Under the Computer Fraud and Abuse Act, “loss” and “damage” are not synonyms. The CFAA provides that “any person who suffers damage or loss” caused by a violation of its terms can sue for compensatory damages and or equitable relief. A natural assumption might be that the lawyers who drafted the statute didn’t intend “loss” to mean anything materially different than “damage” and that they just threw in an extra word or two for good measure as lawyers are wont to do. (Only a lawyer would write, “I hereby give, devise, and bequeath” instead of just “I give.”) In the case of the CFAA, however, “loss” and “damage” are not interchangeable; each has a distinct meaning. And suffering either one of them is sufficient to support a compensable claim. Let’s look at a recent real-world example.
Space Systems/Loral v. Orbital ATK was (and remains) a dispute in Virginia federal court between two companies specializing in the design and manufacturing of geostationary satellites, space systems, and robotics technology. In 2015, NASA solicited project proposals through an RFP entitled “Utilizing Public Private Partnerships to Advance Tipping Point Strategies.” NASA awarded Space Systems a contract for its “Dragonfly” project and Orbital a contract for its “CIRAS” project. NASA set up a server to facilitate the sharing of information with the various contractors, and gave both Space Systems and Orbital access to it. Some time later, NASA determined that one or more Orbital employees accessed at least four files on the shared server that contained Space Systems’ proprietary data.
Space Systems brought an action under the CFAA seeking damages for Orbital’s alleged unauthorized access to its data. It claimed that Orbital violated §§ 1030(a)(2)(B), (a)(2)(C), and (a)(5)(C). A cause of action under § 1030(a)(2)(B) requires a showing that the defendant (1) intentionally; (2) accessed a computer; (3) without authorization or exceeded its authorized access; and (4) obtained information from a department or agency of the United States; (5) which resulted in a loss to one or more persons during any one-year period aggregating at least $5,000 in value or damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security. Similarly, to state a cause of action under § 1030(a)(2)(C), the defendant must have: (1) intentionally; (2) accessed a computer; (3) without authorization or exceeded its authorized access; and (4) obtained information from any protected computer; (5) resulting in a loss to one or more persons during any one-year period aggregating at least $5,000 in value or damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security. Lastly, to state a violation of § 1030(a)(5)(C), a plaintiff must assert that a defendant: (1) intentionally (2) accessed a “protected computer” (3) without authorization, and, as a result of such conduct, (4) caused damage and loss (5) to one or more persons during any one-year period aggregating at least $5,000 in value.
Orbital moved to dismiss the case, arguing that (1) because NASA allowed it to access the server, Orbital did not access Space Systems’ data “without authorization,” and (2) Space Systems failed to sufficiently allege “damage” or “loss.”
With respect to the first argument, the court found it was clear that Orbital did not have authority to view or open Space Systems’ proprietary data, despite the fact it was granted some access to NASA’s server. Under binding Fourth Circuit precedent, the terms “without authorization” and “exceeds authorized access” apply when an individual “accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.” That is exactly what the Orbital employees were alleged to have done.
The court went on to analyze separately the questions of whether Space Systems had alleged “loss” and whether it had alleged “damage,” clarifying that either would be sufficient to state a claim under the CFAA.
Orbital argued that Space Systems failed to allege “loss” because it was NASA, not Space Systems, that experienced the security breach. Space Systems was not responsible for the server that was breached. But the CFAA, the court noted, contains no such restriction. Loss is defined as any “reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” (See 18 U.S.C. § 1030 (e)(11)). The reference to “any victim,” the court held, shows that the CFAA can apply to losses incurred by third parties. And prior cases have held that costs incurred as a part of the response to a CFAA violation, including the investigation of an offense, are compensable. Space Systems alleged that it had incurred well over $5000 is losses in the course of investigating and addressing the data breach, so the motion to dismiss was denied.
On the issue of whether Space Systems experienced “damage,” Orbital argued that damage occurs only when the integrity or availability of data is impaired, or when files are used, altered or removed from a server. The CFAA defines damage as “any impairment to the integrity or availability of data, a program, a system, or information.” (See 18 U.S.C. § 1030 (e)(8)). Orbital pointed out that some cases from jurisdictions outside of Virginia have held that claims relating solely to the loss of trade secrets, and claims alleging only that files had been accessed and copied, do not satisfy this test for “integrity impairment” and are therefore not covered by the CFAA. The court declined to weigh in on this particular argument in light of the fact Space Systems had properly alleged “loss.” Under §§ 1030(a)(2)(B) and 1030(a)(2)(C), a plaintiff need only show damage or loss; there is no requirement to plead both.