fenwick & west
The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §
1030, was enacted in 1984 as a criminal statute, but was
subsequently amended in the 1990s to allow for private
causes of action for damage to a “protected computer.”
As confidential information today is largely stored
electronically, companies have increasingly turned to
the CFAA in litigating the misappropriation of proprietary
information.
For a variety of reasons, a CFAA claim may be a desirable
supplement or even alternative to a trade secret action.
Trade secret actions arise under state law, so absent
diversity, a plaintiff is confined to state court. The CFAA,
however, confers federal subject matter jurisdiction,
enabling the suit to proceed in federal court. And, the
complained-of conduct may not qualify for a trade secret
action, which typically requires that misappropriated
information be confidential and well-guarded. The CFAA,
in contrast, merely specifies the taking of “information,”
an easier hurdle to clear for a plaintiff that may not be
able to show strict confidentiality. However, while the
CFAA has historically been a fruitful course for many
trade secret plaintiffs, courts are increasingly limiting its
application in trade secret cases.
Loss Requirement
Section 1030(g) of the CFAA provides that a civil action
may be brought only if the conduct involves one of the
following factors:
(I) loss during any 1-year period aggregating at least $
5,000 in value;
(II) actual or potential modification or impairment of
medical examination, diagnosis, treatment, or care;
(III) physical injury to any person;
(IV) a threat to public health or safety; or
(V) damage affecting a computer used by or for an
entity of the U.S. Government in furtherance of the
administration of justice, national defense, or national
security.
Trade secret plaintiffs typically attempt to satisfy (I), with
“loss” defined elsewhere in the CFAA as “any reasonable
cost to any victim, including the cost of responding to an
offense, conducting a damage assessment, and restoring
the data, program, system, or information to its condition
prior to the offense, and any revenue lost, cost incurred,
or other consequential damages incurred because of
interruption of service.”
But does loss stemming from trade secret
misappropriation meet this jurisdictional requirement?
Courts differ on this point, but seem to be trending in a
direction that limits private CFAA actions. Some courts
will accept a conclusory allegation that there was a loss
of at least $5,000. See Sam’s Wines & Liquors, Inc.
v. Hartig, 2008 U.S. Dist. LEXIS 76451 (N.D. Ill. Sept.
24, 2008). Some find that an allegation of the loss of
confidential information satisfies the loss requirement.
Resource Ctr. for Indep. Living, Inc. v. Ability Resources,
Inc., 534 F. Supp. 2d 1204 (D. Kans. 2008). Most,
however, are now holding that “loss” cannot consist only
of lost trade secrets or related lost revenue, but must
comprise costs that flow directly from the computer-
access event, such as costs caused by interruption of
service. See ResDev v. Lot Builders, 2005 U.S. Dist. LEXIS
19099 (M.D. Fla. Aug. 10, 2005); Nexans. v. Sark-USA,
Inc., 319 F. Supp. 2d 468, 477 (S.D.N.Y. 2004).
Because many trade secret plaintiffs do incur computer-
related costs (such as hiring a forensic expert to ascertain
the extent of illicit access and whether any data was
deleted), the stricter reading of “loss” should not
preclude CFAA actions by most aggrieved trade secret
holders. However, plaintiffs must be careful to plead
computer-related costs in the jurisdictional amount so
as not to be vulnerable to dismissal on this threshold
requirement.
Available CFAA Claims
Assuming a plaintiff can show loss, it must then allege a
CFAA violation. Trade secret plaintiffs will assert a CFAA
claim by alleging the defendant did one or more of the
following:
1. intentionally accessed a computer without
authorization or exceeded authorized access,
and thereby obtained information from a
protected computer (1030(a)(2)(C));
Shrinking Prospects for Private Trade Secret
Actions Under the CFAA
by ilana s. rubel
Shrinking Prospects for Private Trade Secret
Actions Under the CFAA
by ilana s. rubel
The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § prior to the offense, and any revenue lost, cost incurred,
1030, was enacted in 1984 as a criminal statute, but was or other consequential damages incurred because of
subsequently amended in the 1990s to allow for private interruption of service.”
causes of action for damage to a “protected computer.”
As confidential information today is largely stored But does loss stemming from trade secret
electronically, companies have increasingly turned to misappropriation meet this jurisdictional requirement?
the CFAA in litigating the misappropriation of proprietary Courts differ on this point, but seem to be trending in a
information. direction that limits private CFAA actions. Some courts
will accept a conclusory allegation that there was a loss
For a variety of reasons, a CFAA claim may be a desirable of at least $5,000. See Sam’s Wines & Liquors, Inc.
supplement or even alternative to a trade secret action. v. Hartig, 2008 U.S. Dist. LEXIS 76451 (N.D. Ill. Sept.
Trade secret actions arise under state law, so absent 24, 2008). Some find that an allegation of the loss of
diversity, a plaintiff is confined to state court. The CFAA, confidential information satisfies the loss requirement.
however, confers federal subject matter jurisdiction, Resource Ctr. for Indep. Living, Inc. v. Ability Resources,
enabling the suit to proceed in federal court. And, the Inc., 534 F. Supp. 2d 1204 (D. Kans. 2008). Most,
complained-of conduct may not qualify for a trade secret however, are now holding that “loss” cannot consist only
action, which typically requires that misappropriated of lost trade secrets or related lost revenue, but must
information be confidential and well-guarded. The CFAA, comprise costs that flow directly from the computer-
in contrast, merely specifies the taking of “information,” access event, such as costs caused by interruption of
an easier hurdle to clear for a plaintiff that may not be service. See ResDev v. Lot Builders, 2005 U.S. Dist. LEXIS
able to show strict confidentiality. However, while the 19099 (M.D. Fla. Aug. 10, 2005); Nexans. v. Sark-USA,
CFAA has historically been a fruitful course for many Inc., 319 F. Supp. 2d 468, 477 (S.D.N.Y. 2004).
trade secret plaintiffs, courts are increasingly limiting its
application in trade secret cases. Because many trade secret plaintiffs do incur computer-
related costs (such as hiring a forensic expert to ascertain
Loss Requirement the extent of illicit access and whether any data was
deleted), the stricter reading of “loss” should not
Section 1030(g) of the CFAA provides that a civil action preclude CFAA actions by most aggrieved trade secret
may be brought only if the conduct involves one of the holders. However, plaintiffs must be careful to plead
following factors: computer-related costs in the jurisdictional amount so
as not to be vulnerable to dismissal on this threshold
(I) loss during any 1-year period aggregating at least $ requirement.
5,000 in value;
(II) actual or potential modification or impairment of Available CFAA Claims
medical examination, diagnosis, treatment, or care;
(III) physical injury to any person; Assuming a plaintiff can show loss, it must then allege a
(IV) a threat to public health or safety; or CFAA violation. Trade secret plaintiffs will assert a CFAA
(V) damage affecting a computer used by or for an claim by alleging the defendant did one or more of the
entity of the U.S. Government in furtherance of the following:
administration of justice, national defense, or national
security. 1. intentionally accessed a computer without
authorization or exceeded authorized access,
Trade secret plaintiffs typically attempt to satisfy (I), with and thereby obtained information from a
“loss” defined elsewhere in the CFAA as “any reasonable protected computer (1030(a)(2)(C));
cost to any victim, including the cost of responding to an
offense, conducting a damage assessment, and restoring
the data, program, system, or information to its condition
fenwick & west
Document hosted at
http://www.jdsupra.com/post/documentViewer.aspx?fid=ccb9c0ff-afb7-4fe3-a79c-f294706277b4
