The Computer Fraud and Abuse Act

Not a Low Hanging Fruit to Litigate

 

Because disgruntled employees who leave to go into competition frequently email confidential information to a competitor as part of their exits, employers have sought relief under the Computer Fraud and Abuse Act (CFAA).  A recent case involving Del Monte and Chiquita has provided some guidance for parties considering pursuing a claim under the CFAA.

           

Overview of the Computer Fraud and Abuse Act

 

The CFAA was designed to punish individuals who destroy data.  Congress was concerned with attacks by virus and worm writers, which come mainly from the outside, and attacks by disgruntled employees.  Although the statute is a criminal statute, it also provides a private right of action.  Any person who suffers damage or loss by reason of a violation of the CFAA may maintain a civil action against the violator to obtain compensatory damages and injunctive relief.

 

The CFAA defines damage as impairment to the integrity or availability of data, a program, a system or information.  Loss is defined as any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, any revenue lost, cost incurred, or other consequential damages incurred because of the interruption of service.  A plaintiff that has not suffered any damage may still prevail on a CFAA claim by showing that it has suffered a loss.

           

Recent Decision

 

In the recent case involving Del Monte and Chiquita, a former employee of Del Monte accessed Del Monte's business information after her authority to view the documents had expired and emailed the information to herself and to a third party.  Del Monte sued the former employee for violations of the CFAA, among other charges.  Del Monte alleged that it was damaged by the improper downloading and dissemination of its files.  In addition, Del Monte claimed it suffered a loss of $5,000 which it paid to an information technology consultant to conduct a damage assessment of the former employee's computer.  Del Monte did not ask its consultant to assess whether the former employee's hard drive was still functional nor did the consultant perform any tests aimed at determining whether the integrity of Del Monte's data or networks was impaired.  The consultant was solely asked to search the computer for certain keywords involving a competitor and then report back to Del Monte with his findings.  The consultant admitted that, at the time he was engaged, he did not believe he would be testing for impairments to the integrity or availability of data on Del Monte's systems or hard drives.

 

The district court held that Del Monte failed to meet its burden under the CFAA and awarded summary judgment in favor of the former employee on that claim.

 

Improperly Downloading and Emailing Files Does Not Constitute a Damage Under the CFAA

 

The Northern District of Illinois found that Del Monte had not suffered any damage which would allow it to prevail under the CFAA because there was no evidence of destruction or impairment of data.  The court held that "copying electronic files from a computer database-even when the ex-employee emails those files to a competitor-is not enough to satisfy the damage requirement of the CFAA; there must be destruction or impairment of the underlying data."  In a separate opinion, the Northern District of Illinois made it clear that "the [CFAA] was not meant to cover the disloyal employee who walks off with confidential information."

 

The Cost of a Damage Assessment as a Loss Under the CFAA

 

Del Monte alleged that it suffered a loss recognized by the CFAA because it paid for a damage assessment of the former employee's computer.  The CFAA's definition of loss includes the cost of a damage assessment.  The Northern District of Illinois, however, held that simply alleging a damage assessment took place will not be enough to satisfy the statute.  Just because Del Monte alleges it paid for a 'damage assessment' does not make it so.  A damage assessment must include actions taken to determine whether there was any impairment to the integrity or availability of data on the plaintiff's systems or hard drives.  The plaintiff must prove that the damage assessment performed sought to discover damages as defined by the statute.

 

The court determined that Del Monte had hired its consultant in order to prepare for and assist in the litigation.  The court found no evidence that Del Monte's consultant was hired due to a concern about damage or impairment to Del Monte's data or networks.  The court noted that although Del Monte's concern over the theft of the data was a legitimate business concern, an assessment performed to determine whether data was copied does not constitute a loss under the CFAA.

 

Summary

 

Based on the reasoning in the Del Monte decision, a party who uses a damage assessment to support a claim under the CFAA must demonstrate that the assessment was performed in order to determine whether the party's data, programs or systems were impaired or damaged.  This may be accomplished through the use of an engagement letter or written instructions specifying that the consultant is being hired to perform a damage assessment on the computer or network.  The writing should also make it clear that the party is seeking to determine whether its programs, systems, or data have been impaired or damaged in any way.  Furthermore, the party filing the claim should keep all documentation of the tests actually performed on the computer or network.  In addition, it would be helpful to set forth the party's reason for believing that the computer might have been impaired.  The above-mentioned case suggests that the court is not likely to be sympathetic to precautionary testing based solely on an employee's disloyalty.  Thus, a party should be able to articulate some basis for a concern that its data or systems might have been damaged or impaired.

 

If you have more questions about the Computer Fraud and Abuse Act, you can contact Jennifer Johnson, associate in Ice Miller's Business Litigation Practice Group.

 

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice.  The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.