§ 7.06 Civil Liability Under the CFAA

• Jurisdiction: United States
• Publication year: 2020

§ 7.06 Civil Liability Under the CFAA

[1] Introduction

The CFAA lists thirteen categories of offense that constitute a violation, and includes a conspiracy clause.³⁹⁰ Although the CFAA is primarily a criminal statute, and was enacted to address the "then-novel problem of [computer] hacking,"³⁹¹ it has since been amended to permit a civil cause of action.³⁹² Indeed, civil claims under the CFAA may also be subject to arbitration.³⁹³ Further, while many of the civil cases involve "classic" hacking activities, courts have held that the civil reach of the CFAA includes instances where a user violates the terms of use of a website by, for example, using a scraper program to harvest data from the website.³⁹⁴ However, the Ninth Circuit has found that since the CFAA enacted "primarily to address the growing problem of computer hacking," it has favored an interpretation of the statute that "maintains the CFAA's focus on hacking rather than turning it into a sweeping Internet-policing mandate."³⁹⁵

Moreover, the Supreme Court has held that where a statute "has both criminal and noncriminal applications," courts should interpret the statute consistently in both criminal and noncriminal contexts.³⁹⁶ It is well established that "ambiguity concerning the ambit of criminal statutes should be resolved in favor of lenity."³⁹⁷ The Supreme Court has also long warned against interpreting criminal statutes in surprising and novel ways that impose unexpected burdens on defendants.³⁹⁸ "This venerable rule . . . vindicates the fundamental principle that no citizen should be held accountable for a violation of a statute whose commands are uncertain, or subjected to punishment that is not clearly prescribed."³⁹⁹ Therefore, "[t]he rule of lenity, which is rooted in considerations of notice, requires courts to limit the reach of criminal statutes to the clear import of their text and construe any ambiguity against the government."⁴⁰⁰

[2] 18 U.S.C. § 1030(g)

The requirements for a civil violation are set forth in § 1030(g):

"[a]ny person who suffers damage or loss by reasons of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief⁴⁰¹ or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(a)(I). Damages for a violation involving only conduct described in subsection(c)(4)(a)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.⁴⁰² No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware."⁴⁰³

Thus, section 1030(g) requires:⁴⁰⁴ (1) establishing the elements of the particular substantive criminal offense under subsection 1030(a);⁴⁰⁵ (2) establishing that the plaintiff suffered "damage or loss" as a result of such a violation; and (3) establishing one of the five types of conduct specified under subsection (c)(4)(A)(I)-(V)⁴⁰⁶ of the United States Code.⁴⁰⁷

Specifically, § 1030(c)(4)(A)(i) provides that an offense would have caused:

"(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety."

Thus, "although proof of at least one of five additional factors is necessary to maintain a civil action,² a violation of any of the statute's provisions exposes the offender to both civil and criminal liability."⁴⁰⁸

The interpretation of Section 1030 that has created some substantial disagreement as to whether it is necessary for a plaintiff to plead both damage and loss in order to properly allege a civil CFAA claim. Prior to the enactment of the Identity Theft Enforcement and Restitution Act,⁴⁰⁹ which amended § 1030(g), the Third, Fifth, Sixth and Ninth Circuits had determined that to state a claim under section 1030(g) for a violation of Sections 1030(a)(2) or (a)(4), a plaintiff was required to allege loss or damage, not both.⁴¹⁰ Other courts reached the opposite conclusion.⁴¹¹ With the enactment of the Identity Theft Enforcement and Restitution Act in 2008, it is clear that whether a plaintiff must establish "damage or loss," or both, depends, in part, on the particular subsection that is alleged to have been violated. Section 1030(g) provides that "[a] ny person who suffers damage or loss by reasons of a violation of this section may maintain a civil action . . ."⁴¹² so long as the conduct involves "1 of the factors set forth in subclasses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i)" (emphasis added). In turn, factor (I), which is the most commonly used subclass, requires the action relate to "loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value."⁴¹³ Damages under this subsection are limited to economic damages and do not include compensatory damages.⁴¹⁴ This means that where a plaintiff is proceeding under Sections 1030(a)(2) and 1030(a)(4), which do not require "damage" or "loss," the plaintiff states a cause of action under 18 U.S.C. § 1030(c)(4)(A)(i)(I) where the "loss" exceeds $5,000.

In other words, it is not enough for plaintiff to simply allege damage, but must allege the following that the defendant: "(1) accessed a 'protected computer,' (2) without authorization or exceeding such authorization that was granted, (3) 'knowingly' and with 'intent to defraud,' and thereby (4) 'further[ed] the intended fraud and obtain[ed] anything of value,' causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value."⁴¹⁵ By contrast, Sections 1030(a)(5)(A) and (a)(5)(B) require that the defendant causes damage, and, thus, a plaintiff must establish the defendant caused damage and loss if the plaintiff is proceeding under Section 1030(c)(4)(A)(i)(I). Only Section 1030(a)(5)(C) requires that the defendant caused "damage and loss."⁴¹⁶ While Section 1030(c)(4)(A)(i)(I) is the most commonly alleged subsection, Section 1030(c)(4)(A)(i)(VI) does provide civil jurisdiction where the action involves "damage affecting 10 or more protected computers during any 1-year period. . . ."

An employer "can be vicariously liable for an employee's violations of the CFAA if those transgressions occur in the scope of employment or the employer directs the employee's conduct."⁴¹⁷

[3] Elements

[a] Damage (18 U.S.C. § 1030(e)(8))

The CFAA defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information."⁴¹⁸ For a detailed analysis and summary of "damage" under the CFAA, see section 7.07[6], infra.

[b] Loss (18 U.S.C. § 1030(e)(11))

The CFAA "loss" as "Loss" is defined as: "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service."⁴¹⁹ In general, nearly all courts have agreed that there are two categories of statutory "loss:" (1) expenses incurred while responding to or investigating a violation, and (2) costs incurred, or revenue lost, because of a service dis-ruption.⁴²⁰ Further, nearly all courts have held that it is only the second type of loss that requires a plaintiff to prove its losses resulted from an interruption of service, while the first type of loss may be proven independent of interruption of service.⁴²¹ Moreover, the only circuit courts to address the issue have held that not every loss need be tethered to an interruption of service. No circuit court has held otherwise. The Fourth, Sixth, and Eleventh Circuits conclude that the plain language of the statutory definition includes two separate categories of loss because the loss provision is "written in the disjunctive." As interpreted by these courts, there are two categories of loss. The first type of loss—direct costs of responding to a violation—is recoverable "irrespective of whether there was an interruption of service."⁴²² The second type of loss—consequential damages—is recoverable only if resulting from an interruption of service.

[c] $5,000 Jurisdiction Requirement

The plaintiff is also required to establish that the loss exceeded $5,000.⁴²³ The Senate Report explicltly states that "if the loss to the victim meets the required monetary threshold," the victim is entitled to relief under the CFAA.⁴²⁴ In Turner v. Hubbard Systems, Inc., the Fifth Circuit made clear that the $5,000 is statutory requirement and not an affirmative defense.⁴²⁵ At least one appellate court has held that losses attributable to more than one unauthorized computer intrusion may be aggregated to meet the $5,000 jurisdictional minimum which makes it even easier for a plaintiff to establish the requisite damage or loss amount.⁴²⁶ Another court has held that plaintiffs aggregate individual losses caused by the installation of "cookies" to a number of computers to meet the $5,000 requirement.⁴²⁷ However, a number of courts have held that "putative class members' damages may not be aggregated to reach $5,000 because...