Wednesday, July 31, 2013

Revisiting "Damage" and "Loss" Under the Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act is organized about as logically as David Foster Wallace's sprawling masterpiece, Infinite Jest.

For literary fiction, that might be fine. For federal statutes, it's a disaster.

As a result, courts and commentators long have struggled over what parties must prove to establish an actual civil claim under the CFAA. And a great deal of the confusion and disagreement concerns the twin concepts of damage and loss.

At first blush, the terms sound like synonyms. But they're not. For purposes of the CFAA, each term has a precise definition.

The basic confusion has arisen because to state a civil claim, a party must have suffered "damage or loss" by reason of a substantive offense. To compound problems, certain substantive CFAA provisions require a party independently to show "damage," which renders the either/or structure a bit confusing. And a textual reading of the CFAA seems to show that in all cases (really, in all cases that deal with unfair competition) a plaintiff must show compensable "loss."

In other words, it's a total nightmare.

Or is it?

In my opinion, the concepts of damage and loss are complementary pieces that fit together. They're not substitutes. But to understand this, it's critical to keep in perspective the overall purpose and set-up of the CFAA.

What the CFAA Does (and Doesn't) Protect

Attorneys too often view the CFAA as a federal trade secret substitute. In other words, attorneys who want the muscle of a federal court try to shoehorn a trade secrets (or duty of loyalty) case into a CFAA violation if they determine a computer somehow was involved in facilitating the underlying act (usually, the downloading of documents). As a result, a large majority of CFAA claims in the employment context never quite fit the elements of the statute.

The CFAA protects a party from damage to computer systems (including files and programs), outside hacking, and theft of computer data. That's it. It is not a broad federal statute that displaces a wide range of contract- and tort-based claims typically reserved for state courts. And because computers are omnipresent in the way parties deal with each other, a broad CFAA construct could have the effect of federalizing competition claims well outside the statute's intent. This is part of the ongoing dispute over the CFAA's reach, a subject on which I and countless others have written.

The Concept of "Damage"

The definition of "damage" under the CFAA is decently plain. Damage is simply the impairment to the availability or integrity of data. For example, if an outsider hacks into a network and causes the deletion of files from a server, this would constitute damage. If an insider copies confidential information that otherwise remains available, this would not constitute damage because the data is still available. I'll return to this, but the word "integrity" is the key to unlocking the confusion that has arisen over when certain conduct causes damage.

Here's an easy way to understand "damage" for CFAA purposes: it's the type of injury the statute was designed to cover. As I'll discuss, the relatively limited statutory definition becomes confusing when applied to data theft cases.

Defining "Loss"

"Loss" is not the same as damage. Where damage defines the nature of the harm, "loss" covers what is compensable arising from that harm. Loss covers either: (1) costs in restoring a computer system, programs, or files; or (2) revenue lost due to an interruption in service.

A couple of examples may help clarify. If an outside hacker launches a denial-of-service attack on an e-commerce website, he can be liable for the revenue lost attributable to server downtime. Similarly, if an insider destroys the only copy of files on a shared server, she can be liable for the costs the company spends to hire a forensic technician to recover those files. These are the classic CFAA offenses.

Understanding the Types of CFAA Cases

The problem in fitting together the concepts of "damage" and "loss" arises from the predicate to Section 1030(g). This is the section of the CFAA that enables a private party to assert a civil claim.

The predicate starts off by stating unambiguously that a party "who suffers damage or loss" for an enumerated offense can maintain a civil cause of action. In reality, that language is either unnecessary or improperly worded. I maintain it's unnecessary.

The Destruction or Hacking Cases

Several provisions of the CFAA independently require a civil plaintiff to show "damage." I refer to these provisions, for simplicity's sake, as the data destruction or hacking offenses. They are contained within Sections 1030(a)(5)(A)-(C). By and large, these sub-sections of the CFAA are easy to understand. They include the paradigms I described above: the outsider launching a denial-of-service attack and an insider destroying files.

In these fact patterns, which Section 1030(a)(5) clearly is designed to redress, a court first assesses whether the activity gives rise to "damage" - that is, data or system impairment - and then looks to whether the plaintiff can establish "loss." It makes little sense to view this as an either/or proposition because loss (response costs or lost revenue due to an interruption in service) flows naturally from damage. If a party can show damage, it will show loss (unless the amount is so trivial as to fall short of the CFAA's modest $5,000 jurisdictional minimum).

The Theft Cases

The other provisions of the CFAA that are frequently at issue in competition cases are Sections 1030(a)(2) and (a)(4). Those sub-sections have caused a great deal of dispute among federal courts because of the concept of "access" and whether "unauthorized access" includes misuse of data. Aside from that, both sub-sections generally provide a remedy if a party lacks proper access (however interpreted) and obtains information from a computer either with or without an intent to defraud.

The best way to look at these provisions of the CFAA is that they serve different ends than the destruction or hacking provisions of Section 1030(a)(5). In other words, Sections 1030(a)(2) and (4) provide a remedy for civil theft out of a computer. In the context of these claims, a party is not going to show "damage" to a computer because the very nature of the offense doesn't contemplate system downtime or lost files - unless we reinterpret "damage", which I argue below we must. Rather, the claim deals with the taking of information (trade secret or not). But, by virtue of the claim, the owner still has the same data (or else it simply would be a Section 1030(a)(5) claim).

From my perspective, a plain reading of the CFAA requires a plaintiff to show loss in virtually any CFAA case involving unfair competition. But since loss appears limited to damage assessment, recovery costs, and lost revenue due to a service interruption, assessing loss in a "theft" case is much more difficult to grasp. The computer isn't damaged; the data isn't gone; and the server hasn't crashed.

For this reason, courts seem to have stretched the meaning of "loss" to include the cost of retaining a forensic expert to track wrongdoing. And in the context of a CFAA theft case under 1030(a)(2) and (a)(4), this may be a "cost responding to an offense." But it's awfully difficult to fit that into the definition of "loss" unless we do more work to reconcile the CFAA as a whole. This issue receives little attention because there's so much noise surrounding the other elements of a theft case, in particular whether the term "unauthorized access" can apply to insiders who have credentials to use a computer system but act in ways contrary to their employers' interests.

Reconciling "Damage" and "Loss" Under the CFAA

As it stands, here's what seems clear. For a hacking or data destruction case under Section 1030(a)(5), a plaintiff must show damage and loss. This is based simply on a textual reading of the statute. Loss should flow naturally from damage. These are not difficult cases to understand, which is hardly a surprise given that they fall within the statute's prime focus.

A theft case is different. A plaintiff needs to show a loss, but it does not have to show damage. That much also seems clear from the plain language of the statute. Practically speaking, though, should it prove damage? I think so.

But to do this in a theft case arising under Section 1030(a)(2) or (4), a court would have to interpret "damage" as a compromise to the manner in which data was stored or protected. Arguably, this is consistent with the statutory definition, which references an impairment to the integrity of data.

Then, of course, the plaintiff still would need to show a loss. To me, it's difficult to argue loss without showing damage because (as I've noted) the concepts seem to be complements - not substitutes. Plaintiffs have figured this out by engaging forensic firms to track unauthorized access and stolen information out of a protected computer. I'm not totally convinced this is an expense that qualifies as a "loss," but if courts expand the definition of damage, then I guess "loss" would have to include investigation expenses. Regardless, it's not a totally unreasonable reading of the statute to include these expenses.

Ultimately, courts have little choice. They have to expand the definition of damage to give meaning to Section 1030(a)(2) and (4). Otherwise, if damage and loss are given a narrow reading, there's no claim under the CFAA for theft cases. It's easy to say now that the definitions simply don't match up, but it would be absurd to find there's no way to define damage for theft cases.

This expansive definition of damage may solve the riddle that confronts cases involving theft of data. More to the point, it demonstrates precisely why CFAA theft cases (as opposed to hacking or data destruction cases) should be limited to access by outsiders - those who truly don't have the credentials to access data in the first place. This is another way of saying the narrow view of what unauthorized access means is consistent with the purpose of the statute and in particular the concepts of damage and loss. Otherwise, the CFAA is little more than a substitute for state laws that already govern trade secrets theft and breach of the duty of loyalty. And given that the CFAA contains broad criminal sanctions, this is an interpretation courts should be very hesitant to adopt.
