Much has been written about the circuit split with regard to Computer Fraud and Abuse Act access jurisprudence. While this has been the primary focus of attention, there has been a similar divide among the district courts with regard to the loss jurisprudence. Given that the $5,000 loss requirement is the jurisdictional threshold that must be met in order to bring a civil CFAA claim — that is, the gatekeeper — the loss issue could prove to be more important than the access issue when it comes to expanding or limiting the often criticized use of the Computer Fraud and Abuse Act in civil cases.
Sprint’s CFAA Lawsuits In Multiple Jurisdictions
Sprint has gone to war against unauthorized resellers of Sprint telephones who allegedly unlock those phones so that they will operate on a network other than Sprint’s. For this battle, the Computer Fraud and Abuse Act is one of Sprint’s weapons of choice. Since January 1, 2014, Sprint has filed lawsuits in several different jurisdictions throughout the country in which it asserts claims under the CFAA, including one right next door to me in the Northern District of Texas. Here are 3 that I found rather quickly:
Sprint Solutions, Inc., and Sprint Communications Company L.P. v. Alain Martinez, Sr., Cause No. 2:14-cv-00224 in the United States District Court of New Jersey (Complaint filed Jan. 13, 2014);
Sprint Solutions, Inc. and Sprint Communications Company L.P. v. Liang Jin Shao, individually and d/b/a Leo’s Computer Repair and Liberty Laundromat, Cause No. 2:14-cv-00545 in the United States District Court, Eastern District of Pennsylvania (Complaint filed Jan. 17, 2014); and
Sprint Solutions, Inc. and Sprint Communications Company L.P. v. Zoubi Imports and Exports Inc., Mohammad Abdel Halawani, Ashraf Zoubi and Mohammad Zoubi a/k/a Mohammad Zebi, Cause No. 4:14-cv-00053 in the United States District Court, Northern District of Texas, Fort Worth Division (Complaint filed Jan. 27, 2014).
While the complaints in these three cases are very similar, though tailored as necessary to fit the unique facts of each case, the fact that they are in three different jurisdictions will make it interesting to see how the cases fare insofar as the CFAA claims are concerned, especially how the “loss” analysis will play out for each. There is still quite a bit of evolution going on with regard to the loss jurisprudence in the various districts and quite a few conflicts between them.
The District Court Split in CFAA Loss Jurisprudence
For example, on one end of the spectrum, in the Northern District of Texas we have seen a case allow the value of the trade secret information taken to be used in calculating the $5,000 loss even though there was no allegation of interruption of service. (see post) For the reasons stated in the post, I believe that particular case is an aberration and the other loss cases in the Northern District of Texas bear that out. Nonetheless, the case is still on the books and will need to be addressed by defendants Zoubi Imports and Exports Inc., Mohammad Abdel Halawani, Ashraf Zoubi and Mohammad Zoubi a/k/a Mohammad Zebi should they decide to file a Motion to Dismiss based on whether the $5,000 loss was adequately pleaded.
At the other end of the spectrum, the courts in the Eastern District of Pennsylvania are extremely strict when it comes to calculating the loss. Last year I handled the defense of a CFAA case in the Eastern District of Pennsylvania (yes, “that” case) and thoroughly briefed two motions to dismiss that were heavily premised on the EDPA’s strict loss jurisprudence. (Motion to Dismiss and Motion to Dismiss Amended Complaint) I convinced the plaintiff to dismiss the claims against my client with prejudice before the plaintiff filed a response or the court ruled on the motions; however, I remain very confident that the positions asserted in the motions were consistent with the EDPA’s standards on this issue and would have been successful.
In many of the cases I see, the plaintiff clearly does not have a clue about the requirements of the $5,000 loss for CFAA claims and how to plead that loss, and the courts usually dismiss those claims early on. That is not the case here with Sprint and its lawyers. You can tell from their pleading that they know the standard they need to meet and they do a nice job of trying to put together enough of the required points to get there — do they get there? That’s a tough question that could be broken down into a few others:
Do they get there under the standards of the EDPA cases (and many New Jersey cases)?
Do they get there under the standards of most of the NDTX cases?
Do they get there under the standard of the NDTX Meats by Linz case?
And, perhaps most importantly, do they get there under a correct reading of Section 1030(g) — that is, my understanding of the section?
Let’s see what happens here.
What does this mean?
I have written extensively about the CFAA’s loss jurisprudence (here) and I find it to be one of the more challenging aspects of any civil CFAA claim as well as an important feature of the CFAA to keep it from being used in civil cases that do not justify “having a federal case made out of it.” What we now see with the multiple CFAA lawsuits that Sprint has filed are:
This is a great scenario to highlight the district court split on loss jurisprudence under the Computer Fraud and Abuse Act that just may help lead to some clarity and unity on this relatively unnoticed yet crucial issue.
Fortunately for us, defendants Liang Jin Shao, individually and d/b/a Leo’s Computer Repair and Liberty Laundromat, Zoubi Imports and Exports Inc., Mohammad Abdel Halawani, Ashraf Zoubi and Mohammad Zoubi a/k/a Mohammad Zebi, and of course plaintiff Sprint, will bear the expense of fleshing this issue out but we can sit back and learn from their experiences! And, in reading the complaints, I do need to add that I not only see significant issues on both sides with the loss issue, but with the access issue as well (hint: see my post about policies) — these will be fun cases to watch.
On January 13, 2014, the District Court in United States v. Nosal issued an Order Regarding the Calculation of Loss for Purposes of the Guidelines which, while aimed primarily at addressing the criminal sentencing guidelines, also provided some helpful principles for calculating a “loss” for purposes of 18 U.S.C. § 1030(g) of the Computer Fraud and Abuse Act (CFAA).
One of the things that makes this analysis of the loss issue so helpful is that it is being done after having so much activity in the case (including trial and appeal) on multiple issues and the record of the case is very well developed. Most of the loss cases out there are rulings on motions to dismiss or motions for summary judgment, both of which usually have a less developed record. In this case the court had already seen all of the evidence there was to see and, then looking backwards, was able to analyze whether the loss requirement had been satisfied.
Here are the principles the court looked to and provided in its analysis.
Principles from Case Law Broadly Construing the CFAA’s Definition of Loss
District courts have split on whether a victim’s internal investigations may be included within the definition of “loss” in § 1030(e)(11).
Where the offense involves unauthorized access and the use of protected information, discovering who has that information and what information he or she has is essential to remedying the harm.
The “cost of discovering the identity of the offender or the method by which the offender accessed the protected information” would be deemed to be “part of the loss for purposes of the CFAA.”
Costs associated with “identifying and ascertaining the extent” of defendant’s unauthorized access could satisfy the CFAA’s definition of loss.
It is not necessary for data to be physically changed or erased to constitute a loss or damage under the CFAA.
It is sufficient to show that there has been an impairment to the integrity of data, as when an intruder retrieves password information from a computer and the rightful computer owner must take corrective measures ‘to prevent the infiltration and gathering of confidential information.’ Costs associated with investigating intrusions into a computer network and taking subsequent remedial measures are losses within the meaning of the statute.
Principles from Case Law Narrowly Construing the CFAA’s Definition of Loss
Expending resources to analyze the system so as to discover how information was accessed is not considered.
The CFAA loss requirement was limited to “actual computer impairment” and where the plaintiff did not provide any evidence that its computer system was impaired or that its service was interrupted, it had failed to demonstrate a CFAA loss.
To state a claim based on loss, the loss must relate to the impairment or unavailability of data on a computer, and that loss does not include the cost of responding to a security breach.
Nosal Court’s Reasoning Adopting the Broad Construction of the CFAA’s Definition of Loss
Actual loss includes those costs incurred as part of an internal investigation reasonably necessary to respond to the offense, for example by identifying the perpetrator or the method by which the offender accessed the protected information.
The definition of loss includes, in part, costs reasonably necessary to resecure the data, program, system, or information from further damage.
The plain language of § 1030 includes in the definition of loss the cost of generally “responding to an offense.” In addition to this general statement, both provisions then expressly state that (1) conducting a damage assessment; (2) restoring data or a system to its prior condition; or (3) lost revenue resulting from any interruption of service all qualify as “loss.” If, as the cases which narrowly construe loss suggest, “loss” required some actual damage to a computer system or data, the phrase “responding to an offense” would be rendered superfluous by the more specific provisions.
In situations where the CFAA violation constitutes covert, unauthorized access into a computer system, taking corrective actions or otherwise “responding to an offense” will often be difficult (if not impossible) until the victim knows (1) who perpetrated the offense; (2) how the offense was perpetrated, and (3) the scope of any resulting damage or the degree to which the integrity of its data has been compromised. Individuals who access a computer without authorization and with an intent to defraud are unlikely to announce their presence, inform the victim what information they have accessed, and advise the victim on how it could protect itself in the future. Rather, an internal investigation will often be necessary to determine these critical facts. The very purpose of the “loss” enhancement to a Guideline offense level is that the reasonably foreseeable loss caused by an offender’s actions represents a proxy for that offender’s culpability.
Determining who breached the system security, and the manner and extent of the intrusion, is a reasonable and foreseeable step a victim is expected to take in response to a CFAA violation; it may well inform what remedial steps need be taken, steps which are clearly cognizable as losses under the CFAA.
Costs in resecuring data, program, system or information from further damage constitute loss under the CFAA.
There may be instances where a victim has the information necessary to take corrective action without the need of an extensive investigation.
Costs incurred for the purpose of building or supporting the victim’s civil case should not be considered “loss” for purposes of the Guidelines calculation.
In denying a motion to dismiss a civil Computer Fraud and Abuse Act claim, a district court found that a departing employee’s purported cover-up of nefarious activity by deleting e-mails from his “sent” and “deleted items” folders on Plaintiffs’ computer system was sufficient to allege damage pursuant to 18 U.S.C. § 1030(c)(4)(A)(i) which provision, however, does not address the issue of damage at all — but only loss. The case is Sysco Corp. v. Katz, et al., 2013 WL 5519411 (N.D. Ill. Oct. 3, 2013) and I find it troubling.
Damage v. Loss — what difference does it make?
A lot. The two terms are completely different and each has its own unique role within the statutory framework of the CFAA.
The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Capitol Audio Access, Inc. v. Umemoto (for CFAA, disclosure of info not “damage” and evading license not “loss”)
In Sysco Corp., Defendant Katz was employed by Plaintiff Sysco Corp. He began discussing an offer of employment with Defendant Reinhart Foodservice (Plaintiff’s competitor) in April 2013, accepted an offer of employment with Reinhart on May 8, 2013, but did not announce his resignation until July 1, 2013. Plaintiff alleges that during the interim period from April 2013 until July 1, 2013, Katz emailed confidential and proprietary trade secret information from his company email account to his wife’s personal email account. Further, the Complaint states:
Katz then deleted the SGR/SC confidential e-mail messages and attachments he had sent to his wife’s e-mail, by first deleting them from his “sent” box. Once he did this, those messages and attachments migrated to his “deleted items” folder. In an effort to permanently delete all of the messages, he then took the additional step of deleting the messages and attachments in the ‘deleted items’ folder, such that the record of Katz sending the e-mail messages and documents to his wife’s e-mail account all but vanished. Only because the Sysco Companies acted quickly, did they discover that Katz had intentionally attempted to delete e-mails containing confidential documents that he had sent to his wife. But because Plaintiff’s acted quickly, they were able to restore this information in Outlook and review the messages that Katz had sent to his wife’s email account, and the types of documents attached to those messages.
Complaint ¶ 40. Plaintiff alleges both access violations (Complaint ¶¶ 63, 65) and transmission violations (Complaint ¶ 66) of the CFAA. Plaintiff’s Complaint alleges that it sustained a $5,000 loss and properly references the costs for which such loss are typically acceptable: “Through their actions in violation of 18 U.S.C. § 1030 (a)(2), 18 U.S.C. § 1030(a)(4), 18 U.S.C. § 1030(a)(5)(A)-(C), Defendants have caused Plaintiffs to incur losses for responding to and investigating Defendants’ conduct and for conducting a forensic damages assessment, which continues. Such losses exceed $5,000.00 in a one-year period, in violation of 18 U.S.C. § 1030(g) and (c)(4)(A)(i)(I).” Complaint ¶67.
Defendants’ Motions to Dismiss
Defendant Reinhart filed a Motion to Dismiss and Katz filed a Motion to Dismiss which basically adopted Reinhart’s. Katz argued “Plaintiffs’ claim under the CFAA must fail because Plaintiffs have not alleged that they suffered either “loss” or “damage” as defined under the CFAA. Katz joins and incorporates by reference Reinhart’s arguments as if fully stated herein.” Id. at p. 7. Reinhart’s Motion seems to have adequately raised the issue of whether Plaintiff sufficiently alleged a loss which, as addressed ad nauseam in these posts, this article, and this article, is an absolute prerequisite jurisdictional threshold to moving forward on a civil CFAA claim. Motion to Dismiss p. 7-8.
The Court’s Focus on Damage — Ignoring the Jurisdictional Threshold Requirement of Loss
The court in this case seems to treat damage and loss as an either/or proposition — where finding one will suffice for the other: “To succeed on a CFAA claim brought under § 1030(a)(5)(B), a plaintiff must prove the damage or loss resulted in losses to one or more persons during any one-year period aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i). Technically, that may be correct; however, to prevail on a civil claim pursuant to that section, there must be a loss. Section 1030(c)(4)(A)(i) is the second level of what must be established to assert a civil claim for violating the CFAA. Here is how it works:
1. Section 1030(g) is what authorizes a civil claim for violations of the CFAA: “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator . . . . A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).”
2. Of the 5 factors listed in subsection (c)(4)(A)(i), only one applies to business cases (for all practical purposes) — the loss requirement — without which there can be no civil claim: “(1) loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value;”
Unless both steps 1 and 2 above are satisfied, there can be no civil claim for violating the CFAA in most business cases, including this one.
Loss and Damage Are Not Interchangeable — If There Is No Loss, There Is No Civil CFAA Claim
In its analysis, the Sysco Court completely blows past the loss requirement of 18 U.S.C. § 1030(c)(4)(A)(i)(1) and addresses only whether there is damage, which does not satisfy the jurisdictional threshold for bringing a civil CFAA claim: “Reinhart and Katz contend that Plaintiffs have not alleged damage or loss as those terms are used by the CFAA…. These allegations are sufficient to allege damage as to Katz, but not as to Reinhart.”
Perhaps the Sysco Court simply assumes, without stating, that the Complaint adequately pleaded the loss and it did not need to be addressed any further. However, the language used by the court suggests otherwise; it suggests that the court treated the loss and damage requirements as being interchangeable although the statutory language of section 1030(g) is very clear that they are not — “A civil action … may be brought only if” — is a pretty direct statement.
As to the allegations of loss in the Complaint, the Plaintiff did a better job than most do by invoking alleged costs in responding to the wrongful activity; however, given the facts of the case it is not certain that such facts are plausible and they may require further elaboration. Plaintiffs claim “losses for responding to and investigating Defendants’ conduct and for conducting a forensic damages assessment, which continues.” Complaint ¶67. However, the facts alleged are that Defendant Katz deleted email from the Outlook program on Plaintiff’s computer system, specifically from the “sent” and “deleted items” folders. Determining whether $5,000 in costs for restoring Outlook emails — most likely by in-house IT folks — is reasonable is also a requirement and should certainly be addressed whether in a Motion for Reconsideration or Motion for Summary Judgment.