Monday, July 11, 2011

Time Spent Investigating Intrusion Counts Towards $5000 CFAA Damages Threshold

ANIMATORS AT LAW, INC. v. CAPITAL LEGAL SOLUTIONS, LLC Dist Court EDVA May 10, 2011

PROCEDURE: Defendant Motion for Summary Judgment on Grounds Plaintiff Has Failed to Meet $5000 Damage Threshold Required by Computer Fraud and Abuse Act (CFAA)


RULE: "The CFAA prohibits, inter alia, any person from "intentionally accessing] a computer without authorization or exceeding] authorized access, and thereby obtaining]... information from any protected computer." 18 U.S.C. § 1030(a)(2). In addition to setting forth criminal penalties for violations, the statute provides that "[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator." § 1030(g). To maintain a civil action under the CFAA, however, a plaintiff must show that the alleged violation "caused ... loss ... aggregating at least $5,000 in value." 18 U.S.C. § 1030(c)(4)(A)(i).[11] The CFAA specifies that a qualifying "loss" under the statute
means any reasonable cost to any victim, including [i] the cost of responding to an offense, [ii] conducting a damage assessment, and [iii] restoring the data, program, system, or information to its condition prior to the offense, and [iv] any revenue lost, cost incurred, or other consequential damages incurred because of the interruption of service[.]"
ISSUE: What Losses Count Towards $5000 Threshold 

"The Fourth Circuit in A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009), considered the types of damages that may qualify as CFAA losses. There, the defendant operated a plagiarism detection service known as "Turnitin," where students submitted papers for their classes online to Turnitin, and papers were automatically compared with other papers to determine the likelihood of plagiarism. In a suit by students against the defendant for copyright infringement, the defendant counterclaimed that one of the plaintiff students violated the CFAA by submitting papers using another student's user name and password. Upon learning that this student had registered and submitted papers on behalf of another, the defendant became concerned that a technical glitch allowed the intrusion to occur and investigated the matter thoroughly, only to discovery that the plaintiff student had simply used another student's Turnitin user name and password found on the internet. Although the plaintiff student in issue conceded that his use was unauthorized for CFAA purposes, inasmuch as the conduct violated the Turnitin terms of service, he argued that the defendant's time spent investigating the incident did not qualify as a CFAA loss. The district court agreed, dismissing the counterclaim, but the Fourth Circuit reversed, holding that that the definition of"loss" under the CFAA was "broadly worded" and "plainly contemplates ... costs incurred as part of the response to a CFAA violation, including the investigation of an offense." Id. at 645-46. In remanding, the court "expressed] no opinion as to whether... the alleged consequential damages were reasonable, sufficiently proven, or directly causally linked to [the] alleged CFFA violation." Id. at 646.


After iParadigms, the district court in Yessin, 686 F. Supp. 2d 642, further elaborated on the requirements for qualified CFAA losses. The plaintiff in Yessin sought three types of damages for defendant's unauthorized access of plaintiffs email accounts and website: (i) expenses for establishing new email addresses and a new website, (ii) lost "billable time" spent investigating and responding to the offense rather than conducting business, and (iii) lost revenue from failing to win a business opportunity. Id. at 648. Yessin held that "lost revenue damages may qualify as losses under the CFAA when they result from time spent responding to an offense," but further lost revenue or consequential damages—such as the losses associated with a missed business opportunity—are only recoverable if they were "incurred because of interruption of service." Id. at 654 (citing § 1030(e)(11);iParadigms,562 F.3d at 646Nexans Wires S.A. v. Sark-USA, Inc., 166F. App'x 559, 562(2d Cir. 2006) ("[T]he plain language of the statute treats lost revenue as a different concept from incurred costs, and permits recovery of the former only where connected to an `interruption in service.'")). Thus, Yessin held that only the first two types of losses identified by the plaintiff in that case—namely (i) expenses for the new email addresses and website, and (ii) the time spent responding to the offense—were eligible to be considered as losses for CFAA purposes."

ANALYSIS:  "Here, unlike in Yessin, the costs reported by Animators create a triable issue of fact as to well over $5,000 in qualified CFAA losses. Just as in iParadigms, where the CFAA claimant believed that its system had been compromised and went to great lengths to investigate the intrusion, so, too, did Animators come to suspect that its confidential information had been accessed without authorization by former employees and accordingly, took action to investigate and respond to the incident.[14] To determine whether unauthorized access infact occurred and the extent of such access, Animators had the laptop analyzed by IDS. Although defendants contend that such an extensive analysis was neither reasonably foreseeable nor necessary, a reasonable jury might well disagree and conclude otherwise. "

HOLDING:  Motion for Summary Judgment Dismissed
Post a Comment