1st Rate Mortg. Corp. v. Vision Mortgage Services Corp., 2011 WL 666088 (E.D.Wis. Feb. 14, 2011)
The Computer Fraud and Abuse Act (CFAA) is a popular weapon that employers use against former employees who steal information on the job. But since the employees just use their own credentials to get information off the server, no real security breach occurs in those inside jobs.
So you might tend to agree that the employer overreacts when, after discovering the nefarious acts of its employees, it conducts a thorough and expensive security analysis of its whole system. Just delete the offending employees’ accounts and move on, right?
And this overreaction shouldn’t give the employer something to sue over that it would not have had if it reacted reasonably to the threat, don’t you think? After all, plaintiffs have a duty to mitigate their damages.
The defendants (former employees accused of stealing information) in a recent federal case in Wisconsin argued along these lines in their summary judgment brief. But the court did not buy it at the summary judgment stage – whether a CFAA plaintiff’s reaction to alleged theft is “reasonable” should be answered by the jury.
The CFAA allows a plaintiff to recover its “loss.” And courts have interpreted the term “loss” to include the cost of responding to a security breach. But the statute says that loss includes the “reasonable cost to any victim.”
In this case, defendants argued that the employer’s overreaction in doing a system-wide analysis caused the employer to incur an unreasonable (and therefore uncompensable) cost. The court held, however, that “[w]hat matters is whether the employer’s reaction was reasonable, not whether it was strictly necessary to continuing in business.” A jury may well conclude the reaction and its related costs were appropriate.