a)(5)(B), a plaintiff must prove the damage or loss resulted in losses to one or more persons during any one-year period aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i). Technically, that may be correct; however, to prevail on a civil claim pursuant to that section, there must be a loss. Section 1030(c)(4)(A)(i) is the second level of what must be established to assert a civil claim for violating the CFAA. Here is how it works:

  1. Section 1030(g) is what authorizes a civil claim for violations of the CFAA: “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator . . . . A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).”
  2. Of the 5 factors listed in subsection (c)(4)(A)(i), only one applies to business cases (for all practical purposes) — the loss requirement — without which there can be no civil claim: “(I) loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value;”
  3. Unless both steps 1 and 2 above are satisfied, there can be no civil claim for violating the CFAA in most business cases, including this one.

Loss and Damage Are Not Interchangeable — If There Is No Loss, There Is No Civil CFAA Claim

In its analysis, the Sysco Court completely blows past the loss requirement of 18 U.S.C. § 1030(c)(4)(A)(i)(I) and addresses only whether there is damage, which does not satisfy the jurisdictional threshold for bringing a civil CFAA claim: “Reinhart and Katz contend that Plaintiffs have not alleged damage or loss as those terms are used by the CFAA…. These allegations are sufficient to allege damage as to Katz, but not as to Reinhart.”

Perhaps the Sysco Court simply assumes, without stating, that the Complaint adequately pleaded the loss and it did not need to be addressed any further. However, the language used by the court suggests otherwise; it suggests that the court treated the loss and damage requirements as being interchangeable, although the statutory language of section 1030(g) is very clear that they are not: “A civil action … may be brought only if” is a pretty direct statement.

As to the allegations of loss in the Complaint, the Plaintiff did a better job than most do by invoking alleged costs in responding to the wrongful activity; however, given the facts of the case it is not certain that such facts are plausible and they may require further elaboration. Plaintiffs claim “losses for responding to and investigating Defendants’ conduct and for conducting a forensic damages assessment, which continues.” Complaint ¶ 67. However, the facts alleged are that Defendant Katz deleted email from the Outlook program on Plaintiff’s computer system, specifically from the “sent” and “deleted items” folders. Determining whether $5,000 in costs for restoring Outlook emails — most likely by in-house IT folks — is reasonable is also a requirement and should certainly be addressed, whether in a Motion for Reconsideration or a Motion for Summary Judgment.

Published by Shawn E. Tuma

Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at stuma@spencerfane.com.
