§ 7.06 Civil Liability Under the CFAA

Jurisdiction: United States
Publication year: 2020

[1] Introduction

The CFAA lists thirteen categories of offense that constitute a violation, and includes a conspiracy clause.390 Although the CFAA is primarily a criminal statute, and was enacted to address the "then-novel problem of [computer] hacking,"391 it has since been amended to permit a civil cause of action.392 Indeed, civil claims under the CFAA may also be subject to arbitration.393 Further, while many of the civil cases involve "classic" hacking activities, courts have held that the civil reach of the CFAA includes instances where a user violates the terms of use of a website by, for example, using a scraper program to harvest data from the website.394 However, the Ninth Circuit has found that since the CFAA was enacted "primarily to address the growing problem of computer hacking," it has favored an interpretation of the statute that "maintains the CFAA's focus on hacking rather than turning it into a sweeping Internet-policing mandate."395

Moreover, the Supreme Court has held that where a statute "has both criminal and noncriminal applications," courts should interpret the statute consistently in both criminal and noncriminal contexts.396 It is well established that "ambiguity concerning the ambit of criminal statutes should be resolved in favor of lenity."397 The Supreme Court has also long warned against interpreting criminal statutes in surprising and novel ways that impose unexpected burdens on defendants.398 "This venerable rule . . . vindicates the fundamental principle that no citizen should be held accountable for a violation of a statute whose commands are uncertain, or subjected to punishment that is not clearly prescribed."399 Therefore, "[t]he rule of lenity, which is rooted in considerations of notice, requires courts to limit the reach of criminal statutes to the clear import of their text and construe any ambiguity against the government."400

[2] 18 U.S.C. § 1030(g)

The requirements for a civil violation are set forth in § 1030(g):

"[a]ny person who suffers damage or loss by reasons of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief401 or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(a)(I). Damages for a violation involving only conduct described in subsection (c)(4)(a)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.402 No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware."403

Thus, section 1030(g) requires:404 (1) establishing the elements of the particular substantive criminal offense under subsection 1030(a);405 (2) establishing that the plaintiff suffered "damage or loss" as a result of such a violation; and (3) establishing one of the five types of conduct specified under subsection (c)(4)(A)(I)-(V)406 of the United States Code.407

Specifically, § 1030(c)(4)(A)(i) provides that an offense would have caused:

"(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety."

Thus, "although proof of at least one of five additional factors is necessary to maintain a civil action, a violation of any of the statute's provisions exposes the offender to both civil and criminal liability."408

The interpretation of Section 1030 has created substantial disagreement as to whether it is necessary for a plaintiff to plead both damage and loss in order to properly allege a civil CFAA claim. Prior to the enactment of the Identity Theft Enforcement and Restitution Act,409 which amended § 1030(g), the Third, Fifth, Sixth and Ninth Circuits had determined that to state a claim under section 1030(g) for a violation of Sections 1030(a)(2) or (a)(4), a plaintiff was required to allege loss or damage, not both.410 Other courts reached the opposite conclusion.411 With the enactment of the Identity Theft Enforcement and Restitution Act in 2008, it is clear that whether a plaintiff must establish "damage or loss," or both, depends, in part, on the particular subsection that is alleged to have been violated. Section 1030(g) provides that "[a]ny person who suffers damage or loss by reasons of a violation of this section may maintain a civil action . . ."412 so long as the conduct involves "1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i)" (emphasis added). In turn, factor (I), which is the most commonly used subclause, requires the action relate to "loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value."413 Damages under this subsection are limited to economic damages and do not include compensatory damages.414 This means that where a plaintiff is proceeding under Sections 1030(a)(2) and 1030(a)(4), which do not require "damage" or "loss," the plaintiff states a cause of action under 18 U.S.C. § 1030(c)(4)(A)(i)(I) where the "loss" exceeds $5,000.

In other words, it is not enough for a plaintiff simply to allege damage; the plaintiff must allege that the defendant: "(1) accessed a 'protected computer,' (2) without authorization or exceeding such authorization that was granted, (3) 'knowingly' and with 'intent to defraud,' and thereby (4) 'further[ed] the intended fraud and obtain[ed] anything of value,' causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value."415 By contrast, Sections 1030(a)(5)(A) and (a)(5)(B) require that the defendant causes damage, and, thus, a plaintiff must establish the defendant caused damage and loss if the plaintiff is proceeding under Section 1030(c)(4)(A)(i)(I). Only Section 1030(a)(5)(C) requires that the defendant caused "damage and loss."416 While Section 1030(c)(4)(A)(i)(I) is the most commonly alleged subsection, Section 1030(c)(4)(A)(i)(VI) does provide civil jurisdiction where the action involves "damage affecting 10 or more protected computers during any 1-year period. . . ."

An employer "can be vicariously liable for an employee's violations of the CFAA if those transgressions occur in the scope of employment or the employer directs the employee's conduct."417

[3] Elements

[a] Damage (18 U.S.C. § 1030(e)(8))

The CFAA defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information."418 For a detailed analysis and summary of "damage" under the CFAA, see section 7.07[6], infra.

[b] Loss (18 U.S.C. § 1030(e)(11))

The CFAA defines "loss" as: "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service."419 In general, nearly all courts have agreed that there are two categories of statutory "loss:" (1) expenses incurred while responding to or investigating a violation, and (2) costs incurred, or revenue lost, because of a service disruption.420 Further, nearly all courts have held that it is only the second type of loss that requires a plaintiff to prove its losses resulted from an interruption of service, while the first type of loss may be proven independent of interruption of service.421 Moreover, the only circuit courts to address the issue have held that not every loss need be tethered to an interruption of service. No circuit court has held otherwise. The Fourth, Sixth, and Eleventh Circuits conclude that the plain language of the statutory definition includes two separate categories of loss because the loss provision is "written in the disjunctive." As interpreted by these courts, there are two categories of loss. The first type of loss—direct costs of responding to a violation—is recoverable "irrespective of whether there was an interruption of service."422 The second type of loss—consequential damages—is recoverable only if resulting from an interruption of service.

[c] $5,000 Jurisdiction Requirement

The plaintiff is also required to establish that the loss exceeded $5,000.423 The Senate Report explicitly states that "if the loss to the victim meets the required monetary threshold," the victim is entitled to relief under the CFAA.424 In Turner v. Hubbard Systems, Inc., the Fifth Circuit made clear that the $5,000 is a statutory requirement and not an affirmative defense.425 At least one appellate court has held that losses attributable to more than one unauthorized computer intrusion may be aggregated to meet the $5,000 jurisdictional minimum, which makes it even easier for a plaintiff to establish the requisite damage or loss amount.426 Another court has held that plaintiffs aggregate individual losses caused by the installation of "cookies" to a number of computers to meet the $5,000 requirement.427 However, a number of courts have held that "putative class members' damages may not be aggregated to reach $5,000 because...
