Damage under CFAA must involve some diminution of the system to be actionable

Garelli Wong & Assoc. v. Nichols, No. 07-6227, 2008 WL 161790 (N.D. Ill. January 16, 2008)

A recent decision from the U.S. District Court for the Northern District of Illinois presents a pretty typical fact pattern (employee leaves with sensitive data to work for a competitor), but also gives some useful guidance on the scope of the Computer Fraud and Abuse Act, 18 U.S.C. 1030 et seq. (CFAA).

Plaintiff Garelli Wong and Associates provides temporary placement for accounting professionals. When defendant Nichols worked for Garelli, he signed an NDA and learned a lot about the company’s clients, employees and strategy.

So when Garelli learned that Nichols allegedly copied a bunch of information before jumping ship, it sued. In addition to breach of contract, Garelli claimed Nichols violated the CFAA.

Nichols moved to dismiss the CFAA claim pursuant to Fed. R. Civ. P. 12(b)(6). The court granted the motion. It held that the CFAA requires a plaintiff to plead both damage and loss, and that Garelli failed to sufficiently plead either.

The CFAA defines “damage” as “impairment to the integrity or availability of data, a program, a system, or information.” Citing approvingly to the unpublished case of ResDev v. Lot Builders, 2005 WL 1924743 (M.D. Fla. August 10, 2005), which held that the word “integrity” required “some diminution in the completeness or useability of data or information on a computer system,” the court sided with Nichols. He had contended that CFAA liability does not arise merely by copying data. A violation of the CFAA requires more — some adverse effect on the system.

Garelli’s loss allegation essentially got Twomblied. The court found that Garelli’s allegations of loss — essentially a formulaic recitation of the CFAA’s $5,000 threshold language — did not provide the grounds of the entitlement to relief with more than labels and conclusions.