Another CFAA Circuit Split: Damages

There is a circuit split related to the CFAA regarding the scope of recovery. The
Second Circuit and some district courts in the Fifth, Sixth, Seventh and Eleventh Circuits
have held that a private cause of action can only be maintained if the company’s
computer system has suffered “an interruption in service.” This requirement is based on
the CFAA’s definitions of “damage” and “loss”, which do not include economic damages
and losses that are not tied to a service interruption. 18 U.S.C. § 1030(e). The limitation
poses a particular challenge in situations where a departing employee has copied
electronic data, since this kind of access usually does not result in an interruption in
service. See ReMedPar, Inc. v. AllParts Medical, LLC, No. 3:09-cv-00807 (M.D. Tenn.
Jan. 4, 2010). Other district courts, including some in the Third, Fourth and Eighth
Circuits, have taken a broader view of the damage and loss requirements of the CFAA,
choosing to allow claims to go forward in the absence of “an interruption in service.”
See, e.g., CoStar Realty Information, Inc. v. Field, 612 F. Supp. 2d 660 (D. Md. 2009).

There is a second long-term federal court split regarding CFAA - whether CFAA permits suits
for purely economic losses that are not accompanied by an interruption in service to the company
computer system. In Section 1030(g), CFAA provides that "[a]ny person who suffers damage or loss
by reason of a violation of this section may maintain a civil action against the violator to obtain
compensatory damages and injunctive relief or other equitable relief." 18 U.S.C. 1030(g). CFAA
defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or
information." Id. at § 1030(e)(8). CFAA defines "loss" as "any reasonable cost to any victim, including
the cost of responding to an offense, conducting a damage assessment, and restoring the data,
program, system, or information to its condition prior to the offense, and any revenue lost, cost
incurred, or other consequential damages incurred because of interruption of service." Id. at § 1030(e)
(11).
Courts finding that economic losses not accompanied by an interruption in service are not
actionable look at Section 1030(g) as specifying the types of harms for which CFAA provides a civil
remedy - namely, "damage" and "loss" as those terms are defined in CFAA. CFAA's definition of
damage doesn't mention economic losses and its definition of "loss" only includes "any revenue lost,
cost incurred, or other consequential damages incurred because of interruption of service." See
American Family Mutual Ins. Co. v. Rickman, 544 F.Supp.2d 766 (N.D. Ohio 2008); ES&H, Inc. v.
Allied Safety Consultants, Inc., 2009 WL 2996340 (E.D. Tenn. 2009). See Fn 1.
Court finding that such losses are actionable have provided a variety of justifications for this position.
The best argument I have seen is from a Louisiana District Court judge in Frees, Inc. v.
MaMillian, W.D. La., No. 5:05-cv-01979 (Aug. 6, 2007). The judge reasoned that Section 1030(g) only
provides a jurisdictional threshold that a civil litigant must jump over to obtain compensatory damages -
it must have incurred "damage" or "loss" as defined by CFAA. But once it has leaped this hurdle, a
litigant may recover any type of compensatory damages, including for economic losses. See Fn 2.
This split matters because many unauthorized uses of a computer that cause economic losses are not
accompanied by any interruption in computer service. These include the use of bots to scrape
customer, product or trade secret data, phishing attacks to obtain bank transfer authorization
credentials, use of authorized access by employees, contractors or business partners to steal trade
secrets, or use of computer by a licensee beyond the scope of the license.
For example, the Remedpar v. Allparts case involved a stereotypical "absconding employee" scenario,
in which several ex-Remedpar employees allegedly took trade secret information from its computer
system and gave it to a competitor. Remedpar, Inc. v. Allparts Medical, LLC, M.D. Tenn., No. 3:09-cv-
00807, Memorandum Opinion (January 4, 2010).
Remedpar sells after-market medical diagnostic imaging equipment and replacement parts. In 2006,
several Remedpar employees left to form a competing business, AllParts. Over the years, Remedpar
had created an extensive database of customer and product-related information which it called
"ROCS." Remedpar considered this system to be proprietary and worked to keep it secret, including by
having employees sign an express confidentiality policy statement.
In 2009, Remedpar learned that AllParts had been using an early version of ROCS since 2007.
Remedpar further learned that in July 2009, AllParts' version of ROCS had been updated to reflect the
same screen appearance and layout as Remedpar's current version of ROCS. Remedpar also learned
that one of its former employees, Thomas Comacho, had been in frequent contact with several
AllParts executives since January 2008. Comacho's responsibilities at Remedpar had included
maintenance, modification and enhancement of ROCS. Remedpar had given Comacho access to its
ROCS system for this work.
Remedpar sued Camacho and AllParts under CFAA alleging that they had accessed the ROCS
system and appropriated data from it without authorization. Remedpar alleged that these actions had
damaged its business interests by causing a reduction in its business volume as compared to previous
years -- a classic claim for lost profits.
However, Judge Wiseman rejected Remedpar's CFAA claims. Citing the line of cases which hold that
Section 1030(g) only permits a civil plaintiff to recover for damage and loss as those terms are defined
in CFAA, he stated that "Under the statute, lost revenue is only recoverable if it was incurred because
of an interruption in service." Here, "AllPart's use of the [ROCS] program did not impair [Remedpar's]
ability to use it" and "Comacho's copying or use of information did not actually damage [Remedpar's]
system or impair [Remedpar's] ability to use it." As a result Remedpar's claim for lost profits was not
actionable under CFAA.
Prospective litigants should take note that even if a federal court dismisses a CFAA claim on the
grounds cited by Judge Wiseman, this does not mean that the plaintiff has been left without a legal
remedy. In most cases, common law causes of action, such as interference with business relations,
trespass, conversion or fraud, cover the types of behavior targeted in CFAA. However, the plaintiff may
be required to bring these claims in state, rather than federal court - as was the result in Remedpar.

The other major issue that has split the courts is the threshold requirement for
determining damages under the CFAA. Specifically, is the act of misappropriation
sufficient, or must there also be misuse? Some courts have held that the misappropriation
of a trade secret, without more, constitutes “damages” under the CFAA. See Shurgard,
119 F. Supp. 2d at 1127 (holding that “damage” occurred where former employee e-
mailed trade secrets to plaintiff’s competitor, reasoning that the term is defined in a way
to focus on the harm the CFAA seeks to prevent, and does not define specific acts which
would constitute “damage”); see also HUB Group, Inc. v. Clancy, 2006 WL 208684
(E.D. Pa. 2006) (“damage” requirement met where employee downloaded employer’s
customer database to a thumb drive for use at a future employer); Four Seasons Hotel &
Resorts B.V. v. Consorcio Barr, S.A., 267 F. Supp. 2d 1268 (S.D. Fla. 2003) (awarding
$2,090,000 in compensatory damages based on the value of the trade secret information
misappropriated, and $28,000 in losses based on expenses plaintiff incurred in
investigating and remedying defendant’s unauthorized access). Other courts have held
that trade secret misappropriation in itself does not constitute “damage” under the CFAA.
See Garelli Wong & Assocs., Inc. v. Nichols, 551 F. Supp. 2d 704 (N.D. Ill. 2008)
(copying trade secret data alone does not constitute “damage” under the CFAA); Resdev,
LLC v. Lot Builders Ass’n, 2005 WL 1924743 (M.D. Fla. Aug. 10, 2005) (denying
recovery to plaintiffs based on the trade secret’s lost value, holding that the lost value of a
trade secret was not a cognizable loss under the CFAA because it was neither a “but-for”
result nor a “proximate consequence” of the damage related to the unauthorized access);
see also Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187
(M.D. Ga. Jan 7, 2009) (“loss” and “damage” do not include “lost revenue caused by the
misappropriation of proprietary information and intellectual property from an employer’s
computer”). Once again, the Fourth Circuit has not been called upon to address this issue.