Wednesday, November 2, 2011

Defining "Damages" and "Loss" Under the CFAA

The Computer Fraud and Abuse Act is my least favorite statute. This is partly a result of the way it has been set up - a series of amendments that allow for civil actions, within a criminal statute.

The other fundamental problem with the CFAA is that key terms are either confusing, vague or undefined.

Regardless of which statutory provision is invoked in a CFAA claim, a plaintiff must prove either "loss" or "damages" to obtain compensatory damages (if it sounds redundant, it kind of is). Though the terms sound synonymous, they're not. Here's a brief summary of the difference.

To prove "damages," a plaintiff must show "impairment to the integrity or availability of data." Courts generally hold that this means destruction or deletion of files or hard drives. It does not mean the copying of electronic information from a computer system.

"Loss" is the subject of conflicting court rulings, but generally means costs of responding to an offense, damages from an interruption in service, or costs of conducting a damage assessment.

Disputes often arise whether retention of a forensic expert to examine an ex-employee's computer fit within the idea of "conducting a damage assessment." The general rule is they do not, because such costs are more akin to assisting in the overall litigation.

Also, the loss of business resulting from misuse of confidential information is not properly a "loss" under the CFAA, but is better addressed within the construct of contract damages or trade secret law.

No comments:

Post a Comment