Too often, disgruntled departing employees will abuse their employer’s computer system on their way out, snooping into coworkers’ email accounts, erasing important files, downloading trade secrets or other confidential commercial information, or intentionally infecting computers with viruses. In recent years, the Computer Fraud and Abuse Act (CFAA) has become an important weapon in an employer’s arsenal for combating such computer crimes. Civil remedies are available under the CFAA for damage to any “protected computer,” which includes any “computer used in interstate or foreign commerce or communication.” However, a Virginia court recently clarified that the CFAA will not provide a remedy absent an actual “loss” as defined by the statute.
In Global Policy Partners, LLC, v. Yessin, a plaintiff brought claims against her husband and business partner under the CFAA and the Stored Communications Act (SCA), claiming that he had accessed her work email account in order to review her confidential communications with her divorce lawyer. The court rejected the husband’s initial attempts to dismiss the case on the ground that his access to his wife’s email was authorized in that he was a co-manager of the couple’s business. The court reasoned that because there was no legitimate business reason for the snooping, the access was unauthorized. At the summary judgment stage, however, the court granted summary judgment in his favor because the wife did not introduce sufficient evidence to show she had incurred a $5,000 “loss.”
To prevail on a claim brought under the CFAA, a plaintiff must demonstrate that the alleged violation “caused … loss … aggregating at least $5,000 in value.” 18 U.S.C. Section 1030(c)(4)(A)(i). The CFAA specifically defines four categories of potential loss: “[i] the cost of responding to an offense, [ii] [costs of] conducting a damage assessment, and [iii] [costs of] restoring the data, program, system, or information to its condition prior to the offense, and [iv] any revenue lost, cost incurred, or other consequential damages incurred because of the interruption of service.” 18 U.S.C. § 1030(e)(11). According to the Fourth Circuit Court of Appeals, this list “plainly contemplates … costs incurred as part of the response to a CFAA violation, including the investigation of an offense.” A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009).
Just because an unauthorized person reads an e-mail, however, does not necessarily mean that he is liable under the CFAA. In order to recover damages under the CFAA, a plaintiff must establish three main facts: (1) A violation of the plaintiff’s computer system; (2) costs incurred by the plaintiff due to the violation, and (3) those costs must aggregate to $5,000 or more. 18 U.S.C. § 1030. The court indicated that it would view critically a plaintiff’s post hoc claims that a violation “caused” costs to be incurred simply because money was spent subsequent to the violations. Furthermore, 18 U.S.C. § 1030(e)(11) only compensates for “reasonable” costs, so a plaintiff must establish, not only that the defendant’s violation caused the plaintiff to suffer costs but that those costs were a reasonably foreseeable result of the violation. The court held that even if a defendant breaks into a plaintiff’s computer system and reads email without authority, that would not give the plaintiff a blank check to perform system updates that were not reasonably necessary to restore and re-secure the system.
If a victim of computer fraud can establish a loss, however, the CFAA offers a potentially powerful deterrent in the form of a federal cause of action.