US v. Nosal Court Provides Guidance on Calculation of “Loss” Under the Computer Fraud and Abuse Act (CFAA)

On January 13, 2014, the District Court in United States v. Nosal issued an Order Regarding the Calculation of Loss for Purposes of the Guidelines which, while aimed primarily at addressing the criminal sentencing guidelines, also provided some helpful principles for calculating a “loss” for purposes of 18 U.S.C. § 1030(g) of the Computer Fraud and Abuse Act (CFAA).

One of the things that makes this analysis of the loss issue so helpful is that it is being done after having so much activity in the case (including trial and appeal) on multiple issues and the record of the case is very well developed. Most of the loss cases out there are cases rulings on motions to dismiss or motions for summary judgment, both of which usually have a less developed record. In this case the court had already seen all of the evidence there was to see and, then looking backwards, was able to analyze whether the loss requirement had been satisfied.

Here are the principles the court looked to and provided in its analysis.

Principles from Case Law Broadly Construing the CFAA’s Definition of Loss

• District courts have split on whether a victim’s internal investigations may be included within the the definition of “loss” in 1030 § 1030(e)(11).
• Where the offense involves unauthorized access and the use of protected information, discovering who has that information and what information he or she has is essential to remedying the harm.
• The “cost of discovering the identity of the offender or the method by which the offender accessed the protected information” would be deemed to be “part of the loss for purposes of the CFAA.
• Costs associated with “identifying and ascertaining the extent” of defendant’s unauthorized access could satisfy the CFAA’s definition of loss.
• It is not necessary for data to be physically changed or erased to constitute a loss or damage under the CFAA.
• It is sufficient to show that there has been an impairment to the integrity of data, as when an intruder retrieves password information from a computer and the rightful computer owner must take corrective measures `to prevent the infiltration and gathering of confidential information.’ Costs associated with investigating intrusions into a computer network and taking subsequent remedial measures are losses within the meaning of the statute.

Principles from Case Law Narrowly Construing the CFAA’s Definition of Loss

• Expending resources to analyze the system so as to discover how information was accessed is not considered.
• The CFAA loss requirement was limited to “actual computer impairment” and where the plaintiff did not provide any evidence that its computer system was impaired or that its service was interrupted, it had failed to demonstrate a CFAA loss.
• To state a claim based on loss, the loss must relate to the impairment or unavailability of data on a computer, and that loss does not include the cost of responding to a security breach.

Nosal Court’s Reasoning Adopting the Broad Construction of the CFAA’s Definition of Loss

• Actual loss includes those costs incurred as part of an internal investigation reasonably necessary to respond to the offense, for example by identifying the perpetrator or the method by which the offender accessed the protected information.
• The definition of loss includes, in part, costs reasonably necessary to resecure the data, program, system, or information from further damage.
• The plain language of § 1030 includes in the definition of loss the cost of generally “responding to an offense.” In addition to this general statement, both provisions then expressly state that (1) conducting a damage assessment; (2) restoring data or a system to its prior condition; or (3) lost revenue resulting from any interruption of service all qualify as “loss.” If, as the cases which narrowly construe loss suggest, “loss” required some actual damage to a computer system or data, the phrase “responding to an offense” would be rendered superfluous by the more specific provisions.
• in situations where the CFAA violation constitutes covert, unauthorized access into a computer system, taking corrective actions or otherwise “responding to an offense” will often be difficult (if not impossible) until the victim knows (1) who perpetrated the offense; (2) how the offense was perpetrated, and (3) the scope of any resulting damage or the degree to which the integrity of its data has been compromised. Individuals who access a computer without authorization and with an intent to defraud are unlikely to announce their presence, inform the victim what information they have accessed, and advise the victim on how it could protect itself in the future. Rather, an internal investigation will often be necessary to determine these critical facts. The very purpose of the “loss” enhancement to a Guideline offense level is that the reasonably foreseeable loss caused by an offender’s actions represents a proxy for that offender’s culpability.
• Determining who breached the system security and the manner and extent of the intrusion, is a reasonable and foreseeable step a victim is expected to take in response to a CFAA violation; it may well inform what remedial steps need be taken, steps which are clearly cognizable as losses under the CFAA.
• Costs in resecuring data, program, system or information from further damage constitutes loss under the CFAA.
• There may be instances where a victim has the information necessary to take corrective action without the need of an extensive investigation.
• Costs incurred for the purpose of building or supporting the victim’s civil case should not be considered “loss” for purposes of the Guidelines calculation.