Asserting Damages for Data Piracy Under the CFAA

Data often is the lifeblood of a business. When a database is breached in one way or another, the results can be devastating—especially if the data falls into the hands of a competitor.

Many companies suffering this kind of loss turn to litigation. Perhaps in an effort to obtain federal court jurisdiction, they may assert claims under the Computer Fraud and Abuse Act (the CFAA), 18 U.S.C. §1030, which prohibits improperly accessing a protected computer. There is, however, a growing consensus in the U.S. Court of Appeals for the Second Circuit that recovery of certain forms of damages under the CFAA simply is not permitted—making it difficult to bring causes of action under the CFAA that are able to withstand motions to dismiss.

The CFAA

As Judge Shirley Werner Kornreich of the Supreme Court, New York County, discussed last month in Spec Simple v. Designer Pages Online, 2017 N.Y. Slip Op. 27159 (Sup. Ct. N.Y. Co. May 10, 2017), “[t]he CFAA criminalizes, inter alia, ‘intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] … information from any protected computer,’ 18 U.S.C. §1030(a)(2)(c), and ‘intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss,’ id. §1030(a)(5)(c).” In other words, the CFAA “provides two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.” The CFAA also provides a civil cause of action to “[a]ny person who suffers damage or loss by reason of a violation of this section.” Id. citing Sewell v. Bernardin, 795 F.3d 337, 340 (2d Cir. 2015), quoting §1030(g).

The CFAA defines loss in §1030(e)(11) to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” The term “damage” is defined in §1030(e)(8) as “any impairment to the integrity or availability of data, a program, a system, or information.”

Generally speaking, to state a claim under the CFAA, a plaintiff also must show a “loss” aggregating at least $5,000 in value during any one-year period to one or more individuals. Section 1030(e)(8)(A). As can be expected from a statute designed to address quickly evolving technology challenges, there are many disagreements as to which damages and losses are cognizable under the CFAA and thereby go toward the aggregate requirement.

Unfair Competition Damages

Consider the decision in Spec Simple, referred to above.

The plaintiff in the case operated an Internet-accessible website and password-protected databases for use by subscribers from the architectural, interior design, engineering, facility management, and furniture professions who paid monthly usage and maintenance fees. As a condition of using the secured portions of the plaintiff’s website, its databases, or services, every subscriber’s individual employee users were given unique passwords and instructed not to share the password or give unauthorized parties access to the plaintiff’s site.

The plaintiff alleged that an architectural firm, while it was one of the plaintiff’s clients, illicitly provided the plaintiff’s proprietary information to a company that competed with the plaintiff to facilitate unfair competition. The proprietary information had been contained in the secured database that only could be accessed with the user’s unique password, the plaintiff alleged. The plaintiff alleged that the competitor downloaded large portions of the plaintiff’s proprietary information for its own benefit and used it to “lure away” its clients.

The plaintiff sued the architectural firm and the competitor, asserting a number of causes of action, including under the CFAA. With respect to its CFAA claim, the plaintiff argued that the defendants’ actions had caused unfair competition losses due to the competitor’s “poaching customers after upgrading its product with the benefit of plaintiff’s misappropriated trade secrets.”

The court found that those alleged losses were not recoverable under the CFAA as a matter of law.

In its decision, the court explained that a plaintiff cannot recover “lost revenue” under the CFAA unless that lost revenue derived from an “interruption of service.” Put differently, the court said, the damages recoverable on a CFAA claim—absent an allegation of interruption of service, which the plaintiff in this case had not alleged—were limited to recovery for harm to the computer system that had been accessed without authorization.

Damages for unfair competition injuries, such as those pleaded by the plaintiff, were “not recoverable under the CFAA,” the court ruled. A plaintiff could not recover revenue lost as a result of defendants’ ability to unfairly compete for business due to misappropriated proprietary information, it concluded.

Retail Losses, Response Costs

The decision last year by the U.S. District Court for the Southern District of New York in Reis v. Lennar, No. 15 Civ. 7905 (GBD) (S.D.N.Y. July 5, 2016), also is instructive on the issue of damages under the CFAA.

In this case, the plaintiffs said that they had compiled a proprietary database and that they sold this data to real estate professionals in the form of subscription plans or individual reports that quantified and assessed the risks of default and loss associated with mortgages, properties, portfolios, and real-estate-backed-securities. The plaintiffs alleged that they protected their database with a firewall that required secure passwords tailored to the level of access a subscriber had purchased. A subscriber’s employees received their own login credentials—a unique username and password—to access the database.

The plaintiffs alleged data piracy by the defendants stemming from an alleged unauthorized use of the plaintiffs’ proprietary database by defendants’ employee to download approximately $1.6 million worth of real estate market analysis reports. The plaintiffs contended that the employee had used database credentials issued by his previous employer to log in and download reports for the benefit of the defendants’ business.

The losses the plaintiffs alleged were the lost retail value of the reports and losses related to the development of proprietary investigatory software and its deployment to identify database piracy.

The defendants’ moved to dismiss the plaintiffs’ complaint. They argued, among other things, that the plaintiffs had not adequately alleged loss cognizable under the CFAA.

The district court agreed with the defendants and granted their motion to dismiss the plaintiffs’ claims under the CFAA and also for secondary federal copyright infringement. The district court then declined to exercise supplemental jurisdiction over the plaintiffs’ remaining state law claims.

In its decision, the district court found that the first type of loss alleged by the plaintiffs—their “lost retail value” of about $1.6 million from downloaded reports—was “not a loss covered by the CFAA.”

As the district court explained, “loss” for purposes of the CFAA was “interpreted narrowly” and included “only costs actually related to computers.” It did not apply to injury arising from “misappropriated information,” but only for damage to a computing system.

Similarly, the district court rejected the plaintiffs’ contention that their damages included the cost to create software to investigate unauthorized access to the database. The district court explained that although the CFAA defined loss as “[a]ny reasonable cost” such as the “cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense,” the plaintiffs’ allegations that they had engaged in “an investigation into the intrusion and a damages assessment” were inadequate for two reasons.

First, the district court said, the plaintiffs failed to allege that they sought to “restor[e] the data, program, system or information to its condition prior to the offense[,]” as required in the Second Circuit. See, e.g., Fink v. Time Warner Cable, 810 F. Supp. 2d 633, 641 (S.D.N.Y. 2011). The district court noted that the plaintiffs had merely alleged that the purpose of the investigations was to “identify piracy” by “identify[ing] suspicious patterns of usage” and “determin[ing] whether the usage [was] licensed or not.” The district court said that although physical damage to a computer was not necessary to allege damage or loss, the plaintiffs had not alleged that the investigation had been for the purpose of looking into any damage to data, programs, or server system, other than the “conclusory statement” that they had “expend[ed] time, money, and resources (aggregating at least $5,000 in value) to conduct an investigation into the intrusion and a damages assessment.”

Second, the district court continued, the case law in the Second Circuit required a cost constituting a loss to be directed in some way “at the effects of the prior intrusion, not at those of some potential future offense.” See, e.g., Int’l Chauffeured Serv. v. Fast Operating, No. 11 Civ. 2662 (S.D.N.Y. April 16, 2012) (citing Univ. Sports Publ’ns Co. v. Playmakers Media Co., 725 F. Supp. 2d 378, 388 (S.D.N.Y. 2010) (internal citation omitted)). The district court pointed out that the plaintiffs alleged that the “proprietary investigatory software” had been developed before the allegedly unauthorized usage that formed the basis of their complaint against the defendants. The CFAA permitted recovery only for expenses incurred “to identify and address damage caused by the security breach that had already taken place,” not prophylactic costs, the district court concluded.

Permitted Damages

Another recent decision by the Southern District, in Obeid v. La Mack, No. 14CV6498-LTS-MHD (S.D.N.Y. March 31, 2017), although not involving a database, illustrates specific kinds of damages that may be claimed under the CFAA.

The defendants in this case asserted counterclaims against the plaintiff, including for violation of the CFAA. They contended, among other things, that the plaintiff had used spyware to download privileged-and-confidential password-protected email correspondence between individual defendants and their counsel that the plaintiff did not have authorization to access for any purpose.

The plaintiff moved to dismiss, arguing that the individual defendants had not alleged any compensable injury within the scope of the CFAA. The district court disagreed.

The district court pointed out that the individual defendants had alleged that they had incurred costs to re-secure servers and “otherwise repair the damage” that the plaintiff allegedly had caused. The district court then ruled that because the costs allegedly borne by the individual defendants were associated with “responding to the unauthorized access to the computers,” the defendants’ counterclaims pleaded damages sufficient to withstand a motion to dismiss.

Conclusion

The CFAA can be an important tool to remedy damages resulting from the unauthorized access of a company’s database or other proprietary online information. The trend to use it to recover in a multitude of scenarios that perhaps were not envisioned by its drafters makes it an awkward if not unusable tool, under certain factual circumstances. The recent cases demonstrate the importance when relying on the CFAA to consider not just whether the acts of liability fit the statute’s purpose, but also whether the claimant’s damages or losses can meet CFAA requirements. Luckily, the CFAA is not the only tool in the litigator’s tool belt and other federal and state causes of action should be considered.

Reprinted with permission from the June 20, 2017 issue of the New York Law Journal. © ALM Media Properties, LLC.  Further duplication without permission is prohibited.  All rights reserved.