Computers are an integral part of our personal and business lives and they are used for nearly everything. Given the breadth of what is considered a computer under the state and federal computer hacking laws,[1] it takes little effort to comprehend that indeed everything does have a computer in it. Just as computers have become the instruments of war among nations, so too have they in the business world. Business and war, whether they truly are one in the same is a matter of perspective, but they each have the same objective—to win, to defeat the enemy.

In the business world there are scores of business competitors, as well as skilled individuals, who pose a threat to businesses from subversive activities that they can easily cause with computers. Chief among their activities is using computers as artifices of fraud. This threat will not go away until there is something more efficient than a computer to replace it as their weapon of choice. Why? Because for some it is just part of their human nature to do anything to get what they desire, regardless of how dishonest of means they must employ. Because computer fraud is a very lucrative business, it incentivizes the dishonest to continue to adapt their techniques and find more efficient means of accomplishing their reprehensible purposes. The epidemic of computer fraud will certainly continue to increase.[2]

Right now, somewhere, someone is directing a computer fraud attack against businesses that will cause them harm. Those businesses will seek help and guidance from litigators. Many of these situations will result in courtroom battles where attorneys will serve as their clients’ generals. The companies will look to these generals to direct this battle as efficiently as possible, using the most effective weapons available. In all likelihood, the battle will involve the Computer Fraud and Abuse Act and, in Texas, the Breach of Computer Security and Harmful Access by Computer Act.

In such a situation, an attorney’s understanding of these laws will prove invaluable. The CFAA is a highly complex federal law that provides civil remedies for economic damages, equitable relief, and perhaps most important of all, injunctive relief that, when properly used, can end a battle almost as quickly as it begins. This is very powerful. However, the CFAA’s complexity makes it a veritable mine-field of procedural and substantive requirements that must be satisfied in order to successfully assert and ultimately prevail on a CFAA claim. To add to its complexity, the CFAA is a relatively new body of law and its jurisprudence is continuing to evolve in a way that often makes its provisions unpredictable from case to case and court to court No one can predict exactly how courts will apply the CFAA to each case, for it is not static. There are few well-settled rules for the CFAA. Regardless of how skilled a litigator one may be, in order to be adequately prepared, the attorney must not only have an appreciation of this fact, but also have enough of an understanding of how the CFAA works to be able to argue the reasoning for how and why certain rules should apply.

Sun Tzu was correct: in every battle, preparation is indeed the key to winning.[3] Because of the CFAA’s complexity, unsettled evolving nature, and the great many cases interpreting and applying it, both time and effort are required to adequately prepare for this battle. Accordingly, the litigator should prepare himself beforehand—he should “mak[e] many calculations in his temple before the battle is fought”[4] to be the general who wins. That is what clients expect and deserve from their litigators: to be prepared and, more often than not, win.

Will you, as your client’s general, be prepared for this battle?

II. THE TWO PRIMARY COMPUTER HACKING LAWS USED IN TEXAS.

There are two primary laws that are used to prosecute computer hacking in Texas criminal and civil cases. The first is the federal Computer Fraud and Abuse Act[5] (CFAA). The second is the Texas Breach of Computer Security[6] (BCS) law.

These laws are often referred to as “unauthorized access” laws because they prohibit accessing computers by people who are not authorized to do so. The word “access” is very important in understanding how these laws operate because a lot of the litigation focuses on the issue of what is, or is not, an “access” of a computer. As you read through the statutory language of the two laws, pay special attention to the access language and think about what you believe it means to access computers.

III. THE COMPUTER FRAUD AND ABUSE ACT (CFAA).

The CFAA is a criminal statute that was enacted in 1986.[7] In 1994, an amendment to the statute added a provision that allows a complainant to bring a private civil cause of action for many violations of the Act.[8]

Generally, the CFAA prohibits the misuse of computers by intentionally or knowingly accessing a computer “without authorization” or by “exceed[ing] authorized access.”[9] In theory, the statute indicates that the “without authorization” prong should apply to users who do not have any access privileges. These individuals are referred to as “outsiders.” The “exceeds authorized access” prong applies to individuals who have limited access privileges. These users are referred to as “insiders” or “privileged users.” In practice, however, there is significant confusion between the two concepts, and in some cases these prongs are used interchangeably. The author has discussed the interchangeability of the two concepts in other articles and it is beyond the scope of this article.[10] It is sufficient to simply recognize the confusion between the two prongs of the CFAA.

The CFAA is the most frequently used law for combating computer hacking.[11] In the author’s experience, the frequency with which computer fraud claims are brought pursuant to the CFAA vis-à-vis other computer fraud related laws is overwhelming. Practically speaking, the CFAA is the king of all computer fraud laws. It is, therefore, important that litigation attorneys have a working knowledge of what it covers, the basics of how it is used, and the issues that generally pose the most difficulty and are the most frequently litigated.

The CFAA, as a body of law, is still in its infancy. The number of cases applying the CFAA is substantial because of the frequency with which it is used and the complexity of its statutory language.[12] Likewise, the scholarly literature addressing the CFAA is legion.[13]

The CFAA is indeed a complicated statute that is highly nuanced and laden with procedural hurdles with which a practitioner must comply. This has led to conflicting interpretations and applications of various provisions by both judges and scholars. During its 2015 Term, the United States Supreme Court addressed a case involving the CFAA[14] however, it has yet to interpret the CFAA,[15] and there are conflicting interpretations among the various federal courts of appeal.[16] These uncertainties, as well as the sheer volume of cases and scholarly literature, cannot be thoroughly analyzed in one law review article. Thus, this Article merely provides a basic primer of some of the CFAA’s principles, and highlights those that will most often be encountered by litigators.

A. The CFAA Statutory Language.

“The CFAA prohibits, inter alia, unauthorized access to a ‘protected computer’ for the purpose of obtaining information, causing damage, or perpetrating fraud.”[17] In its present form, the relevant provisions of the CFAA apply where someone intentionally accesses a protected computer without authorization or exceeds authorized access.[18] The term “computer” is defined by the CFAA to essentially mean any device for processing or storing data, with perhaps the only identifiable exceptions being automatic typewriters or hand held calculators.[19] A “protected computer” is either a United States government computer, a financial institution computer, or a computer used in interstate or foreign commerce or communication.[20] This final classification—used in interstate or foreign commerce—essentially makes a protected computer out of every computer connected to the Internet and, quite possibly, every computer.[21]

The CFAA prohibits ten general types of activity for which civil liability may be imposed when one:

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

(A) information contained in a financial record of a financial institution, or of a card issuer . . . or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act;[22]

. . . .

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;[24]

(5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;[25]

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage;[26] or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.[27]

(6) knowingly and with intent to defraud traffics . . . in any password or similar information through which a computer may be accessed without authorization, if—

(A) such trafficking affects interstate or foreign commerce;[28]

. . . .

(7) with intent to extort from any person any money or thing of value, transmits in interstate or foreign commerce any communication containing any—

(A) threat to cause damage to a protected computer;[29]

(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access;[30]

(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion[.][31]

The CFAA also prohibits conspiracies to commit the foregoing conduct as well as attempts at committing such conduct.[32] For private civil claims, which are the primary concern for the litigator, the most useful of these are subsections (2), (4)–(6) and, of those, subsections (2) and (4).

B. Elements of the Most Common CFAA Claims.

While computer fraud is obviously an integral part of the CFAA, its reach goes far beyond computer fraud as that term is used in this Article. As previously mentioned, subsections (a)(2) and (a)(4) are the most useful CFAA subsection for litigators.[33] One of the best ways to determine the validity of the claim is to review the elements necessary to prove the claim.

The elements of a civil claim for violation of § 1030(a)(2) require the plaintiff to show that the defendant did the following:

(1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information (4) from any protected computer (if the conduct involved an interstate or foreign communication), and that (5) there was a loss to one or more persons during any one-year period aggregating at least $5,000 in value.[34]

Subsection 1030(a)(4) of the CFAA encompasses what is generally considered to be the more traditional “fraud” violation of the CFAA:

[Whoever] knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period [.][35]

The elements of a civil claim for violation of § 1030(a)(4) require the plaintiff to show the defendant did the following:

(1) accessed a “protected computer,” (2) without authorization or exceeding such authorization that was granted, (3) “knowingly” and with “intent to defraud,” and thereby (4) “further[ed] the intended fraud and obtain[ed] anything of value,” causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.[36]

With an understanding of the elements of the most useful causes of action for business related claims under the CFAA, it is helpful to explore the burden by which these elements must be pleaded and proven. Despite the fact that the CFAA incorporates the word “fraud” into its title and statutory language, the pleading requirement for a CFAA claim is only that of general notice pleading of Rule 8(a),[37] and is not subject to the heightened pleading requirements of Rule 9(b)[38] of the Federal Rules of Civil Procedure that is normally required for pleading fraud.[39]

Similarly, the burden of proof for a CFAA claim is not the same as common law fraud. Rather, to defraud under the CFAA simply means wrongdoing and does not require proof of common law fraud.[40] As one court stated, “‘fraud’ under the CFAA only requires a showing of unlawful access; there is no need to plead the elements of common law fraud to state a claim under the Act.”[41]

C. Frequently Litigated Elements of CFAA Claims.

1. What is a Computer Under the CFAA?

One of the first questions to answer is “what is a computer under the CFAA?” A cell phone? Yes.[42] Recent case law has reinforced the proposition that virtually everything that contains a microchip (which, these days, is almost everything) is a “computer.”[43] In United States v. Kramer, the Eighth Circuit analyzed this issue in a case that did not involve a CFAA violation,[44] looking to the CFAA’s definition of computer for guidance.[45] The court held that a standard cell phone is a computer under the CFAA’s definition.[46] It was this court that quoted the cofounder of Apple Computer, Steve Wozniak, as saying, “[e]verything has a computer in it nowadays.”[47] The court’s opinion certainly went a long way toward confirming that proposition insofar as computers are defined under the CFAA. The court observed that the definition of computer in the CFAA is exceedingly broad:

If a device is “an electronic . . . or other high speed data processing device performing logical, arithmetic, or storage functions,” it is a computer. This definition captures any device that makes use of an electronic data processor, examples of which are legion. Accord Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561, 1577 (2010) (“Just think of the common household items that include microchips and electronic storage devices, and thus will satisfy the statutory definition of ‘computer.’ That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, in addition to more traditional computers like laptops or desktop computers. . . .” Additionally, each time an electronic processor performs any task—from powering on, to receiving keypad input, to displaying information—it performs logical, arithmetic, or storage functions. These functions are the essence of its operation. See The New Oxford American Dictionary 277 (2nd ed. 2005) (defining “central processing unit” as “the part of the computer in which operations are controlled and executed”).[48]

The court acknowledged that a normal cell phone might not easily fit within the colloquial definition of computer, but that it was bound to follow the definition set forth in the CFAA.[49] It further acknowledged that due to the sweeping nature of this definition, as technology continues to develop even more devices, although neither industry experts nor Congress foresaw their creation, these devices may nonetheless be considered a computer.[50]

Finally, the court analyzed the specific operations and specifications of the cell phone at issue and determined that the phone contained a lithium ion battery, had 5 MB of memory, was capable of running software, used a graphics accelerator to run its display images, and contained a software copyright notice, all of which sufficiently demonstrated that the phone makes use of an electronic data processor.[51] Based upon the definition of computer in the CFAA, the court reasoned that the cell phone at issue was indeed a computer pursuant to the CFAA’s definition.[52]

The court was correct in that most people do not think of a cell phone as a computer in a colloquial sense; however, today’s cell phones may very well be more powerful computers than many of the first computers owned by the readers of this Article. This is certainly true of the author, whose first computer was a TI–99 made by Texas Instruments that had a 3.3 MHz processor and 16 KB of RAM.[53] Comparing the TI-99’s specifications to a current “smart phone” would not be fair. The smart phone is an exponentially more powerful computer.[54] Perhaps a better comparison is to a popular children’s toy: a Leapster game console marketed for children between the ages of four and eight years old.[55] The Leapster has a CPU running at 96 MHz, and has 128 MB of RAM.[56] By 80s standards, this child’s toy is a supercomputer![57]

A video gaming system? Absolutely. Recall that the computer at issue in Sony Computer Entertainment America LLC v. Hotz was a Sony PlayStation3 gaming system.[58] The issue in that case was whether Hotz performed a “jailbreak” on his own PS3, and the court found that, at least for purposes of the Temporary Restraining Order and Preliminary injunction, it was a computer.[59]

A website? Yes. Courts have held that websites are computers for many years,[60] but the infamous MySpace “bully-mom” case[61] brought a great deal of attention to the issue.[62] In that case, Lori Drew was prosecuted for violating the CFAA by creating a fake MySpace account that she then used to harass a thirteen-year-old girl to the point that the girl ultimately committed suicide.[63] The charges alleged that Drew violated MySpace’s Terms of Service by intentionally accessing the MySpace website, a computer, without authorization or in excess of authorization.[64] The court recited the CFAA definition of computer, and reasoned that to access an Internet website requires one to access the server hosting the website, which is a computer.[65] The court followed the well settled standard and found that a website is a computer for purposes of the CFAA.[66] Steve Wozniak was correct: everything does indeed have a computer in it and the trend is increasing.[67]

2. What Does a “Protected” Computer Mean?

A computer is considered a protected computer if it is connected to the Internet.[68] This means the CFAA applies to virtually all computers in today’s modern society. Web-based accounts such as Yahoo!, Gmail, Facebook, Twitter, and me.com/iCloud are protected computers that are owned by the user of that service.[69]

D. What Does it Mean to “Access” a Computer?

The CFAA requires more than simply using a computer in the commission of a wrongful act. It requires the improper access of a computer.[70] Therefore, it does not apply to every fraud involving computer use.[71] The issue of access is integral to establishing a violation of the CFAA, and has been one of the most complicated and highly litigated issues arising under the CFAA.[72] As with other areas of the CFAA, this issue is evolving.

The CFAA prohibits intentionally or knowingly accessing a computer “without authorization” and “exceed[ing] authorized access.”[73] These are two different concepts.[74] The first step of the analysis, however, is that there must be an actual access to a computer.[75] An access can occur in any number of ways, from something as simple as logging in to a computer to viewing information,[76] to sending or receiving an email,[77] or to having an elaborate program using codes and proprietary information to extract data from a web site.[78] Access does not include a computer technician’s misleading statements about services he performed on a computer where his failure or incompetence in performing those services may have resulted in lost data.[79] Regardless of how false or misleading the statements were, they did not constitute access to a computer—they were statements, not access.[80]

The access must be knowing or intentional.[81] A mistaken or accidental access that is neither intentional nor knowing does not constitute a violation of the CFAA.[82] Accessing a computer under color of authority by a court order does not render that access unauthorized when the order is subsequently overturned.[83] However, the CFAA does recognize vicarious liability, and an employer can be responsible for its employees’ wrongful access, under certain circumstances.[84]

Third party issues occasionally arise under the CFAA. For example, a CFAA violator’s access will be wrongful whether he uses his own computer or a third party’s computer to effectuate the access.[85] The focus is on the person causing the access, not on the actual computer used to facilitate the access.[86] Insofar as it is the computer that is the object of the access, however, it is not quite so clear. One court has held that a plaintiff can only bring CFAA claims for wrongful access to its own computers, not the computers of third parties.[87] The Ninth Circuit, however, rejected a district court’s dismissal for the same reason in Theofel v. Farey-Jones,[88] where it explained this issue as follows:

The district court erred by reading an ownership or control requirement into the Act. The civil remedy extends to “[a]ny person who suffers damage or loss by reason of a violation of this section.” “[T]he word ‘any’ has an expansive meaning, that is, ‘one or some indiscriminately of whatever kind.’” Nothing in the provision’s language supports the district court’s restriction. Individuals other than the computer’s owner may be proximately harmed by unauthorized access, particularly if they have rights to data stored on it.[89]

This was also made clear by another court in ruling that the CFAA “allows a party to seek a civil remedy if it experiences loss or damage due to information obtained from any protected computer.”[90] As discussed, the disagreement of the courts on this issue is indicative of the overall lack of agreement among many courts in interpreting and applying various provisions of the CFAA. At least to some courts, it appears the focus is on the person harmed by the access, not necessarily on who owns the actual device that was accessed.

E. The Circuit Split: Trilogy of Access Theories.

Several of the United States Courts of Appeals are in disagreement about the interpretation of the CFAA’s usage of “exceeds authorized access.” There are three general theories of access: Intended-Use Theory, Strict Access Theory, and Agency Theory. The circuit split focuses on the conflicting interpretations between the First,[91] Third, Fifth,[92] Eighth,[93] and Eleventh[94] Circuits on the one hand, and the Ninth,[95] Fourth,^[96] and Second[97] Circuits on the other. But to be more accurate, there remain three distinct lines of interpretation.[98] The Trilogy of Access Theories include the Strict Access Theory, which describes the Ninth and Fourth Circuit approaches, the Intended-Use Theory, which describes the Fifth Circuit and its brethren, and the Agency Theory, which describes the still-binding precedent in the Seventh Circuit.[99]

1. The Intended-Use Theory.

The First, Fifth, Eighth, and Eleventh Circuits follow the Intended-Use Theory. These courts have held that, when an “insider” / “privileged user” is given authorization to access a computer, but is also given clear and objective restrictions on how she can use that access, by violating those use restrictions, she exceeds authorized access in violation of the CFAA.[100] The Intended-Use Theory occupies the middle ground in the Trilogy of Access Theories.

In 2015, the Fifth Circuit decided a case dealing with the Intended-Use Theory and ruled in a way that could be viewed as placing some limits on the open-ended use of the Intended-Use Theory. In Hunn v. Dan Wilson Homes, Inc.,[101] it held that in order for courts to enforce intended-use restrictions, those restrictions must have been enforced by the owner of the computer during the course the relationship in question. In this particular case, the employer had policies that prohibited employees from transferring company data to themselves, outside of the company. However, the employer knew of and condoned employees sending work-related information to their home computers so they could work on it away from the office. Then, after the employee quit work for the employer, the employer alleged the employee violated the CFAA by violating the use-based restrictions in the policy. The Fifth Circuit found that by failing to consistently enforce those restrictions during their relationship, the employer could not later claim such conduct violated the CFAA.

2. The Strict Access Theory.

The Second, Fourth, and Ninth Circuits follow the Strict Access Theory. These courts have held that when an “insider” / “privileged user” is given authorization to access a computer and is also given clear, unequivocal, objective restrictions on how she can use that computer, even if she uses the computer in violation of those restrictions, her access was still authorized and she has not exceeded authorized access in violation of the CFAA. That is, “one ‘exceeds authorized access’ to a computer by violating an access restriction (e.g., do not access File X), but not by violating a use restriction (e.g., do not use the computer for non-business purposes).”[102] In other words, once authorization to access is given, it continues until it is revoked, no matter how improper such access may be used.

3. The Agency Theory.

The Trilogy started with the Agency Theory established by the Seventh Circuit in International Airport Centers, LLC v. Citrin[103] in which it held that under common law agency principles, an employee’s right to access his employer’s computer is premised on his serving the interests of his employer. Should his loyalties to his employer change and his interests become adverse, so too would his authorization change by becoming unauthorized. Under this “agency theory” the authorization to access was based upon the employee’s own subjective loyalties and interests and, if they changed, his authorization to access the employer’s computer changed with it. The Seventh Circuit has not overruled Citrin.

4. The Five Basic Fact Patterns in CFAA Cases.

The author has argued that there may be a better, unified approach for evaluating insider misuse of computers.^[104] In this argument, he has identified five primary fact patterns that describe most CFAA cases. It is initially helpful to envision with the mind’s eye a continuum with points on each end and three points scattered throughout the middle. The following categories of case fact patterns represent the points on the continuum, with the first category being on the left end, the fifth on the right end, and the others in between:

Privileged user without notice of owner’s intended use misusing the computer or data during privileged access.^[105]
Privileged user with notice of owner’s intended use, properly obtaining data during privileged access but later misusing data.^[106]
Privileged user with notice of owner’s intended use, misusing the computer or data during privileged access.^[107]
Privileged user whose privileges are terminated before access of computer or data.^[108]
Non-privileged user access of computer or data.^[109]

The theoretical argument is beyond the scope of this article, however, understanding the five basic fact patterns and how the respective jurisdictions treat them is helpful when evaluating whether to pursue a CFAA claim. For an exhaustive analysis of how these cases are treated, see In Search Of The Golden Mean: Examining The Impact Of The President’s Proposed Changes To The Cfaa On Combatting Insider Misuse.[110]

F. The Biggest Problem of All: Pleading the Jurisdictional Threshold “Loss” for Civil Cases

Based on his experience, the author estimates that at least eighty percent of the civil CFAA cases that get dismissed at the pleading stage are dismissed because attorneys fail to correctly plead the “loss” that is the jurisdictional threshold requirement to bring a civil claim under the CFAA. This is a critical issue that attorneys very seldom get right and it results in their cases being dismissed – oftentimes, without them even understanding why. If you do not learn anything else from this article, learn what is and is not a “loss” and why it is so critical. Because of the importance of this issue, the author has written numerous articles and blog posts explaining the issue.[111] This is explained in more detail in Section III.H.2.a.

G. Procedural Issues Related to CFAA Claims.

1. 2 Year Statute of Limitation.

The limitation period for bringing a claim for a violation of the CFAA is two years from the date of the wrongful act or the date of the discovery of the damage.[112] Therefore, “a plaintiff must file suit within two years of discovering ‘any impairment to the integrity or availability of data, a program, a system, or information.’”[113] The key inquiry in determining when the limitation period accrues is when the plaintiff learns of the use of a computer in the deception, not just that there has been a deception. For example, it has been held that a plaintiff’s knowledge of being deceived without having specific knowledge of the use of a computer in the deception did not commence the accrual of the limitations period until the plaintiff had knowledge of the use of the computer in the deception.[114]

2. Concurrent Jurisdiction for CFAA Claims.

A significant strategic consideration for many attorneys is choosing the court in which to try a case.[115] The CFAA is a federal statute so a claim for its violation can be brought in federal court[116] or, in some cases, in a state court along with other claims.[117] The ability to bring this claim in a federal court can often be of great strategic benefit as state courts frequently are overburdened and lack the resources and the docket space to address the lawsuit as expeditiously as may be necessary.[118]

Federal courts do not have exclusive jurisdiction over CFAA claims. Rather, federal and state courts have concurrent jurisdiction to decide claims under the CFAA.[119] A CFAA claim may be brought in either the federal or state courts; however, a defendant in a state court proceeding can remove the case to federal court if all other requirements for removal are satisfied.[120] Nevertheless, such removals are not always final, as federal courts are sometimes resistant to removal and remand either the case or the claim.[121] In Liebert Corp. v. Mazur, a federal district court did exactly that and remanded a previously removed CFAA claim back to the state court on an abstention basis.[122]

In another removal case, Landmark Credit Union v. Doberstein,[123] a federal district court analyzed the CFAA claim upon which the removal was premised and determined that because the CFAA claim appeared to be pretextual and not a seriously viable claim—along with the fact that the CFAA claim and the rest of the case was premised on a state law contract claim—the federal law claim was entirely derivative of state law issues, and, therefore, the case did not arise under federal law.[124] Upon this rationale, the court determined that it did not have jurisdiction to hear the case and remanded it to the state court.[125] However, this case appears to be an aberration stemming from the fact that the CFAA claim was very weak on many levels, as the court averred: “[I]t can be fairly said that the claim of federal law in this case is, at best, insubstantial.”[126]

3. CFAA Does Not Preempt State Computer Crime Laws.

In several cases, descendants have argued that Congress’ enactment of the CFAA was intended to be the exclusive remedy for computer related claims and preempt other computer related claims.[127] In each of these cases the courts have found that the CFAA, which does not have clear preemptive language,[128] does not preclude bringing CFAA claims along with other claims.[129]

H. Remedies Available Under the CFAA.

1. Injunctive Relief Under the CFAA.

Litigation strategy often places a higher value on the ability to obtain injunctive relief, for which the CFAA provides,[130] than on damages or attorney’s fees.[131] Strategically, injunctive relief can be the most important litigation factor, because if it is obtained, it may dispose of the case within a very short time.[132] This was exemplified in early 2011 in the matter of Sony Computer Entertainment America LLC v. Hotz.[133]

On January 11, 2011, Sony Computer Entertainment America (Sony) filed a lawsuit against George Hotz (Hotz), and others, for “hacking” into their own Sony PlayStation®3 (PS3) gaming systems.[134] The essential accusation was that they had performed a “jailbreak” of their PS3 and were sharing information on how they did it with other people.[135] Sony sought a temporary restraining order under the CFAA as well as the Digital Millennium Copyright Act (DMCA).[136] The court granted the temporary restraining order.[137] The chronology of how this case proceeded is important, and a review of the relief granted in the temporary restraining order shows the power that injunctive relief under the CFAA can have.

On January 27, 2011, the court entered the temporary restraining order prohibiting Hotz and others from engaging in the following activities:

Offering to the public, creating, posting online, marketing, advertising, promoting, installing, distributing, providing, or otherwise trafficking in any circumvention technology, products, services, methods, codes, software tools, devices, component or part thereof, including but not limited to the Elliptic Curve Digital Signature Algorithm (“ECDSA”) Keys, encryption and/or decryption keys, dePKG firmware decrypter program, Signing Tools, 3.55 Firmware Jailbreak, root keys, and/or any other technologies that enable unauthorized access to and/or copying of PS3 Systems and other copyrighted works (hereinafter, “Circumvention Devices”).
Providing links from any web site to any other web site selling, offering for sale, marketing, advertising, promoting, installing, importing, exporting, offering to the public, distributing, providing, posting, or otherwise trafficking in any Circumvention Devices.
Engaging in acts of circumvention of TPMs in the PS3 System to access, obtain, remove, or traffic in copyrighted works.
Engaging in unauthorized access to the PS3 System or the PlayStation Network (“PSN”) in order to obtain, access, or transmit any program, code, information or command therein.
Publishing, posting, or distributing any information, code, program, instructions, video, or other material obtained by circumventing TPMs in the PS3 System or by engaging in unauthorized access to the PS3 System or the PSN.
Assisting, facilitating or encouraging others to engage in the conduct set forth above in Nos. 1-5.[138]

The court further ordered, among other things, the “impoundment [of] any computers, hard drives, CD-ROMs, DVDs, USB stick, and any other storage devices on which any Circumvention Devices are stored in Defendant Hotz’s possession, custody, or control.”[139]

On February 28, 2011, United States District Judge Susan Illston granted Sony’s request for a Preliminary Injunction that kept in place the prohibitions and mandates of the Temporary Restraining Order during the pendency of the case.[140] At this point, given the breadth of the temporary relief, there were few options for Hotz. In chess this would have been checkmate.

By March 31, 2011—less than three months after the case was filed—the parties settled and agreed to a Final Judgment Upon Consent and Permanent Injunction.[141] The terms of the Permanent Injunction leave little doubt as to who won the case. The Permanent Injunction essentially prohibits the same activities that were included in the Temporary Restraining Order and Preliminary Injunction—permanently—and also provides that any violation thereof constitutes irreparable harm to Sony entitling it to immediate relief—another temporary restraining order[142]—and stipulated liquidated damages of ten thousand dollars per violation capped at a maximum amount of two hundred and fifty thousand dollars.[143]

Had Sony not been able to obtain the Temporary Restraining Order or Preliminary Injunction, it is quite unlikely that this case would have settled on these terms this quickly. Successfully obtaining injunctive relief won this case, just as it wins many cases.[144] This case demonstrates the power and effectiveness of the injunctive remedies available under the CFAA. These are highly effective strategic devices that any litigators, business or otherwise, would want in their arsenal.

2. Civil Remedies Under the CFAA.

While the CFAA is primarily a criminal statute it was amended to add a provision that allows a complainant to bring a private civil cause of action for many violations of the law.

Section 1030(g) of the CFAA authorizes a civil action to seek remedies of compensatory damages and injunctive relief by one who suffers damage or loss from the CFAA violation.[145] Vis-à-vis the range of criminal violations, the civil action is considerably limited and only available if the conduct involves one (or more) of five statutorily specified factors set forth in § 1030 (c)(4)(A)(i).[146] Of these five factors, the most likely factor to be relevant in a business related civil matter is the where the statutory violation caused (or would have caused) a loss to one or more persons in any 1-year period aggregating at least $5,000.[147]

The CFAA defines the term “damage” as “any impairment to the integrity or availability of data, a program, a system, or information,”[148] and the term “loss” as:

[A]ny reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service [.][149]

It is very important to note, however, that the CFAA uses both the term “damage” and “damages,” and the two terms are not synonymous for purposes of the statute. Damage relates to the initial showing that must be made to satisfy the necessary conditions for bringing a civil CFAA claim.[150] The term damages on the other hand, relates to what a plaintiff can recover for a CFAA violation.[151]

a) Please—Please Understand that “Damage,” “Loss,” “Damages,” All Have Different Meanings Under the CFAA—You Must Have “Loss”!

In terms of both complexity and frequency litigated, the competition is close between the issues of access and damages. Section 1030(g) of the CFAA seems simple enough in that it provides that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”[152] The proverbial devil is in the details, however, as the CFAA then incorporates definitions, qualifications, and limitations by cross references to other subsections of the CFAA.[153] This section implicitly sets forth the minimum threshold of damages or loss necessary to bring a civil claim, as well as the types of remedies that are available in a civil claim and additional procedural requirements and limitations for those remedies.[154] It should be noted at the outset that the terms “damage” and “loss” are jurisdictional terms of art and do not limit the damages that are ultimately recoverable.[155] Given this complexity, it is best to start the analysis by looking at the statutory language:

Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages.[156]

Because a civil action is only available if the violation involves at least one of five subsection (c)(4)(A)(i) factors,[157] that is necessarily the starting point in the analysis.[158]

Of these five factors, the single factor that is almost exclusively relied upon for private civil matters is where the statutory violation caused (or would have caused) a loss to one or more persons in any one year period aggregating at least $5,000.[159] Damages for a violation of this factor are limited to only economic damages.[160] Before moving deeper into this analysis, a summary of the requirements for bringing a civil claim thus far in the analysis will be helpful.

Any person who suffers damage or loss caused by a violation of the CFAA may bring a civil claim against the person violating the CFAA to obtain compensatory damages, injunctive relief, or other equitable relief.[161] However, the claim can only be brought if the conduct violated one of the factors set forth in subsection (c)(4)(A)(i) of the CFAA.[162] In most business cases the only factor that is usually available is where the violation caused loss to one or more persons during any one year period that is at least $5,000 in the aggregate,[163] and in such cases, the only damages that can be recovered are economic damages.[164] Thus, a plaintiff who can establish the threshold loss of a $5,000 is only entitled to sue for economic damages.[165]

3. Meeting the $5,000 Threshold for a Civil Claim

In order to bring a civil claim under the CFAA in most business cases, a plaintiff must plead that, during any one-year period, one or more persons sustained loss of at least $5,000 because of the CFAA violation.[166] This requirement is essential to meeting the jurisdictional threshold for the court to hear the claim, and was purposefully implemented by Congress to keep from clogging the courts with trivial cases by “limit[ing] federal jurisdiction to cases of substantial computer crimes.”[167] Many of the CFAA cases that are dismissed for failure to adequately state a claim are dismissed because the plaintiff has not met this threshold pleading requirement.[168] Thus, whether prosecuting or defending a CFAA claim, it is important to carefully examine the allegations pled to ensure compliance with this threshold requirement. Simply reciting the language of the statute may suffice for some courts.[169] However, the failure to adequately plead a loss can be fatal to a claim.[170] The courts do not have jurisdiction to decide the case unless the $5,000 threshold loss is properly pled, even when it is obvious that the economic damages are in the millions.[171]

The term loss is defined by the CFAA as:

A reading of the statutory language makes it clear that unless there has been an interruption of service, only “costs” can qualify as a loss.[173] A prospective plaintiff that has been harmed by a violation of the CFAA, that is not an interruption of service, and intends to assert a claim under the CFAA should understand the need to conduct a thorough investigation, to undertake sufficient remedial measures, or do both such that it meets the $5,000 loss requirement.[174]

Once the plaintiff has incurred the requisite $5,000 loss, it is required to plead with some particularity the factual allegations establishing that its loss is sufficient to meet this $5,000 minimum threshold.[175] While the subsection authorizing civil claims uses the terms loss and damage, the (c)(4)(A)(i)(I) factor limitation only refers to loss not damage.[176] Given this language, it appears the damage prong is irrelevant for these types of business litigation cases.[177] Nonetheless, the term damage is defined by the statute and means “any impairment to the integrity or availability of data, a program, a system, or information[.]”[178]

To further complicate this issue, there are two categories of losses as well: response costs and interruption of service damages.[179] The most frequently used losses are response costs.[180] There is no requirement that there be both response costs and interruption of service—either will suffice.[181] Regardless of whether the alleged loss is for response costs or interruption of service, it must be adequately proven.[182] In Global Policy Partners, LLC v. Yessin,[183] the United States District Court for the Eastern District of Virginia provided an excellent analysis of the “qualifying-loss” requirement and guidelines.[184] Citing the Fourth Circuit in A.V. v. iParadigms, LLC,[185] the court observed that the loss definition is broadly worded and contemplates costs incurred as part of the response to a CFAA violation, including the investigation of an offense.[186]

The plaintiff must also show “that the costs are ‘reasonable’ and that they were ‘caused’ by a CFAA violation.”[187] The court reasoned that the CFAA incorporates traditional principles of tort causation requiring that plaintiffs must “show that the losses they claim were the reasonably foreseeable result of the alleged CFAA violations, and that any costs incurred as a result of measures undertaken” to restore data, program, system, or information “were reasonably necessary in the circumstances.”[188] The question of reasonableness is often one that invokes questions of practical, rather than legal judgment; it is therefore usually treated as a question of fact that is left for the jury to decide.[189] It should be noted, however, that when the defendant makes it difficult to discover his identity, the extent of the unauthorized access, methods used to obtain access, or activities undertaken therein, the defendant should not be allowed to complain about the reasonableness of the costs the plaintiff must then incur to investigate these matters.[190] The plaintiff is not required, however, to show that there was actual damage caused in order for the costs to be reasonable.[191] For example, when the plaintiff incurs costs for investigating a violation, even thought it may later turn out there was no actual damage caused by the violation, that turn of events alone will not negate the reasonableness of the costs.[192]

a) Specific Examples of What Has and Has Not Constituted a Loss

As with the access issue, courts are taking different positions on what types of costs are qualifying costs for purposes of loss. For each type of cost, with enough research one can likely find case law that permits it to qualify and case law that holds it does not. Listed below are several examples of specific losses that have been argued to fit within the CFAA’s definition of loss. Some have been successful and some have not. For many of them, however, it is important to bear in mind that different courts have found differently in different cases and circumstances, which can be said for each of these examples. The categorization listed below simply represents the Author’s view of how these issues are usually decided. Given the continuously evolving nature of this issue, however, there is no doubt that any given court on any given occasion could find differently.

The CFAA’s definition of loss clearly states that costs are what is contemplated.[193] This has been interpreted to mean “any remedial costs of investigating the computer for damage, remedying the damage and any costs incurred because the computer cannot function while or until repairs are made.”[194] Included within this category have been costs incurred to assess the damage to a computer or to files stored on the computer,[195] costs to conduct a forensic analysis and investigation,[196] and to have diagnostic measures performed.[197] “[R]etaining specialized services that report and record the cyber-attacks and their origins” has been found to be a loss, as well as “security enhancements to Plaintiff’s computer systems” to prevent future incursions.[198] Likewise, costs associated with investigating the offender’s identity and means of access are considered a loss.[199] Costs to repair damage to the computer data qualifies as a loss.[200] It is well settled that the value of time for employees who investigate the access qualifies as a loss.[201] Moreover, some courts may permit losses to be aggregated in some circumstances,[202] though others may not.[203]

The category of claims not usually qualifying as a loss begins with one often argued, but not often successful: lost revenue due to a former employee’s transfer of trade secrets.[204] Likewise, the value of misappropriated trade secret information is not usually considered a loss even if it is extremely valuable because despite its value, it constitutes neither a cost to investigate and respond to a computer intrusion nor a cost associated with a service interruption.[205] Predictably, not all courts rule this way; it has been held that “loss of confidential and proprietary information for the benefit of defendants’ competing enterprise” is considered to be a loss,[206] thus demonstrating the uncertain nature of this issue. Also not typically considered a loss are lost profits, loss of customers, and loss of future business opportunities;[207] while these may certainly be legitimate costs and expenses, they do not qualify because they do not assert “damages whatsoever relating to [an] investigation of computer damage, or costs incurred because any computer service was interrupted.”[208] While there are many more, these are only a few examples that are included only to emphasize the point that this body of law is still evolving and there are many uncertainties. These uncertainties require that the litigators who will be going to battle over these claims keep abreast of how the law continues to evolve.

4. Recovery of Economic Damages.

Subsection § 1030(g) of the CFAA permits any person who has satisfied the requisite showing of damage and loss “to obtain compensatory damages and injunctive relief or other equitable relief.”[209] For all practical purposes, the only compensatory damages usually recoverable in a business related case are economic damages because of the limitation contained in the statutory language.[210] In Frees, Inc. v. McMillian,[211] the court provided a summary of what types of damages have been found to be recoverable for a CFAA violation:

The term “economic damages” was not statutorily defined, but courts have consistently held that this term has its ordinary meaning, i.e., simply prohibiting damages for pain and suffering, emotional distress, and other like damages. Similarly, without an express indication to the contrary, “compensatory damages” must be interpreted to have its ordinary, established meaning, thereby allowing “lost profits” as recoverable damages.

Further, interpreting the statute to limit the recovery of lost revenue would lead to absurd results. The CFAA defines “damage” in terms of non-economic harm and “loss” in terms of economic harm. If the Court were to find that these terms were limitations on damages, a plaintiff would be unable to recover any monetary relief where he suffered only “damage,” but no “loss.” When a defendant copies unauthorized data to gain a competitive edge, it makes no sense to limit the plaintiff’s recovery when the lost revenue is a direct result of defendant’s misconduct.[212]

Courts have also found that loss of business and business goodwill constitutes recoverable damages under the CFAA.[213]

5. Exemplary Damages are Not Recoverable.

The CFAA does not permit recovery of exemplary damages.[214]

Nor does the statutory language of the CFAA provide for the recovery of costs and attorneys fees incurred for the prosecution or defense of a CFAA claim.[215] However, in rare cases courts have permitted the recovery of legal fees that are incurred from responding to the CFAA violation.[216]

6. Costs and Attorney’s Fees Are Generally Not Recoverable.

The CFAA does not permit recovery of costs and attorney’s fees incurred for the prosecution or defense of a CFAA claim.[217] However, in some cases courts have permitted the recovery of legal fees that are incurred from responding to the CFAA violation.[218]

IV. BREACH OF COMPUTER SECURITY (BCS) / HARMFUL ACCESS BY COMPUTER ACT (HACA).

Texas’ computer hacking law is titled Breach of Computer Security (BCS).[219] BCS is a criminal law that has a civil cause of action if the conduct constituting the violation was committed knowingly or intentionally, which is Chapter 143 of the Texas Civil Practice and Remedies Code, titled the Harmful Access by Computer Act (HACA).[220]

Not that it was really needed, but effective September 1, 2015, Texas amended the BCS law to specifically address misuse by insiders / privileged users. The author has always read the prior version of BCS as being one of the broader unauthorized access laws that already prohibiting misuse by insiders. However, as anyone who regularly explains how these laws work to judges and juries can tell you, it never hurts to have something that seems clear be made even more clear. Belts and suspenders can be a good thing in court and on September 1, 2015, both were cinched up a little more though the new law only applies to acts committed after September 1 2015.

Given its focus on shoring up the issue of insider misuse, the BCS was probably intended to track the scope and applicability of the CFAA’s Intended-Use Theory, however, it really is a much broader law that covers a broader range of activities that provides for the recovery of similar damages in addition to costs and attorney’s fees, which is always a plus. More importantly, there is no jurisdictional threshold “loss” required to bring a civil claim, like there is with the CFAA.

A. The BCS Statutory Language

The BCS prohibits knowingly accessing a computer, computer network, or computer system without the effective consent of the owner.

(a) A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.

(b) An offense under Subsection (a) is a Class B misdemeanor, except that the offense is a state jail felony if:

(1) the defendant has been previously convicted two or more times of an offense under this chapter; or

(2) the computer, computer network, or computer system is owned by the government or a critical infrastructure facility.

(b-1) A person commits an offense if, with the intent to defraud or harm another or alter, damage, or delete property, the person knowingly accesses:

(1) a computer, computer network, or computer system without the effective consent of the owner; or

(2) a computer, computer network, or computer system:

(A) that is owned by:

(i) the government; or

(ii) a business or other commercial entity engaged in a business activity;

(B) in violation of:

(i) a clear and conspicuous prohibition by the owner of the computer, computer network, or computer system; or

(ii) a contractual agreement to which the person has expressly agreed; and

(C) with the intent to obtain or use a file, data, or proprietary information stored in the computer, network, or system to defraud or harm another or alter, damage, or delete property.

* * *

(e) It is a defense to prosecution under this section that the person acted with the intent to facilitate a lawful seizure or search of, or lawful access to, a computer, computer network, or computer system for a legitimate law enforcement purpose.

(f) It is a defense to prosecution under Subsection (b-1)(2) that the actor’s conduct consisted solely of action taken pursuant to a contract that was entered into with the owner of the computer, computer network, or computer system for the purpose of assessing the security of the computer, network, or system or providing other security-related services.[221]

The most important aspect of understanding the BCS is understanding what “effective consent” means. The BCS’ definitions provide that “’[e]ffective consent’ includes consent by a person legally authorized to act for the owner. Consent is not effective if:”

(A) induced by deception, as defined by Section 31.01, or induced by coercion;

(B) given by a person the actor knows is not legally authorized to act for the owner;

(C) given by a person who by reason of youth, mental disease or defect, or intoxication is known by the actor to be unable to make reasonable property dispositions;

(D) given solely to detect the commission of an offense; or

(E) used for a purpose other than that for which the consent was given.[222]

B. Elements of the BCS

The elements of a plaintiff’s claim under the BCS are “(1) an individual knowingly and intentionally accessed their computer, computer network, or computer system; (2) the individual did not have the effective consent of the owner to do so; and, (3) the owner suffered damages as a result.”[223]

C. The HACA Statutory Language.

“A person who is injured or whose property has been injured as a result of a violation under Chapter 33, Penal Code, has a civil cause of action if the conduct constituting the violation was committed knowingly or intentionally.”[224] This “knowing” and “intentional” requirement is identical to what is required for a CFAA violation.[225]

D. Frequently Litigated Elements of the BCS

1. What is an “Access”?

“Under the statute, ‘access’ means ‘… to approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer software in, or otherwise make use of any resource of a computer, computer network, computer program, or computer system.’”[226]

Examining a mobile phone log and text messages from a cell phone necessarily requires retrieving the data on the phone which constitutes an “access” of a computer under HACA.[227]

However, a girlfriend accessing her boyfriend’s iPhone to view pictures did not violate BCS / HACA because she did not know that the lacked his effective consent at the time of access. [Thomas v. State, 2017 WL 4400116 (Tex. App.–Houston [14th Dist.] 2017).

A school principal who viewed improper pictures taken of a femail student on a substitute teacher’s cellphone without the teacher’s consent did not violate BCS / HACA. It was a valid defense that the principal accessed and looked through the phone for the purpose of giving it to the police for investigation. [Ruiz v. State, 577 S.W.3d 543, 547-48 (Tex. Crim. App. 2019)].

This law did not apply to computer repairman to whom defendant had entrusted his computer for repair, which resulted in repairman discovering files on computer containing child pornography, as files were accessed in the course of carrying out defendant’s repair order, and files were accessed in ordinary course of computer repair business’s standard repair procedures.[228]

An information services provider that locked a customer out of a server it was providing, after the customer stopped paying for the service, did not violate HACA. Under the contract, the IT provider had a greater right to possess the server and was considered its owner. [Puig v. High Standards Networking & Computer Services, 2017 WL 4820171 (Tex. App.–Houston [1st Dist.] 2017).

2. What is “Effective Consent”?

a) Surreptitiously Accessing a Spouse’s Device

The frequently stated belief that, because a cell phone used exclusively by one spouse may technically constitute “community property,” the other spouse has “effective consent” to access the data on the cell phone, is false. [229] “Nothing in chapter 33 of the penal code incorporates community property law for the purpose of establishing ownership of the computer. Rather, the statute defines ‘owner’ as a person who: (1) has title to the property, possession of the property, whether lawful or not, or a greater right to possession of the property than the actor; (2) has the right to restrict access to the property; or (3) is the licensee of data or computer software.”

In Miller v. Talley Dunn Gallery, LLC,[230] the trial court and the Dallas Court of Appeals engaged in a fact-intensive approach to analyzing this issue is very important: In this particular case, because both spouses agreed that the phone belonged to one spouse, she used it on a daily basis, it was the only way to reach her, she had the right to place a password on the phone, and had at various times restricted access to it by the password, and the other spouse accessed the phone at night when she was asleep and not using it, the evidence showed she had a greater right to possession of the phone. This approach is the prevailing view, but only when the device is clearly used by only one spouse or the other — this is not the case in instances of things such as family computers, jointly used devices, etc.

This is only the rule in cases where the device is treated by the parties as being only one spouse’s or the others, despite the technicality that it’s true property ownership may be “community property.” In cases where devices are shared, the prevailing view is that both have a right to access the device. Now, where this gets trickier is in a situation where you may have a family computer, that is jointly used by both spouses, but one spouse then uses that family computer device (which is proper) to surreptitiously access an online account such as Facebook, Gmail, etc. that is exclusively the other spouses, because such accounts are considered to be separate “computers” within these laws, which depending upon how the access was gained, would be prohibited by these laws.

b) Not Securing Devices

An employee who used his personal laptop for work purposes and left the laptop unsecured in the workplace, and another employee then accessed the computer to change the background wallpaper, the court found that by leaving his computer open and unsecured, the employee knew he was leaving it for his coworkers to access and it was reasonable to conclude that his co-worker had his effective consent to access the computer.[231] See this post for more about this case.

In Merritt Hawkins & Associates, L.L.C. v. Gresham, the 5th Circuit Court of Appeals upheld a jury’s verdict finding that an employee’s actions violated the Harmful
Access by Computer Act, or HACA, where, before leaving his employment, the employee accessed his employer’s computer network and copied proprietary files and deleted
files in an effort to hide his activities. While the court did not explain its reasoning, an
employee violates Texas’ “hacking” law, HACA, by accessing the employer’s computer system without its “effective consent” and taking data to use for non-company business-related purposes. Effective consent can mean using the computer system (a) for a purpose other than that for which consent was given, (b) in violation of a clear and conspicuous prohibition, or (c) in violation of an express agreement, inter alia. [231.1]

An employee who left an unsecured USB drive in a place where co-workers can obtain the drive, without having any access restrictions or identifiers on the drive, was giving effective consent to his co-workers to access the drive in order to identify whether it belonged to the person.[232]

A student who left an unsecured USB drive in a public computer in a college classroom was giving effective consent to his colleagues to access the drive in order to identify its owner and return the drive.[233]

c) Privileged User Misusing Authorized Access to Obtain Data

An employee who, on the last day of her employment, used her access to her employer’s computer system to access and corrupt the information on the computer system violated the BCS. The employee was not authorized to corrupt her employer’s computer files and she admitted that she did so because she was unhappy with the way she was treated by her employer and was her way of exacting revenge.[234]

An employee who used his access to his employer’s information to obtain that information for his own personal uses, and later used that information while working for a competitor, violated the BCS and HACA. In Institutional Securities Corp. v. Hood,[235] Hood had dual roles for ISC, working as an employee in the role of vice president, for which he received a salary, and also working as an independent contractor in the role of registered representative of ISC, where he was paid commissions for bringing in new clients for ISC. Employees of ISC were authorized to access its computer network to view detailed information on its customers including their contact information, social security numbers, account numbers and balances, and investment preferences. Independent representatives were not authorized or permitted to do so. While he was working for ISC, Hood regularly downloaded this information to his personal hard drive and flash drives. Hood was later terminated by ISC and went to work for a competitor where he used the customer information he had taken from ISC to solicit its customers. ISC sued Hood for violating the BCS and HACA, among other things, and sought damages, costs, attorney’s fees and a temporary restraining order and temporary injunction. The district court granted both the TRO and TI, finding that Hood violated the BCS and HACA and recognized that this was effectively a data breach by ICS:

During the temporary injunction hearing, each side presented as an exhibit the list of directories removed from appellee’s hard drive, highlighting the materials believed to be ISC’s proprietary information that should be subject to protection. The court determined that the materials highlighted on appellee’s exhibit should be protected. The court found that appellee’s use of these materials “will expose [ISC] to professional liability claims and regulatory sanctions, loss of good will, business disruption, and loss of office stability. The damage and potential damage from the exposure to these losses is not subject to mathematical calculation.”[236]

The Dallas Court of Appeals examined the applicability of injunctive relief pursuant to the BCS and HACA as follows (citations omitted):

ISC pleaded that appellee violated section 33.02(a) of the Texas Penal Code by knowingly accessing ISC’s computers and computer system without ISC’s effective consent. Section 143.001 of the Texas Civil Practice and Remedies Code creates a cause of action for a person who is injured or whose property is injured by an intentional or knowing violation of chapter 33 of the Texas Penal Code. A prevailing plaintiff under section 143.001 is entitled to actual damages and reasonable attorney’s fees. Id. § 143.002. Section 33.02 of the Texas Penal Code states, “A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.” A person acts without effective consent if the consent was “used for a purpose other than that for which the consent was given.”

ISC presented evidence that appellee was permitted access to ISC’s computer system in his role as a vice president of ISC. ISC also presented evidence that its registered agents, who were independent contractors and not employees, were not permitted access to the computer system. The evidence before the trial court showed appellee knowingly accessed ISC’s computer system and downloaded its files to maintain a list of his customers for his business as a registered representative. The download of data from the computer system without ISC’s consent could constitute a violation of section 33.02(a) of the Penal Code. We conclude ISC established a cause of action against appellee under section 143.001 of the Civil Practice and Remedies Code and a probable right to the relief sought.[237]

The court not only found the trial court’s injunction was proper, but also that it should have extended to include additional information. One reason for including the additional information is because under the Financial Industry Regulatory Authority’s (FINRA) data security obligations, ISC’s breach of the security of this information could have significant repercussions by FINRA.[238]

d) Misuse of Publicly Available Website

While the nature of a publicly available website implies that the site owner gives consent to virtually anyone to use it, where its use is conditioned on complying various terms and agreements, use in violation of those terms will violate the BCS.[239]

e) Under Color of Authority

Accessing a company’s computer system and downloading information when such activities are authorized by a plan of bankruptcy is accessing it with effective consent under the BCS and HACA: “it was reasonable for a plan agent, or an individual under his direction, to access a computer to obtain information required for the proper implementation of a bankruptcy plan.”[240]

3. What is a “Computer” Under the BCS and HACA?

A cell phone is a “computer” for purposes of the BCS and HACA.[241]

A student wrongfully accessing another student’s University of Houston email account, obtaining information from that account, changing information, and sending emails from that account, violated the BCS.[242]

A company’s publicly facing website is a computer under the BCS and HACA and another company’s use of web-scraping technology to scrape information from the website, where the site’s Terms of Use prohibit such activity, render the scraping an access without effective consent.[243]

4. Are Damages or Injuries Required for a HACA Claim?

A violation of the BCS only requires that the defendant access a computer without effective consent of its owner, without any mention of damages resulting from such access.^[244] The HACA creates a civil cause of action for “[a] person who is injured or whose property has been injured as a result of a violation under Chapter 33, Penal Code . . . .”^[245]

In Southwest Airlines Co. v. Farechase, Inc.,[246] the defendant argued “that the Penal Code requires the alleged injury involve ‘some kind of impairment to the integrity or availability of Southwest’s data, program, system or information.”[247] The Northern District of Texas disagreed: “The statute merely requires that the access be without effective consent; it does not require injury. Section 33.02(b) discusses injury, but only in regard to the level of the offense.”[248] The court did not squarely address the provision of HACA that conditions the civil cause of action on a person or their property being “injured” and, instead, found that even if Southwest must allege injury, it did so.

In TrueBeginnings, LLC v. Spark Network Services, Inc.,[249] the plaintiff asserted both CFAA and HACA claims against the defendant for accessing its website under false pretenses in violation of its Terms of Use. The defendant moved for summary judgment on the claims arguing there is no evidence of damages resulting from the alleged unauthorized use of the website. The Northern District of Texas agreed, finding that damages are an essential element of plaintiff’s claims for violations of the federal and Texas computer protection statute. The “plaintiff fail[ed] to allege, much less prove, that it sustained any damages when [defendant] accessed its website under false pretenses. Without evidence of damages, plaintiff cannot raise a genuine issue of material fact to defeat summary judgment on its claims for negligent misrepresentation, violations of the federal and Texas computer protection statutes, and common law trespass.”[250]

“Injury” as used under HACA is not the same as “damage” or “loss” under the CFAA. “For instance, while certain investigative and responsive costs may be recoverable as a ‘loss’ under the CFAA,” a plaintiff will be required to also establish that such items fall within the “injured” requirement of HACA, which this court did not address.[251]

Note, however, that inartful pleading of a claim under this statute may make it difficult for the court to determine whether the impetus of the claim is a theft of data or an unauthorized access and this could have a determination on how the court analyzes the case. See Vianet Group PLC, et al. v. Tap Acquisition, Inc., et al., 2015 WL 13574336, at *4, (N.D. Tex. May 20, 2015):

For example, to the extent Tap alleges that “the actions of [Vianet and the Tap Employees] in taking and using Tap’s computer-based monitoring systems … amounts to criminal theft,” their complaint could be read as alleging that Vianet and the Tap Employees unlawfully took possession of the physical components of Tap’s computer systems, in which case they may have committed theft of property under Section 31.03. See FAC ¶ 85. As Vianet correctly points out, however, it could not possibly have taken possession of the physical components of Tap’s computer systems, because the systems were installed at the retail locations of Tap’s customers and appear to have remained in their possession at all times relevant to Tap’s complaint. See id. ¶¶ 67, 85. Thus, Tap’s complaint does not plausibly state a claim for civil theft of the physical components of Tap’s computer systems.

*4 Tap’s complaint could also be read, however, as alleging that Vianet and the Tap Employees stole the data from Tap’s computer systems, which is arguably a form of intangible property protected by Section 31.03.3 Id. ¶ 85 (“Fenley, Gould, and/or Rizvi illegally accessed Tap’s computer systems after their resignations” and “caused the data from these systems to be diverted to Vianet Americas”). Also, because such data may plausibly be considered a “trade secret,” Vianet and the Tap Employees may have committed theft of trade secrets under Section 31.05. Tex. Penal Code § 31.05(a)(4) (defining “trade secret” as “the whole or any part of any scientific or technical information, design, process, procedure, formula, or improvement that has value and that the owner has taken measures to prevent from becoming available to persons other than those selected by the owner to have access for limited purposes”).

E. Procedural Issues related to the BCS and HACA.

1. Limitations

The limitations period is the earlier of five years from the date of the last act or two years from the date the plaintiff had a reasonable opportunity to discover the violation.[252]

2. Burden of Proving Intent

The party asserting a BCS or HACA claim has the burden prove that the defendant knowingly accessed a computer, computer network, or computer system, knowing that this act was without the effective consent of the owner.[253] However,

A jury may infer knowledge or intent from the acts, conduct, and remarks of the accused, and from the surrounding circumstances. Direct evidence of the elements of the offense is not required. Indeed, proof of a culpable mental state almost invariably depends upon circumstantial evidence. Juries are permitted to make multiple reasonable inferences from the evidence presented at trial, and circumstantial evidence is as probative as direct evidence in establishing the guilt of an actor. Circumstantial evidence alone can be sufficient to establish guilt.[254]

3. Applicability of the Anti-SLAPP Law to HACA Claims?

Where an HACA claim against a defendant is premised on the defendant allegedly sending an email in violation of the HACA, if the defendant denies that he was the sender of the email, he has no basis for seeking to dismiss the claim under the Texas Citizens Participation Act’s Anti-SLAPP law. The reasons for this is because one purpose of the Anti-SLAPP law is to “encourage and safeguard the constitutional rights of persons to speak freely” but, if the defendant denies that he was the sender of the email, then he was not exercising this right and, therefore, the law is inapplicable to the claims against him.[255]

F. Remedies Available Under the BCS and HACA.

1. Injunctive Relief Under the BCS and HACA.

Injunctive relief is available for violations of the BCS and HACA, as was demonstrated by the case of Institutional Securities Corp. v. Hood,^[256] supra, in which the court granted both temporary restraining order and temporary injunction for violations of the BCS and HACA.[257]

of the company also worked as a representative of the company violated the BCS and HACA by

2. Exemplary Damages May Be Recoverable Under HACA.

While this issue has not been addressed by the courts, there is a legitimate argument that exemplary damages may be recoverable for violations if HACA that result from fraud or malice.[258] Specifically, under certain circumstances, the Civil Practice & Remedies Code permits the recovery of exemplary damages when “the claimant proves by clear and convincing evidence that the harm with respect to which the claimant seeks recovery of exemplary damages results from fraud [or] malice.”[259] In cases such as this, “[m]alice may be inferred from a wrongful act done intentionally in violation of [a party’s] rights.”[260]

[1] See 18 U.S.C. § 1030(e)(1) (2006).

[2] See Internet Crime Complaint Center, 2010 Internet Crime Report 7, 9 (2011), available at http://www.ic3.gov/media/annualreport/2010_IC3Report.pdf (reporting an increase from 231,493 complaints in 2005 to over 300,000 complaints in 2010, 9.1% of which were Computer Crimes).

[3] See Sun Tzu supra note 4, at 12.

[4] Id.

[5] Computer Fraud and Abuse Act of 1986, Pub. L. No. 99–474, 100 Stat. 1213 (codified at 18 U.S.C. § 1030 (2008)).

[6] Tex. Penal Code § 33.02.

[7] CFAA, supra note 1.

[8] Deborah F. Buckman, Annotation, Validity, Construction, and Application of Computer Fraud and Abuse Act, 174 A.L.R. Fed. 101 (2001).

[9] 18 U.S.C. § 1030(a)(1) (2008).

[10] Shawn E. Tuma, “In Search of the Golden Mean: Examining the Impact of the President’s Proposed Changes to the CFAA on Combatting Insider Misuse,” XVIII SMU Sci. & Tech. L. Rev. 3, 8-9 (2015); Shawn E. Tuma, “What Does CFAA Mean and Why Should I Care?” A Primer on the Computer Fraud & Abuse Act for Civil Litigators, 63 S.C. L. Rev. 141, 173-81 (2011).

[11] See id.

[12] See, e.g., Katherine Mesenbring Field, Note, Agency, Code, or Contract: Determining Employees’ Authorization Under the Computer Fraud and Abuse Act, 107 Mich. L. Rev. 819, 821 (2009) (noting the confusion between the courts over the CFAA’s language, providing examples of numerous cases interpreting, and applying the statute).

[13] See, e.g., Kyle W. Brenton, Trade Secret Law and the Computer Fraud and Abuse Act: Two Problems and Two Solutions, 2009 U. Ill. J.L. Tech. & Pol’y 429 (2009) (examining the relationship between trade secret law and the CFAA); Kerr, supra note 63 (reviewing vagueness challenges to the CFAA).

[14] See Musacchio v. U.S., 136 S. Ct. 709, — U.S. – (2016) (Jury instruction erroneously adding additional element to crime did not permit sufficiency challenge to the extra element.).

[15] Nick Akerman, Will the justices rule on the Computer Fraud and Abuse Act?, Nat’l L.J., Sept. 23, 2009, available at http://www.dorsey.com/files/upload/akerman_computer_fraud_july09.pdf.

[16] See, e.g., id. (discussing the conflict between the circuits regarding the interpretation of “without authorization”); John Rosenthal, Navigating the Circuit Split on the Computer Fraud and Abuse Act, Georgetown Law E-Discovery Law Blog (May 3, 2010, 12:42 PM), http://www.law.georgetown.edu/cleblog/post.cfm/navigating-the-circuit-split-on-the-computer-fraud-and-abuse-act (citing LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133–34 (9th Cir. 2009); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006) (discussing the circuit split regarding the interpretation of “authorization,” especially in the employer and employee context).

[17] Quantlab Techs. Ltd. (BVI) v. Godlevsky, 719 F. Supp. 2d 766, 774 (S.D. Tex. 2010) (footnote omitted) (citing 18 U.S.C. § 1030(a)(2)–(5) (2006)).

[18] See § 1030(a)(1)–(7).

[19] See id. at § 1030(e)(1). The term “computer” is defined as:

[A]n electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device[.]

Id.

[20] 18 U.S.C. § 1030(e)(2) (A)-(B) (2006 & Supp. IV 2010). The term “protected computer” is defined as a computer:

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States[.]

Id.

[21] See Quantlab Techs. Ltd. (BVI), 719 F. Supp. 2d at 775–76; Patrick Patterson Custom Homes, Inc. v. Bach, 586 F. Supp. 2d 1026, 1032–33 (N.D. Ill. 2008) (citing Reno v. ACLU, 521 U.S. 844, 849–50 (1997); Paradigm Alliance, Inc. v. Celeritas Tech., LLC, 248 F.R.D. 598, 602 (D. Kan. 2008); Becker v. Toca, 2008 WL 4443050, at *5 (E.D. La. 2008); Credentials Plus, LLC v. Calderone, 230 F. Supp. 2d 890, 906 (N.D. Ind. 2002), Kerr, supra note 63, at 1561, 1568 (The CFAA “potentially regulates every use of every computer in the United States and even many more millions of computers abroad.”).

[22] 18 U.S.C. § 1030(a)(2)(A) (2006) (citation omitted).

[23] § 1030(a)(2)(C) (Supp. IV 2010).

[24] § 1030(a)(4) (2006).

[25] § 1030(a)(5)(A) (2006 & Supp. IV 2010).

[26] § 1030(a)(5)(B) (Supp. IV 2010).

[27] § 1030(a)(5)(C) (Supp. IV 2010).

[28] § 1030 (a)(6)(A) (2006).

[29] § 1030(a)(7)(A) (Supp. IV 2010).

[30] § 1030(a)(7)(B) (Supp. IV 2010).

[31] § 1030(a)(7)(C) (Supp. IV 2010).

[32] § 1030(b) (2006 & Supp. IV 2010).

[33] See supra Part III.B.

[34] LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009).

[35] 18 U.S.C. § 1030(a)(4) (2006).

[36] LVRC Holdings LLC, 581 F.3d. at 1132.

[37] See Fed. R. Civ. P. 8(a).

[38] Fed. R. Civ. P. 9(b) (“In alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake. Malice, intent, knowledge, and other conditions of a person’s mind may be alleged generally.”).

[39] SKF USA, Inc. v. Bjerkness, 636 F. Supp. 2d 696, 719 n.13 (N.D. Ill. 2009) (“The heightened pleading standards of Rule 9(b) do not apply to the Computer Fraud and Abuse Act.”); see Facebook, Inc. v. MaxBounty, Inc., 274 F.R.D. 279, 284 (N.D. Cal. 2011) (quoting SKF USA, Inc., 636 F. Supp. 2d at 719 n.13); Enviroglas Prods., Inc. v. Enviroglas Prods., LLC, 705 F. Supp. 2d. 560, 572 (N.D. Tex. 2010).

[40] See Hanger Prosthetics & Orthotics, Inc. v. Capstone Orthopedic, Inc., 556 F. Supp. 2d 1122, 1131 (E.D. Cal. 2008) (“The term ‘defraud’ for purposes of §1030(a)(4) simply means wrongdoing and does not require proof of common law fraud.”); Thundervision, LLC v. Dror International, LP (In re Thundervision, LLC), No. 09-11145, No. 09-1063 A, No. 09-1088, 2010 WL 2219352, at *12 (Bankr. E.D. La. June 1, 2010) (citing eBay, Inc. v. Digital Point Solutions, Inc., 608 F. Supp. 2d. 1156, 1164 (N.D. Cal. 2009)).

[41] eBay, 608 F. Supp. 2d. at 1164 (citing Hanger Prosthetics & Orthotics, Inc., 556 F. Supp. 2d. at 1131.

[42] See United States v. Kramer, 631 F.3d 900, 901 (8th Cir. 2011) (citing 18 U.S.C. § 1030(e)(1) (2006)).

[43] Id. at 902 (citing § 1030(e)(1)).

[44] Id. at 901–02.

[45] Id. at 902–04.

[46] Id. at 901.

[47] Id. at 901 (citing Mark Milian, Apple’s Steve Wozniak: ‘We’ve lost a lot of control’, CNN (Dec. 8, 2010, 12:16 PM), http://www.cnn.com/2010/TECH/innovation/12/08steve.wozniak.com
puters/index.html).

[48] Id. at 902–03.

[49] Id. at 903.

[50] Id. at 903–04 (footnotes omitted).

[51] See id. at 904.

[52] See id. at 904–05.

[53] Texas Instruments introduces the TI-99/4 Home Computer, ti994.com, http://www.ti994.com/1979/brochures/1979pamphlet.pdf (last visited Sept. 16, 2011); Texas Instruments TI-99/4, Oldcomputers.net, http://oldcomputers.net/ti994.html (last visited Sept. 16, 2011).

[54] See Droid Incredible by HTC at Verizon Wireless, htc, http://www.htc.com/us/products/
droid-incredible-verizon#tech-specs (last visited Sept. 16, 2011) (specifying a processor of 1 GHz and memory up to 8 GB).

[55] Leapster 2, LeapFrog, http://www.leapfrog.com/gaming/leapster2/ (last visited Sept. 16, 2011).

[56] LeapFrog LeapSter 2 – handheld game console – pink, CNET, http://shopper.cnet.com/
consoles/leapfrog-leapster-2-handheld/4014-10109_9-33897286.html#info-5 (last visited Sept. 16, 2011).

[57] See John Sheesley, The 80’s Supercomputer That’s Sitting in Your Lap, TechRepublic (Oct. 13, 2008, 3:47PM), http://www.techrepublic.com/blog/classic-tech/the-80s-supercomputer-thats-sitting-in-your-lap/189. In the 1980s, the fastest supercomputer ran at 250 MHz, and the fastest desktop computer available had a processor that ran at 66 MHz. Id.

[58] See Complaint, supra note 188, at 1.

[59] See Temporary Restraining Order, supra note 191, at 1–2; Preliminary Injunction, supra note 194, at 1–2.

[60] See LVRC Holdings, LLC v. Brekka, 581 F.3d 1127, 1136 (9th Cir. 2009) (“There is no dispute that if Brekka accessed LVRC’s information on the LOAD website after he left the company in September 2003, Brekka would have accessed a protected computer ‘without authorization’ for purposes of the CFAA.”); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 581–82 (1st Cir. 2001); Craigslist, Inc. v. Naturemarket, Inc., 694 F. Supp. 2d 1039, 1049, 1057 (N.D. Cal. 2010).

[61] United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009).

[62] See, e.g., Mom Indicted in MySpace Suicide Case, MSNBC.com, May 15, 2008, http://www.msnbc.msn.com/id/24652422/ns/us_news-crime_and_courts/t/mom-indicted-myspace-suicide-case/#.TmRGLY5yDvE (discussing the Drew case).

[63] Drew, 259 F.R.D. at 452.

[64] Id. (citing 18 U.S.C. § 1030(a)(2)(C), (c)(2)(B)(ii) (2006 & Supp. III 2009)).

[65] See id. at 456–57 (citing § 1030(e)(2)(B)).

[66] See id. at 458.

[67] See Milian, supra note 12.

[68] Simmonds Equip., LLC v. GGR Intern., Inc., 2015 WL 5069169, at *5 (S.D. Tex. Aug. 27, 2015); Merritt Hawkins & Assoc., LLC v. Gresham, 948 F. Supp. 2d. 671, 673-74 (N.D. Tex. 2013).

[69] See Mahoney v. DeNuzzio, 2014 WL 347624 (D. Mass. Jan. 29, 2014) (Yahoo! and Facebook); Mintz v. Mark Bartelstein & Associates, Inc., 906 F. Supp. 2d 1017, 1029 (C.D. Cal. 2012) (Gmail account); United States v. Alexander, 2010 WL 3238961 (N.D. Cal. Aug. 16, 2010) (Yahoo! email); United States v. Kernell, 2010 WL 1408438 (E.D. Tenn. Apr. 2, 2010) (Yahoo!).

[70] See supra notes 137–146 and accompanying text.

[71] See id.

[72] See, e.g., LVRC Holdings, LLC v. Brekka, 581 F.3d 1127, 1132–35 (9th Cir. 2009) (citations omitted) (interpreting “exceeds authorized access”); Orbit One Commc’ns., Inc. v. Numerex Corp., 692 F. Supp. 2d 373, 385 (S.D.N.Y. 2010) (examining various interpretations of “access” by the courts).

[73] 18 U.S.C. § 1030(a) (2006).

[74] See § 1030(e)(6) (defining the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter[.]” (emphasis added)).

[75] § 1030(a).

[76] See United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010).

[77] See Am. Online, Inc. v. Nat’l Health Care Disc., Inc., 121 F. Supp. 2d 1255, 1273 (N.D. Iowa 2000).

[78] See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 579, 581–82 (1st Cir. 2001) (citations omitted).

[79] See Hillsboro Dental, LLC v. Hartford Cas. Ins. Co., No. 410-CV-271 (CEJ), 2010 WL 5184956, at *3 (E.D. Mo. Dec. 15, 2010) (citing 1030(a)).

[80] See id.

[81] See § 1030(a).

[82] See Hunt v. Branch Banking & Trust Co., No. 4:09-cv-2151-JMC-TER, 2011 WL 1101050, at *1, *6 (D.S.C. Mar. 23, 2011) (defendant’s mistaken origination of plaintiff’s bank account in a manner not authorized by the plaintiff was not contemplated by the CFAA).

[83] Land and Bay Gauging L.L.C. v. Shor, 623 Fed. Appx. 674, 683 (5^th Cir. Aug. 21, 2015).

[84] See Clark Street Wine & Spirits v. Emporos Sys. Corp., 754 F. Supp. 2d 474, 486 (E.D.N.Y. 2010) (In the context of the CFAA, “[a]n employer is responsible for an employee’s intentional tort only when the employee was acting within the scope of his or her employment when he or she committed the tort” (quoting Girden v. Sandals Int’l, 262 F.3d 195, 205 (2d Cir. 2001) (internal quotation marks omitted)). This, however, usually raises a predominantly factual issue for the jury, but in some cases it is appropriate for determination as a matter of law. See id. Girden, 262 F.3d at 205.

[85] See eBay Inc. v. Digital Point Solutions, Inc., 608 F. Supp. 2d 1156, 1164 (N.D. Cal. 2009) (citing Binary Semantics, Ltd. v. Minitab, Inc., No. 4:07-CV-1750, 2008 WL 763575, at *5 (M.D. Pa. Mar. 20, 2008)).

[86] See id. (explaining that “hackers may use the computers of unknowing third parties to carry out their schemes”).

[87] See Scottrade, Inc. v. BroCo Invs., Inc., 774 F. Supp. 2d 573, 584 (S.D.N.Y. 2011). Scottrade’s customers’ accounts were hacked and Scottrade reimbursed its customers for their losses, and then asserted a CFAA claim against the hacker and Genesis, the investment broker through which the hacker originally purchased securities fraudulently traded to Scottrade customers. Id. at 575-76. The court held, “[b]ecause Scottrade does not allege that Genesis hacked into its systems, or otherwise accessed its computers without authorization, Scottrade’s CFAA claim against Genesis fails and must be dismissed.” Id. at 584.

[88] 359 F.3d 1066 (9th Cir. 2004) (“The district court dismissed without leave to amend on the theory that the Act does not apply to unauthorized access of a third party’s computer.”).

[89] Id. at 1078 (citations omitted) (internal quotation marks omitted).

[90] Sloan Fin. Grp., LLC v. Coe, No. 0:09-cv-02659-CMC, 2010 WL 4668341, at *5 n.8 (D.S.C. Nov. 18, 2010) (citing 18 U.S.C. § 1030(a)(2)(C), (g) (2006 & Supp. III 2009).

[91]. EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).

[92]. United States v. John, 597 F.3d 263 (5th Cir. 2010).

[93]. United States v. Teague, 646 F.3d 1119 (8th Cir. 2011).

[94]. United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).

[95]. United States v. Nosal, 676 F.3d 854 (9th Cir. 2012).

[96]. WEC Carolina Energy Solutions, LLC v. Miller, 687 F.3d 199 (4th Cir. 2012).

[97] United States v. Valle, 807 F.3d 508 (2^nd Cir. 2015).

[98]. See Tuma, supra note 9, at 176 (2011).

[99]. Shawn E. Tuma, Emp’t Agreement Restrictions Determined Whether Emps. Exceed Authorized Access Under Computer Fraud & Abuse Act, Cybersecurity Business Law Law Blog (Jan. 27, 2013), http://shawnetuma.com/2013/01/27/employment-agreement-restrictions-determined-whether-employees-exceeded-authorized-access-under-computer-fraud-and-abuse-act/.

[100] See Tuma, “In Search of the Golden Mean”, supra note __ at 8; Shawn E. Tuma, New “Employment” Computer Fraud and Abuse Act Case … But With a Twist!, Cybersecurity Business Law Blog, (Apr. 25, 2011), https://shawnetuma.com/2011/04/25/new-employment-computer-fraud-and-abuse-act-case-but-with-a-twist/.

[101] Hunn v. Dan Wilson Homes, Inc., 789 F.3d 573, 583-84 (5^th Cir. 2015).

[102] Stuyvie Pyne, The Computer Fraud & Abuse Act: Circuit Split & Efforts to Amend, Berkley Tech. L.J. (Mar. 31, 2014), http://btlj.org/2014/03/31/the-computer-fraud-and-abuse-act-circuit-split-and-efforts-to-amend/.

[103] International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (citing Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000)).

[104]. See, e.g., Tuma, supra note 96 at 9.

[105]. See, e.g., Int’l Airport Ctrs. v. Citrin, 440 F.3d 418 (7th Cir. 2006).

[106]. See, e.g., New Show Studios v. Needle, No. 2:14-cv-01250-CAS(MRWx), 2014 WL 2988271 (C.D. Cal. June 30, 2014).

[107]. See, e.g., John, 597 F.3d at 263.

[108]. See, e.g., United States v. Steele, No. 13-4567, 2014 WL 7331679 (4th Cir. Dec. 24, 2014).

[109]. See, e.g., United States v. Morris, 928 F.2d 504 (2nd Cir. 1991).

[110] Shawn E. Tuma, “In Search of the Golden Mean: Examining the Impact of the President’s Proposed Changes to the CFAA on Combatting Insider Misuse,” XVIII SMU Sci. & Tech. L. Rev. 3, 8-9 (2015)

[111] See Shawn E. Tuma, Computer Fraud and Abuse Act 101, Tex. Lawyer (Dec. 19, 2011); Numerous blog posts under the “loss” tag on Business Cybersecurity Law Blog, https://shawnetuma.com/tag/loss/.

[112] Id.

[113] Clark St. Wine & Spirits v. Emporos Sys. Corp., 754 F. Supp. 2d 474, 486 (E.D.N.Y. 2010) (quoting § 1030(e)(8)).

[114] Id. Plaintiff’s notice of “significant fraud activity” was not sufficient to constitute a discovery where plaintiff had not learned that the fraud involved the “impairment to the integrity or availability of data, a program, a system or information,” in other words, that the fraud involved access to a computer. Id. (quoting § 1030(e)(8)) (internal quotation marks omitted); see Quantlab Techs. Ltd. (BVI) v. Godlevsky, 719 F. Supp. 2d 766, 775 (S.D. Tex. 2010)).

[115] See Kimberly A. Moore & Francesco Parisi, Rethinking Forum Shopping in Cyberspace, 77 Chi.-Kent L. Rev. 1325, 1328 (2002) (“By strategically choosing the forum, a plaintiff can maximize the expected return from litigation.”).

[116] See, e.g., Creative Computing v. Getloaded.com LLC, 386 F.3d 930 (9th Cir. 2004) (affirming a district court verdict against the appellant for violations of the Computer Fraud and Abuse Act).

[117] See, e.g., Kellman v. Workstation Integrations, Inc., 332 S.W.3d 679, 683 (Tex. Ct. App. 2010) (plaintiff asserted several claims in state court, including claims under the Computer Fraud and Abuse Act, which were tried to a jury).

[118] David L. Balser, State Courts Need More Funding – Now, 16 Metro Corp. Counsel, Feb. 2008, at 27.

[119] Steven J. From & Joseph A. Martin, Trade Secret Litigation, 798 Prac. L. Inst. 655, 679 (2004) (“The absence of any limitations on where . . . [CFAA] civil actions may be filed leaves open the possibility that State courts will have concurrent jurisdiction with the federal courts over such claims.”); see H & R Block Tax Servs., Inc. v. Rivera-Alicea, 570 F. Supp. 2d 255, 268 n.5 (D.P.R. 2008) (“This court does not have exclusive jurisdiction over Block’s CFAA claim.”).

[120] See 28 U.S.C. § 1441 (2006).

[121] See, e.g., Liebert Corp. v. Mazur, No. 05 C 2609, 2005 WL 1563202, at *3 (N.D. Ill. June 6, 2005) (remanding CFAA claims filed by plaintiff in federal court to state court).

[122] Id.

[123] 746 F. Supp. 2d 990 (E.D. Wis. 2010).

[124] Id. at 995.

[125] Id. at 995–96.

[126] Id. at 995.

[127] See United States v. Riggs, 739 F. Supp. 414, 423 (N.D. Ill. 1990); Hecht v. Components Int’l, Inc., 867 N.Y.S.2d. 889, 898 (N.Y. Sup. Ct. 2008).

[128] See Integrated Waste Solutions, Inc. v. Goverdhanam, No. 10-2155, 2010 WL 4910176, at *15 n.10 (E.D. Pa. Nov. 30, 2010).

[129] See Riggs, 739 F. Supp. at 423 (“[T]his court is unable to find [] anything in the legislative history of the CFAA which suggests that the statute was intended to be the exclusive law governing computer-related crimes, or that its enactment precludes the application of other criminal statutes to computer-related conduct.”); Hecht, 867 N.Y.S.2d at 898 (“It appears that the CFAA is not intended to preempt state law claims based on unauthorized access to a computer such as trespass to chattel, conversion, or fraud.”).

[130] 18 U.S.C. § 1030(g) (2006).

[131] See William Frank Carroll & Richard M. Hunt, A Primer on Injunctive Relief in Federal and State Court, 32 Advoc. 34, 34 (2005) (“A suit for injunctive relief is one of the most effective tools available to a litigator, especially when a request for immediate relief is included.”).

[132] See George W. Dent, Jr., Unprofitable Mergers: Toward a Market-Based Legal Response, 80 Nw. U. L. Rev. 777, 797 (1986) (“Indeed, in most cases a court should be able to decide quickly whether to grant a preliminary injunction, and as a practical matter this decision often will dispose of the entire case.”).

[133] Final Judgment Upon Consent and Permanent Injunction, Sony Computer Entm’t Am. LLC v. Hotz, No. 11-cv-000167 SI (N.D. Cal. Apr. 9, 2011) [hereinafter Permanent Injunction].

[134] Id. at 1. The allegations were that Hotz and others were circumventing the effective technological protection measures (TPMs) employed by Sony to protect against unauthorized access to, and potential copying of, Sony’s proprietary PS3 gaming systems. Complaint for Injunctive Relief and Damages Based on Violations of Digital Millennium Copyright Act; Violations of the Computer Fraud and Abuse Act; Contributory Copyright Infringement; Violations of the California Comprehensive Computer Data Access and Fraud Act; Breach of Contract; Tortious Interference with Contractual Relations; Common Law Misappropriation; and Trespass at 1, Sony Computer Entm’t Am. LLC v. Hotz, No. 11-cv-000167 SI (N.D. Cal. Jan. 11, 2011) [hereinafter Complaint].

[135] See Complaint, supra note 188, at 9–10.

[136] See id. at 22.

[137] Order Granting Plaintiff’s ex parte Motion for Temporary Restraining Order, Order to Show Cause re: Preliminary Injunction, and Order of Impoundment at 2–3, Sony Computer Entm’t Am. LLC v. Hotz, No. 11-cv-000167 SI (N.D. Cal. Jan. 27, 2011) [hereinafter Temporary Restraining Order].

[138] Temporary Restraining Order, supra note 191, at 2–3.

[139] Id. at 4.

[140] See Order Granting Preliminary Injunction at 2–4, Sony Computer Entm’t Am. LLC v. Hotz, No. C 11-000167 SI (N.D. Cal. Feb. 28, 2011) [hereinafter Preliminary Injunction]. While the Temporary Restraining Order was granted on the basis of Sony’s CFAA and DMCA claims, see Temporary Restraining Order, supra note 191, at 2, the Preliminary Injunction was granted solely on the basis of the DMCA claim, see Preliminary Injunction, supra, at 2.

[141] See Permanent Injunction, supra note 187, at 1.

[142] Id. at 1, 3–5.

[143] Id. at 4–5.

[144] See Dent, supra note 186, at 797 (“Indeed, in most cases a court should be able to decide quickly whether to grant a preliminary injunction, and as a practical matter this decision often will dispose of the entire case.” (footnote omitted)).

[145] § 1030(g) (2006) (“Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”).

[146] § 1030(g) (Supp. IV 2010) (“A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).”) (footnote omitted). The five specified factors are as follows:

(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(III) physical injury to any person;

(IV) a threat to public health or safety;

(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security[.]

1030(c)(4)(A)(i)(I)–(V) (Supp. IV 2010).

[147] § 1030(c)(4)(A)(i)(I).

[148] § 1030(e)(8) (2006).

[149] § 1030(e)(11).

[150] See § 1030(e)(8), (g).

[151] See, e.g., § 1030(g) (stating that a person who suffers “damage” as a result of a violation of this section may initiate a civil action to recover compensatory “damages”).

[152] 18 U.S.C. § 1030(g) (2006).

[153] Id. (referencing § 1030(c)(4)(A)(i)(I)–(V) (Supp. IV 2010)).

[154] Id.

[155] Frees, Inc. v. McMillian, No. 05-1979, 2007 WL 2264457, at *5 (W.D. La. Aug. 6, 2007).

[156] 18 U.S.C. § 1030(g) (Supp. IV 2010) (footnote omitted).

[157] § 1030 (g) (Supp. IV 2010). The five specified factors are as follows:

(II) the modification or impairment, or potential modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(III) physical injury to any person;

(IV) a threat to public health or safety;

(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security[.]

1030(c)(4)(A)(i)(I)–(V) (Supp. IV 2010).

[158] See Ipreo Holdings LLC v. Thomson Reuters Corp., No. 09-CV-8099(BSJ), 2011 WL 855872, at * 6–7 (S.D.N.Y. Mar. 8, 2011) (quoting Univ. Sports Publ’ns. Co. v. Playmakers Media Co., 725 F. Supp. 2d 378, 387 (S.D.N.Y. 2010)).

[159] See § 1030(c)(4)(A)(i)(I). The other potential qualifying factors—impairment of medical diagnosis or treatments, physical injury, public health or safety, or United States Government computers—are all exempted from the $5,000 loss requirement. Global Policy Partners, LLC v. Yessin, 686 F. Supp. 2d 642, 646 n.2 (E.D. Va. 2010). The aforementioned factors would not often arise in most business cases, though, of course, there will be exceptions to this overly broad statement.

[160] § 1030(g) (2006).

[161] A.V. ex rel Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009) (citing § 1030(g)).

[162] § 1030(g).

[163] See supra text accompanying note 343.

[164] § 1030(g).

[165] Id.

[166] Id.

[167] In re Doubleclick, Inc. Privacy Litigation, 154 F. Supp. 2d 497, 522 (S.D.N.Y. 2001).

[168] See supra text accompanying notes 208–209.

[169] See Lapp Insulators LLC v. Gemignani, No. 09-CV-0694A(Sr), 2011 WL 1198648, at *8 (W.D.N.Y. Mar. 9, 2011). In this case, the plaintiff “allege[d] that it ha[d] suffered damage and loss . . . in an amount to be determined at trial, but not less than $5,000.” Id. (citation omitted). Based on this allegation, the court held that the plaintiff “alleged loss and unauthorized access sufficient to withstand the instant motion to dismiss.” Id.

[170] See Garelli Wong & Assocs., Inc. v. Nichols, 551 F. Supp. 2d 704, 710–11; see also M-I LLC v. Stelly, 733 F. Supp. 2d 759, 780 (S.D. Tex. 2010) (holding that plaintiff failed to allege facts showing at least $5,000 of loss); Mktg. Tech. Solutions, Inc. v. Medizine LLC, No. 09 Civ. 8122(LMM), 2010 WL 2034404, at *7 (S.D.N.Y. 2009) (holding that the complaint was inadequate for failure to “allege with some particularity the ‘damage’ and ‘loss’ (as defined in the CFAA) claimed to be involved, with, moreover, facts showing that the $5,000 threshold of Section 1030(a)(4) is satisfied”).

[171] See Quantlab Techs. Ltd. (BVI) v. Godlevsky, 719 F. Supp. 2d 766, 770, 776 (S.D. Tex. 2010).

[172] 18 U.S.C. § 1030(e)(11) (2006).

[173] Stelly, 733 F. Supp. 2d at 780 (“[C]ase law has consistently interpreted the loss provision to encompass only the costs incurred as a result of investigating or remedying damage to a computer, or costs incurred because the computer’s service was interrupted.”).

[174] See id. (dismissing plaintiff’s claim for failure to “allege facts showing at least $5,000 of loss, or any loss as a result of investigation or interruption of computer service”).

[175] Mktg. Tech. Solutions, Inc. v. Medizine LLC, No. 09 Civ. 8122(LMM), 2010 WL 2034404, at *7 (S.D.N.Y. May 18, 2010). It is interesting to note that courts have held that the pleading requirement for a CFAA claim is not subject to the heightened pleading requirements of Rule 9 for claims of common law fraud. See supra text accompanying notes 171–173. It now appears, however, as though the requirement for pleading the threshold loss or damage under § 1030(a)(4) may in some courts be evolving to such a heightened pleading standard. Compare Mktg. Tech. Solutions, 2010 WL 2034404, at *7, and supra note 172, with supra note 353 and accompanying text.

[176] § 1030(c)(4)(A)(i)(I) (Supp. IV 2010).

[177] White Buffalo Ventures, LLC v. Univ. of Tex., 420 F.3d 366, 378 n.24 (5th Cir. 2005) (citing EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 585 (1st Cir. 2001)) (“Even in the CFAA context, however, courts rely on the ‘loss’ rather than the ‘damage’ language in the statute.”); see also Mortensen v. Bresnan Commc’n, L.L.C., No. CV 10-13-BLG-RFC, 2010 WL 5140454, at *7 (D. Mont. Dec. 13, 2010) (stating that “‘loss’ is treated differently from ‘damage’” (quoting § 1030(e)(11) (2006))).

[178] § 1030(e)(8).

[179] Alliantgroup, L.P. v. Feingold, No. H–09–0479, 2011 WL 1157315, at *15 (S.D. Tex. Mar. 24, 2011) (“The term ‘loss’ encompasses only two types of harm: costs to investigate and respond to an offense, and costs incurred because of a service interruption.” (citing Quantlab Techs. Ltd. (BVI) v. Godlevsky, 719 F. Supp. 2d 766, 776 (S.D. Tex. 2010))); see also § 1030(e)(11).

[180] See infra Part III.D.5.b.

[181] See Lapp Insulators LLC v. Gemignani, No. 09–CV–0694A(Sr), 2011 WL 1198648, at *7 (W.D.N.Y. Mar. 9, 2011); AssociationVoice, Inc. v. AtHomeNet, Inc., No. 10-cv-00109-CMA-MEH, 2011 WL 63508, at *7 (D. Colo. Jan. 6, 2011) (“Only those costs in the second half of the definition need to relate to an interruption of service. Costs that need not relate to an interruption include ‘the cost of responding to an offense’ and ‘conducting a damage assessment.’”) (citing § 1030(e)(11)).

[182] Global Policy Partners, LLC v. Yessin, 686 F. Supp. 2d 642, 646 (E.D. Va. 2010) (citing § 1030(c)(4)(A)(i) (Supp. III 2009)).

[183] Id.

[184] See id. at 646–48 (citations omitted).

[185] 562 F.3d 630 (4th Cir. 2009).

[186] Yessin, 686 F. Supp. 2d at 647 (citing iParadigms, LLC, 562 F.3d at 646).

[187] Id. (citing iParadigms, LLC, 562 F.3d at 646).

[188] Id. (citing United States v. Middleton, 231 F.3d 1207, 1213 (9th Cir. 2000)).

[189] 1st Rate Mortg. Corp. v. Vision Mortg. Servs. Corp., No. 09–C–471, 2011 WL 666088, at *3 (E.D. Wis. Feb. 15, 2011); see also Ipreo Holdings LLC v. Thomson Reuters Corp., No. 09 Cv. 8099(BSJ), 2011 WL 855872, at *7 (S.D.N.Y. Mar. 8, 2011).

[190] AssociationVoice, Inc. v. AtHomeNet, Inc., No. 10-cv-00109-CMA-MEH, 2011 WL 63508, at *8 (D. Colo. Jan. 6, 2011).

[191] Ipreo Holdings LLC, 2011 WL 855872, at *7 (“[T]he costs of investigating security breaches constitute recoverable losses, even if it turns out that no actual data damage or interruption of service resulted from the breach.” (quoting Univ. Sports Publ’ns Co. v. Playmakers Media Co., 725 F. Supp. 2d 378, 387 (S.D.N.Y. 2010))).

[192] See id. (citing Univ. Sports Publ’ns Co., 725 F. Supp. 2d at 387).

[193] 18 U.S.C. § 1030(e)(11) (2006).

[194] Lapp Insulators LLC v. Gemignani, No. 09–CV–0694A(Sr), 2011 WL 1198648, at *7 (W.D.N.Y. Mar. 9, 2011) (quoting Penrose Computer Marketgroup, Inc. v. Camin, 682 F. Supp. 2d 202, 208 (N.D.N.Y. 2010) (internal quotations omitted)).

[195] Ipreo Holdings LLC, 2011 WL 855872, at *7; Patrick Patterson Custom Homes, Inc. v. Bach, 586 F. Supp. 2d 1026, 1036 (N.D. Ill. 2008).

[196] Lapp Insulators LLC, 2011 WL 1198648, at *7.

[197] EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 584 (1st Cir. 2001).

[198] Integrated Waste Solutions, Inc. v. Goverdhanam, No. 10-2155, 2010 WL 4910176, at *9 (E.D. Pa. Nov. 30, 2010) (citation omitted).

[199] AssociationVoice, Inc. v. AtHomeNet, Inc., No. 10-cv-00109-CMA-MEH, 2011 WL 63508, at *7 (D. Colo. Jan. 6, 2011); see also SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975, 980–81 (N.D. Cal. 2008) (citations omitted).

[200] Patrick Patterson Custom Homes, Inc., 586 F. Supp. 2d at 1036.

[201] See AssociationVoice, Inc., 2011 WL 63508, at *8.

[202] See Mortensen v. Bresnan Commc’n, L.L.C., No. CV 10-13-BLG-RFC, 2010 WL 5140454, at *7 (D. Mont. Dec. 13, 2010) (citing In re Apple & AT & TM Antitrust Litigation, 596 F. Supp. 2d 1288, 1308 (N.D. Cal. 2008); In re Toys R Us, Inc., Privacy Litigation, No. 00-CV-2746, 2001 WL 34517252, at *11 (N.D. Cal. 2001)).

[203] See LaCourt v. Specific Media, Inc., No. SACV10–1256–GW(JCGx), 2011 WL 1661532, at *6 & n.4 (C.D. Cal. Apr. 28, 2011).

[204] See Advantage Ambulance Grp., Inc. v. Lugo, No. 08-3300, 2009 WL 839085, at *1, 4 (E.D. Pa. Mar. 30, 2009).

[205] See Quantlab Techs. Ltd. (BVI) v. Godlevsky, 719 F. Supp. 2d 766, 776 (S.D. Tex. 2010) (citations omitted).

[206] Res. Ctr. for Indep. Living, Inc. v. Ability Res., Inc., 534 F. Supp. 2d 1204, 1211 (D. Kan. 2008); see also Meats by Linz, Inc. v. Dear, No. 3:10–CV–1511–D, 2011 WL 1515028, at *3 (N.D. Tex. Apr. 20, 2011).

[207] M-I LLC v. Stelly, 733 F. Supp. 2d 759, 780 (S.D. Tex. 2010).

[208] Id. at 780.

[209] 18 U.S.C. § 1030(g) (2006).

[210] See § 1030(g) (Supp. IV 2010) (“Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages.”).

[211] No. 05-1979, 2007 WL 2264457 (W.D. La. Aug. 6, 2007).

[212] Id. at *5 (citations omitted).

[213] Contract Assocs. Office Interiors, Inc. v. Ruiter, No. CIV. S-07-0334 WBS EFB, 2008 WL 3286798, at *3 (E.D. Cal. Aug. 6, 2008) (citing Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 935 (9th Cir. 2004)).

[214] Liebert Corp. v. Mazur, No. 04 C 3737, 2004 WL 2095666, at *3 (N.D. Ill. Sept. 17, 2004). In a recent CFAA criminal case, the First Circuit ruled that restitution, though usually penal in nature, could be recovered because in the context of that case restitution was analogous to a cost of responding to a loss and, therefore, permissible. United States v. Janosko, 642 F.3d 40, 41–42 (1st Cir. 2011).

[215] Thundervision, LLC v. Dror Int’l, LP (In re Thundervision, LLC), No. 09-11145, No. 09-1063 A, No. 09-1088, 2010 WL 2219352, at *12 (Bankr. E.D. La. June 1, 2010) (“Under the statute, the attorneys fees to assert a CFAA violation are not within the sphere of recoverable damages.”); see also Liebert Corp., 2004 WL 2095666, at *3 (“There is no express [CFAA] provision for . . . attorneys fees.”); Tyco Int’l (US) Inc. v. John Does, No. 01 Civ. 3856(RCC)(DF), 2003 WL 23374767, at *5 (S.D.N.Y. Aug. 29, 2003) (denying claim for attorneys’ fees under CFAA).

[216] See NCMIC Finance Corp. v. Artino, 638 F. Supp. 2d 1042, 1065–66 (S.D. Iowa 2009) (permitting plaintiff to recover legal fees incurred for researching how to appropriately respond to a data breach and for the response thereto, when they were considered necessary for responding to the actual CFAA violation, and, therefore, were “incurred as part of the response to a CFAA violation.” (quoting A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009)) (internal quotation marks omitted)).

[217] Thundervision, LLC v. Dror Int’l, LP (In re Thundervision, LLC), No. 09-11145, No. 09-1063 A, No. 09-1088, 2010 WL 2219352, at *12 (Bankr. E.D. La. June 1, 2010) (“Under the statute, the attorneys fees to assert a CFAA violation are not within the sphere of recoverable damages.”); see also Liebert Corp., 2004 WL 2095666, at *3 (“There is no express [CFAA] provision for . . . attorneys fees.”); Tyco Int’l (US) Inc. v. John Does, No. 01 Civ. 3856(RCC)(DF), 2003 WL 23374767, at *5 (S.D.N.Y. Aug. 29, 2003) (denying claim for attorneys’ fees under CFAA).

[218] See NCMIC Finance Corp. v. Artino, 638 F. Supp. 2d 1042, 1065–66 (S.D. Iowa 2009) (permitting plaintiff to recover legal fees incurred for researching how to appropriately respond to a data breach and for the response thereto, when they were considered necessary for responding to the actual CFAA violation, and, therefore, were “incurred as part of the response to a CFAA violation.” (quoting A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009)) (internal quotation marks omitted)).

[219] Tex. Penal Code § 33.02.

[220] Tex. Civ. Prac. & Rem. Code § 143.001.

[221] Tex. Penal Code § 33.02(b-1)(2).

[222] Tex. Penal Code § 33.01(12).

[223] In re Simons Broadcasting, LP, 2013 WL 9542015, at *18 (W.D. Tex. Nov. 19, 2013); See Muhammed v. State, 331 S.W.3d 187, 193 (Tex. App.—Houston [14^th Dist.] 2011, no pet.).

[224] Tex. Civ. Prac. & Rem. Code § 143.001(a).

[225] See 18 U.S.C. § 1030(a).

[226] Muhammed v. State, 331 S.W.3d 187, 193 (Tex. App.—Houston [14^th Dist.] 2011, no pet.).

[227] Miller v. Talley Dunn Gallery, LLC, 2016 WL 836775 (Tex. App.–Dallas, Mar. 3, 2016).

[228] Signorelli v. State, 2007 WL 4723210 (Tex. App.—Beaumont, Apr. 23, 2008, pet. ref’d).

[229] Miller v. Talley Dunn Gallery, LLC, 2016 WL 836775 (Tex. App.–Dallas, Mar. 3, 2016).

[230] Miller v. Talley Dunn Gallery, LLC, 2016 WL 836775 (Tex. App.–Dallas, Mar. 3, 2016).

[231] Knepp v. State, 2009 WL 638249, at *3 (Tex. App.—Dallas, March 13, 2009, no pet.).

[231.1] Merritt Hawkins & Associates, L.L.C. v. Gresham, 2017 WL 2662840 (5th Cir. June 21, 2017).

[232] Miller v. State, 335 S.W.3d 847, 858 (Tex. App.—Austin 2011, no pet.).

[233] Kane v. State, 458 S.W.3d 180 , 187-88 (Tex. App.—San Antonio 2015, pet. ref’d).

[234] Mitchell v. State, 12 S.W.3d 158 (Tex. App.—Dallas 2000, no pet.).

[235] Institutional Securities Corp. v. Hood, 390 S.W.3d 680 (Tex. App.—Dallas 2012, no pet.).

[236] Id. at 683.

[237] Id. at 684.

[238] Id. at 685.

[239] See Southwest Airlines Co. v. BoardFirst, L.L.C., 2007 WL 4823761, at *16 (N.D. Tex. Sept. 12, 2007).

[240] In re Simons Broadcasting, LP, 2013 WL 9542015, at *18 (W.D. Tex. Nov. 19, 2013).

[241] Miller v. Talley Dunn Gallery, LLC, 2016 WL 836775 (Tex. App.–Dallas, Mar. 3, 2016).

[242] Muhammed v. State, 331 S.W.3d 187 (Tex. App.—Houston [14^th Dist.] 2011, no pet.).

[243] Southwest Airlines Co. v. Farechase, Inc., 318 F.Supp.2d 435, 442-43 (N.D. Tex. 2004).

[244] Tex. Penal Code § 33.02(b-1)(2).

[245] Tex. Civ. Prac. & Rem. Code § 143.001(a).

[246] Southwest Airlines Co. v. Farechase, Inc., 318 F.Supp.2d 435 (N.D. Tex. 2004).

[247] Id. at 443.

[248] Id.

[249] TrueBeginnings, LLC, v. Spark Network Services, Inc., 631 F. Supp.2d 849 (N.D. Tex. 2009).

[250] Id. at 858.

[251] See Southwest Airlines Co. v. BoardFirst, L.L.C., 2007 WL 4823761, at *16 (N.D. Tex. Sept. 12, 2007).

[252] Tex. Civ. Prac. & Rem. Code § 143.001(b).

[253] Muhammed v. State, 331 S.W.3d 187, 192 (Tex. App.—Houston [14^th Dist.] 2011, no pet.).

[254] Id. at 193 (internal citations omitted).

[255] Pickens v. Cordia, 433 S.W.3d 179, 188 (Tex. App.—Dallas 2014, no pet.).

[256] Institutional Securities Corp. v. Hood, 390 S.W.3d 680 (Tex. App.—Dallas 2012, no pet.).

[257] Id. at 685.

[258] Tex. Civ. Prac. & Rem. Code § 41.003.

[259] Id.

[260] Burleson State Bank v. Plunkett, 27 S.W.3d 605, 618 (Tex. App.—Waco 2000, pet. denied).

I. INTRODUCTION