What is a reasonable cost that should count as loss under the Computer Fraud and Abuse Act?

1st Rate Mortg. Corp. v. Vision Mortgage Services Corp., 2011 WL 666088 (E.D.Wis. Feb. 14, 2011)

The Computer Fraud and Abuse Act (CFAA) is a popular weapon that employers use against former employees who steal information on the job. But since the employees just use their credentials to get information off the server, there really is no security breach that occurs in those inside jobs.

So you might tend to agree that the employer overreacts when, after discovering the nefarious acts of its employees, it conducts a thorough and expensive security analysis of its whole system. Just delete the offending employees’ accounts and move on, right?

And this overreaction shouldn’t give the employer something to sue over that it would not have had if it reacted reasonably to the threat, don’t you think? After all, plaintiffs have a duty to mitigate their damages.

The defendants (accused former employee information thieves) in a recent federal case in Wisconsin argued along these lines in their summary judgment brief. But the court did not buy it at the summary judgment stage – whether a CFAA plaintiff’s reaction to alleged theft is “reasonable” should be answered by the jury.

The CFAA allows a plaintiff to recover its “loss.” And courts have interpreted the term “loss” to include the cost of responding to a security breach. But the statute says that loss includes the “reasonable cost to any victim.”

In this case, defendants argued that the employer’s overreaction in doing a system-wide analysis caused the employer to incur an unreasonable (and therefore uncompensable) cost. The court held, however, that “[w]hat matters is whether the employer’s reaction was reasonable, not whether it was strictly necessary to continuing in business.” A jury may well conclude the reaction and its related costs were appropriate.

3 thoughts on “What is a reasonable cost that should count as loss under the Computer Fraud and Abuse Act?

  1. Party Bus DC

    Here is Similar Story

    The Computer Fraud and Abuse Act ("CFAA", 18 U.S.C. § 1030) has long caused knotty interpretive problems for the courts. This blog has frequently reported on a growing split between the federal courts over whether an employee who was authorized to use a company computer can be sued under CFAA if he accesses the computer to serve interests adverse to the company. The First and Seventh Circuits say "yes," while the Ninth Circuit and numerous district courts say "no."

  2. Patent Litigation

    Here is a similar story

    JAPANESE CONGLOMERATE Sony is facing accusations of breaching the US Computer Fraud and Abuse Act for removing the OtherOS feature from Playstation 3s it had sold that saw Linux able to run on the console.

    The Japanese technology and media giant has been fighting a class action lawsuit filed by 20 plaintiffs while simultaneously going after alleged PS3 hackers. While Sony has so far succeeded in getting a judge to accept that it can sue one George Holz for computer fraud and abuse, because he allegedly distributed advice on how to hack the PS3, the Japanese mega-corporation itself has been unsuccessful in getting all of the plaintiffs' allegations against it dismissed in the same jurisdiction.

  3. scientes

    RE: Patent Litigation

    Actually, the SONY ENTERTAINMENT INC. of California is suing George Holz, not the multinational which developed, manufactured and sold the PS3, SONY of Japan. This was brought up in Holz's legislation, along with the fact that they are suing him in California court and he lives in Massachusetts.

Comments are closed.