Lost sales were not “loss” under the Computer Fraud and Abuse Act

CustomGuide v. CareerBuilder, LLC, 2011 WL 3809768 (N.D.Ill. August 24, 2011)

Plaintiff and defendant had discussed a licensing arrangement whereby defendant would provide certain of plaintiff’s materials online. The parties never entered into that agreement. But plaintiff claimed that defendant went ahead and accessed the materials stored on plaintiff’s computer system, and thereby caused plaintiff to miss out on certain sales in the business to business marketplace for the materials.

So plaintiff sued, alleging a variety of claims, including a claim under the Computer Fraud and Abuse Act. Defendant moved to dismiss. The court granted the motion.

The CFAA defines a “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11).

The court looked to the case of Cassetica Software v. Computer Sciences Corp., 2009 WL 1703015, (N.D.Ill. June 18, 2009) which explained that “[w]ith respect to ‘loss’ under the CFAA, other courts have uniformly found that economic costs unrelated to computer systems do not fall within the statutory definition of the term.” Rather, the purported loss “must relate to the investigation or repair of a computer system following a violation that caused impairment or unavailability of data.” For these reasons, the court in Cassetica Software held that lost revenues that were not related to the impairment of a computer system were not recoverable under the CFAA.

In this case, the court found that plaintiff did not allege any facts connecting its purported “loss” to an interruption of service of its computer systems. Instead, the complaint described an economic loss of revenues related plaintiff’s making business to business sales. Because such economic losses do not fall within the definition of “loss” under the CFAA, the court tossed the CFAA claim.

Computer Fraud and Abuse Act case against hard drive destroying director goes forward

Deloitte & Touche LLP v. Carlson, 2011 WL 2923865 (N.D. Ill. July 18, 2011)

Defendant had risen to the level of Director of a large consulting and professional services firm. (There is some irony here – this case involves the destruction of electronic data, and defendant had been in charge of the firm’s security and privacy practice.)

After defendant left the firm to join a competitor, he returned his work-issued laptop with the old hard drive having been replaced by a new blank one. Defendant had destroyed the old hard drive because it had personal data on it such as tax returns and account information.

The firm sued, putting forth a number of claims, including violation of the Computer Fraud and Abuse Act (CFAA). Defendant moved to dismiss for failure to state a claim upon which relief can be granted. The court denied the motion.

Defendant argued that the CFAA claim should fail because plaintiff had not adequately pled that the destruction of the hard drive was done “without authorization.” The court rejected this argument.

The court looked to Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) for guidance on the question of whether defendant’s alleged conduct was “without authorization.” Int’l Airport Centers held that an employee acts without authorization as contemplated under the CFAA if he or she breaches a duty of loyalty to the employer prior to the alleged data destruction.

In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the “without authorization” element to be adequately pled.

CFAA violation where employee’s access to work computer violated fiduciary duty to employer

Plaintiff former employer sued defendant former employee for violation of the Computer Fraud and Abuse Act, 18 U.S.C. 1030, alleging that defendant, while still in the employ of plaintiff, accessed confidential business information and destroyed other important data. Defendant moved to dismiss the CFAA claim. The court denied the motion.

Defendant had argued that the complaint failed to establish that access to the work computer was had without authorization. He assserted that plaintiff did not allege that at any time while defendant was employed by plaintiff his access to his work-issued computer was restricted, or that plaintiff ever told him that he was no longer permitted to access the computer.

But the plaintiff had alleged that defendant’s access violated the fiduciary duty defendant owed. The court held that under Int’l Airport Ctr., L.L.C. v. Citrin, 440 F.3d 418, 420–21 (7th Cir.2006), allegations of a breach of duty are enough to properly allege that defendant lost his authorization to access his company computer.

Compare this holding (and Citrin) with the Ninth Circuit’s holding in LVRC Holdings v. Brekka.

Employee did not violate Computer Fraud and Abuse Act by checking Facebook and personal email at work

Lee v. PMSI, Inc., 2011 WL 1742028 (M.D.Fla., May 6, 2011)

Former employee sued the company she used to work for alleging pregnancy discrimination. The company countersued under the Computer Fraud and Abuse Act (“CFAA”) alleging that the former employee violated the CFAA by using her work computer to access Facebook and check her personal email. She moved to dismiss the counterclaim, and the court granted the motion. The court found that the company failed to allege that its computer system was damaged by plaintiff’s internet usage, and plaintiff was alleged only to have accessed her own information, not that of the employer.

1 2 3 4 5 6 7