The Computer Fraud and Abuse Act is one of the important “anti-hacking” statutes. The CFAA generally prohibits unlawful access to a protected computer and require that the access be unauthorized or exceed authorized access. Although the CFAA is a criminal statute, it provides for civil (monetary) remedies.
The (CFAA) allows ”[a]ny person who suffers damage or loss” from a violation to bring a civil action against the violator. 18 U.S.C. § 1030(g). One of the possible theories for relief is a violation of § 1030(c)(4)(A)(i)(I), which requires, among other things, proof of “loss to 1 or more persons … aggregating at least $5,000 in value.”
The topic of which losses can be aggregated to meet the $5,000 threshold has been a subject of litigation. Recently, the U.S. District Court for the Northern District of Illinois addressed this issue. Specifically, the Court considered computer forensics expenses in the case of PolyOne v. Martin.
In the case, PolyOne Corporation developed a custom formula for a type of soft plastic for use in synthetic wine corks. It claimed that the formula is a trade secret and that defendants misappropriated the formula by using it to develop their own. PolyOne also claimed that defendants tortiously interfered with its contract with an employee and its prospective relations with customers, conspired with one of its former employees, and violated the Computer Fraud and Abuse Act. The Defendants brought counterclaims of commercial disparagement and violation of the Illinois Uniform Deceptive Trade Practices Act. The defendants moved for judgment on the pleadings and summary judgment on PolyOne’s claims and to exclude the testimony of two PolyOne expert witnesses. PolyOne moved for summary judgment on the counterclaims.
One of the challenges when prosecuting CFAA cases comes from the difficulty of aggregating the direct damages. You may be able to prove that the unauthorized access or hacking activity ocurred but the direct damages to the system may not add up to the threshold amount. That was the defense in this case.
The defendants argued that PolyOne had not shown that it suffered either damage or loss. “Loss” means “any reasonable cost to any victim,” including “the cost of responding to an offense” or “conducting a damage assessment.” § 1030(e)(11). I think that in this case, the Court got it mostly right.
The Court stated:
I agree with the majority view in this district that “a plaintiff can satisfy the CFAA’s definition of loss by alleging costs reasonably incurred in responding to an alleged CFAA offense, even if the alleged offense ultimately is found to have caused no damage as defined by the CFAA.” Farmers Ins. Exch. v. Auto Club Grp., 823 F.Supp.2d 847, 854 (N.D. Ill. 2011) (collecting cites). PolyOne hired and paid a computer forensics company to evaluate Kutka’s computer, [367] ¶ 17, but the parties dispute whether that was done only for litigation purposes or whether it was done to assess the potential damage caused by Kutka’s CFAA violation. Defendants say that PolyOne “readily acknowledges … that the investigation of [Kutka’s computer] was in connection with litigation only,” [366] at 10, but PolyOne clearly disputes that fact. See [339] at 15; [367] ¶ 17. So summary judgment is inappropriate, since the motivations behind PolyOne’s retention of the computer forensics company are in dispute.
The Court continued:
To be complete, I will note that PolyOne did not establish that it suffered damage. PolyOne’s CFAA claim is based on Kutka installing and then uninstalling a computer program, which it argues he did without authorization. Now, PolyOne argues that the act of uninstalling the program constitutes “damage” because it is an “impairment to the integrity or availability of … a program.” § 1030(e)(8). Removal of a program that PolyOne claims should not have been there in the first place qualifies was not damaging under the statute. There is no indication that the installation or deletion of the program harmed the computer system, or any of the data or information on it, in any way. But because PolyOne has established loss, it need not establish damage, and the CFAA claim survives.
The takeaway? Sometimes semantics do get in the way of the spirit of the law. In essence, if the computer forensics examination is done for the purpose of assessing the potential damaged caused by the CFAA violation, then it counts towards the $5,000 minimum threshold. At that point, the case moves forward and other damages, such as punitive and others can come in. On the other hand, if the computer forensics analysis was done only for litigation purposes, you may be out of luck. Get the terminology right and label things correctly,because surviving Summary Judgment may depend on it!