After last year's important Ninth Circuit decision from U.S. v. Nosal, I discussed my take on the ongoing debate within our federal courts over how to interpret the Computer Fraud and Abuse Act - and in particular, whether the statute addresses claims related to employee misuse of business information obtained from a computer to which they properly had access.
The debate has only intensified with the Fourth Circuit following the Ninth, and a spate of seemingly endless district court cases and commentary on the subject.
Perhaps most surprising is that the Second Circuit - which encompasses New York - has not had the chance to decide whether to follow the narrow view of Nosal or adopt the broad view from earlier cases decided in the First, Fifth, Seventh, and Eleventh Circuits. New York is home to a great deal of competition litigation, particularly in the financial services sector. And district courts within the Second Circuit have come out both ways on how to interpret the CFAA.
The fashionable trend among courts, New York included, is to follow Nosal. As JBCHoldings NY, LLC v. Pakter, 2013 U.S. Dist. LEXIS 39157 (S.D.N.Y. Mar. 20, 2013), shows, courts seem more persuaded by the narrow view (the right view, in my opinion) of the CFAA's reach.
It's not worth rehashing all the arguments that have been blogged ad nauseum, both pro and con on the narrow view. Pakter runs through them all in a thoughtful, thorough analysis.
There's one argument, however, I don't find convincing.
Pakter, and other courts, have looked at the definition of "loss" under the CFAA and found that it strongly suggests the statute is not intended to guard against misuse of proprietary information. They reason that "loss" is defined rather narrowly and is intended to compensate for damage assessment, data recovery, or damages due to an interruption in service. Courts have not extend this definition to include lost profits or other business damages typically associated with trade secret theft.
But for a party bringing a civil claim under the CFAA, it has to show either "loss" or "damage." And while "loss" is fairly limited, the term "damage" isn't. It includes impairment to the integrity or availability of data or information. So whatever the myriad reasons are for taking a narrow view of the CFAA, the rather limited definition of "loss" shouldn't be one of them.