Plaintiff had interesting claim under the CFAA but couldn’t get there due to that pesky “loss” requirement
Does an employer violate the Computer Fraud and Abuse Act by remotely wiping an employee’s personal mobile device that was connected to the employer’s server and contained its data?
The United States District Court for the Southern District of Texas was poised to answer this question but did not reach the issue. The court found, as in most of these cases, the plaintiff did not satisfy the jurisdictional threshold $5,000 loss requirement.
What we did get, however, is a strong analysis of how the federal courts in Texas interpret the loss requirement of the CFAA.
Something to think about — would this have violated the CFAA?
The plaintiff in Rajaee v. Design Tech Homes, Ltd. claimed that his job required him to have constant access to email to do his job. His employer did not provide him with a mobile device so he used his own personal iPhone 4 to conduct his work for Defendants. Plaintiff’s iPhone was connected to his employer’s network server to allow him to remotely access the email, contact manager, and calendar provided by the employer. The parties disagreed over who connected the device or whether it was authorized.
Plaintiff resigned his employment with Defendants and, a few days later, Defendants’ network administrator remotely wiped Plaintiff’s iPhone, restoring it to factory settings and deleting all the data, both personal and work-related, on the iPhone.
Plaintiff sued Defendants alleging that their actions caused him to lose more than 600 business contacts collected during his career, family contacts, family photos, business records, irreplaceable business and personal photos and videos, and numerous passwords.
Plaintiff sued for violations of the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, and various state law claims.
Violation of the Electronic Communications Privacy Act
The Court found the Defendants’ actions did not violate the Stored Communication Act prong of the ECPA: “the Fifth Circuit has held that ‘information that an individual stores to his hard drive or cell phone is not in electronic storage under the statute.’” The information Plaintiff claimed was deleted was stored on his cell phone and not covered by the SCA.
Unauthorized Access Under the Computer Fraud and Abuse Act
The Court does not reach the issue of whether Defendants’ actions were an unauthorized access under the CFAA but that doesn’t mean we can’t think about it ourselves. In fact, over a year ago my friend Jim Brashear (@JFBrashear) and I talked about this and he suggested I write something about it. I didn’t. I should have.
What we do know from the court’s opinion are the following things:
- Plaintiff owned the iPhone
- The iPhone contained Plaintiff’s personal data
- The iPhone was connected to Defendants’ server
- The iPhone contained Defendants’ data
- Defendants’ network administrator somehow remotely wiped all of the data — Plaintiff’s and Defendants’ — from the iPhone
We also know that a cell phone is considered a “protected computer” under the CFAA (post). So, we have a protected computer that — somehow — has its data wiped by someone other than its owner. What we do not know from the opinion, but need to know, are:
- What authorization did Plaintiff have to retain Defendants’ data on his device after his employment terminated?
- What authorization did Plaintiff give Defendants to access his device when (whomever) connected it to Defendants’ server (beyond the fact that by connecting to the server Plaintiff was necessarily giving Defendants authorization for their server to communicate with his device)?
- Assuming Plaintiff gave any authorization to Defendants, did that authorization continue for as long as Plaintiff maintained the connection to Defendants’ server?
- What means did Defendants’ network administrator use to remotely wipe the device, and what steps were taken beforehand to give Defendants the ability to do that?
I believe the answers to these questions are important in this analysis. If I were the judge, these are things I would want to know.
A hack back?
Thinking in the big picture, this scenario reminds me of the ongoing debate over whether it is acceptable for a company to “hack back” — that is, after a hacker has stolen data from a company, whether the company can in turn hack the attacking hacker (“you drew first blood” – Rambo) to either retrieve or destroy its (or its customers’) data that is now residing on the hacker’s system, likely in some far off land.
The arguments on both sides of the hack back issue are vigorous and I am not foolish enough to think I could resolve the issue here. I just want to point out that, in the big picture, the rationale seems somewhat similar: someone else has your data, they are not entitled to keep it, you do not want them to keep it, so go zap it!
Loss Under the Computer Fraud and Abuse Act
The real value in the Rajaee Opinion comes from the court’s analysis of the loss issue. As I discussed the CFAA’s loss requirement in another post, “I find it to be one of the more challenging aspects of any civil CFAA claim as well as an important feature of the CFAA to keep it from being used in civil cases that do not justify ‘having a federal case made out of it.’”
Meeting the loss requirement is a jurisdictional threshold that must be met before a plaintiff can bring a civil claim under the CFAA. “Although the CFAA is a criminal statute, Section 1030(g) provides a private right of action ‘for [a]ny person who suffers damage or loss by reason of a violation of this section.’”
The terms “damage” and “loss” are statutorily defined terms that each have a unique meaning under the CFAA, which meanings also differ from the meaning of “damages.” This is important to remember.
The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Capitol Audio Access, Inc. v. Umemoto (for CFAA, disclosure of info not “damage” and evading license not “loss”)
Courts still routinely get this wrong despite the fact that “loss” is defined in subsection (e)(11): “the term ‘loss’ means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
While the Rajaee Opinion does not rise to the level of analysis of the Nosal Court’s Opinion, which thoroughly discusses the various views of the CFAA loss jurisprudence, it is one of the more thorough ones I have seen from a federal court in Texas.
Because this case involves a ruling on a motion for summary judgment, the Plaintiff has the burden of providing evidence to support his allegations. The Rajaee Court required Plaintiff to point to evidence that, if believed by the trier of fact, would be sufficient to show that his loss did in fact exceed $5,000. Plaintiff referred the court to a declaration in which he described the losses he suffered as a result of Defendants’ deletion of his personal data as being:
- pictures of his personal home rehabilitation project, which decreased the value of the remodel by at least $50,000;
- pictures and video of family, friends, and his dogs, which he values at $3,500;
- all cell phone contacts after 2009, which he values at over $50,000 based on his diminished employability;
- all of Plaintiff’s text messages, which he values at $1,000; and
- all of his notes and email accounts, which he values at $600.
The court was correct in agreeing with the Defendants who argued that none of these items qualified as loss. “Plaintiff [did] not produce evidence of any costs he incurred to investigate or respond to the deletion of his data, nor do the losses and damages for which he does produce evidence arise from an ‘interruption of service.’”
Because of this, the court dismissed the CFAA claim.
Important CFAA Loss Principles Applied in this Case
In reaching its decision, the court referenced and stated the following propositions of law that will be helpful for any party to understand in a civil case in the federal courts in Texas, especially the Southern District:
- Although the CFAA is a criminal statute, Section 1030(g) provides a private right of action “for [a]ny person who suffers damage or loss by reason of a violation of this section.” 18 U.S.C. § 1030(g); Fiber Sys. Int’l, Inc. v. Roehrs, 470 F.3d 1150, 1156 (5th Cir. 2006).
- The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Id. § 1030(e)(11).
- “The term ‘loss’ encompasses only two types of harm: costs to investigate and respond to an offense, and costs incurred because of a service interruption.” Alliantgroup, L.P. v. Feingold, 803 F. Supp. 2d 610, 630 (S.D. Tex. 2011) (Rosenthal, J.) (citing Quantlab Techs. Ltd. (BVI) v. Godlevsky, 719 F. Supp. 2d 766, 776-77 (S.D. Tex. 2010) (Ellison, J.); Nexans Wires S.A. v. Sark-USA, Inc., 319 F. Supp. 2d 468, 472-78 (S.D.N.Y. 2004), aff’d, 166 F. App’x 559, 562-63 (2d Cir. 2006) (holding $10 million in lost profits caused by misappropriation of confidential data was not recoverable under the CFAA, which permits recovery of lost revenue only when connected to an “interruption of service.”)); see also Resdev, LLC v. Lot Builders Ass’n, Inc., 6:04-CV-13740RL31DAB, 2005 WL 1924743, at *4 (M.D. Fla. Aug. 10, 2005) (“By use of the term ‘cost’ and its listing potential injuries directly associated with, or with addressing, an unauthorized-computer-access event, the CFAA plainly enumerates a narrow grouping of ‘loss’ distinct from — and thus excluding — the far greater range of losses that could flow from a violation of the CFAA.”).
- “[C]ase law has consistently interpreted the loss provision to encompass only the costs incurred as a result of investigating or remedying damage to a computer, or costs incurred because the computer’s service was interrupted.” See M-I LLC v. Stelly, 733 F. Supp. 2d 759, 780 (S.D. Tex. 2010) (Ellison, J.).
- “Various courts have interpreted ‘loss’ to mean the remedial costs of investigating a computer for damage, remedying damage done, and costs incurred while the computer is inoperable.” Clinton Plumbing & Heating of Trenton, Inc. v. Ciaccio, CIV. 09-2751, 2010 WL 4224473, at *6 (E.D. Pa. Oct. 22, 2010).
- “If [plaintiffs] had lost revenue because the computer systems . . . were down, that would seem to be the type of lost revenue contemplated by the statute.” Nexans Wires, 319 F. Supp. 2d at 477, aff’d, 166 F. App’x 559.
- Although defendants allegedly deleted data from plaintiff’s computer, plaintiff “did not suffer an interruption of service.” Frees, Inc. v. McMillian, CIV.A. 05-1979, 2007 WL 2264457, at *2 (W.D. La. Aug. 6, 2007).
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service business law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.