A 'Loss' Under the CFAA Does Not Require Interruption of Service

This article focuses on what federal appellate courts agree upon with regard to the text of the CFAA. In late January 2017, the U.S. Court of Appeals for the Eleventh Circuit, in what it labeled an issue of first impression, held that resources expended to investigate the aftermath of unauthorized employee access can constitute a “loss” even without any interruption in computer service resulting from the unauthorized access. See Brown Jordan Int'l v. Carmicle — F.3d —-, 2017 WL 359651 (11th Cir. Jan. 25, 2017). The court adopted the reasoning first laid out in two other federal appellate court opinions issued under similar circumstances in 2009 and 2014, respectively.

As discussed below, the Eleventh Circuit premised its conclusions largely on principles of statutory interpretation and certain elements of the legislative history, which is often a canon of interpretation used with respect to the CFAA, although it leads to conflicting ends in certain circumstances.

Facts and Procedural History

In 2002, Christopher Carmicle began working for Brown Jordan International, the parent company of a number of entities that sell furniture. After Carmicle ascended to a management position at one of Brown Jordan's subsidiaries three years later, he executed an executive employment agreement as required by Brown Jordan CEO Gene Moriarty.

Around 2011, the relationship between Carmicle and Moriarty soured after evidence surfaced that Carmicle had allegedly been incurring excessive expenses and had put his wife on the company payroll. Nonetheless, Carmicle stayed on with the company in the ensuing years due to Brown Jordan's belief in the strategic and financial advantages of having him remain with the company during a period when it was trying to offer itself for sale or arrange for a management buyout.

In the summer of 2013, Brown Jordan transitioned to a new email service. While completing the transition, the company issued all employees a generic password. At the same time, Carmicle had become suspicious that a subordinate had circumvented the chain of command, so to speak, and was communicating directly with Moriarty, and that both were lying to Carmicle about a personnel issue. This prompted Carmicle to use the generic password to access their accounts and read their emails. This was the tip of the iceberg. Carmicle then repeatedly used the generic password to access accounts of other employees. He also learned about the details of Brown Jordan's potential management buyout and that the company was scrutinizing his expenses. He took screenshots with his iPad to document these developments.

A year later, Carmicle wrote to Brown Jordan's board of directors accusing Moriarty and others of a surfeit of fraudulent and illegal activities, including allegations of actions detrimental to the company shareholders during the time a sale or buyout had been contemplated. Brown Jordan hired two separate consultants to investigate these claims. Ultimately, Carmicle's charges were deemed to be baseless.

A month later, Brown Jordan filed a complaint averring that, inter alia, Carmicle violated the CFAA because his unauthorized access to fellow employee emails caused the company to pay outside consultants to assess how Carmicle had accessed the emails, and to sweep its office to ensure no surveillance devices had been clandestinely set up. Carmicle countered that Brown Jordan had suffered no loss as defined in the CFAA because his email access did not cause any damage to the company computers, nor an interruption in service, and also because the fees paid to the consultants were unnecessary or unrelated.

The district court first dismissed Carmicle's motions to dismiss and for partial summary judgment on the CFAA claim, and later concluded that Carmicle's email access violated the CFAA.

Legal Analysis and Conclusions

The Eleventh Circuit affirmed. Unsurprisingly, the opinion centered on what constituted a loss under 18 U.S.C. § 1030(e)(11), which the court characterized as an issue of first impression in that circuit. “Loss” as defined in the CFAA means “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offenses, and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service” Id. (emphasis added).

In interpreting this provision, the court emphasized repeatedly that it is written in the disjunctive. Therefore, even though obviously the second type of loss pertaining to an interruption of service is inapplicable, the first type of loss pertaining to “reasonable costs incurred in connection with … responding to a violation [or] assessing the damage done” stands as a loss category independent from any interruption of service.

When applying this framework, the court held that both types of loss alleged by Brown Jordan were compensable under the CFAA as costs of “responding to an offense.” Hiring the consultants to evaluate the machinations behind Carmicle's access to his co-workers' emails was necessary because the company rightfully refused to credit Carmicle's assertion that he had only accessed such emails via the generic password. Accordingly, the costs associated with discovering the extent of the unauthorized accessed were warranted. Likewise, the costs disbursed to hire consultants to perform a forensic review of the Brown Jordan facilities for surveillance and to otherwise determine the extent of Carmicle's hacking activities was a compensable loss under the CFAA.

The Carmicle opinion repeatedly cited what appears to be the two other federal appellate opinions that have construed the scope of 18 U.S.C. § 1030(e)(11). In Yoder & Frey Auctioneers v. EquipmentFacts, 774 F.3d 1065 (6th Cir. 2014), the U.S. Court of Appeals for the Sixth Circuit concluded that unauthorized access to the plaintiff's online auction system by a former contractor, which crowded out legitimate bids for the same amount as winning bids, constituted damage sufficient to create liability under the CFAA. The court then held that investigating the digital invasion of the auction and conducting a damage assessment did cause a “loss.” Likewise, in A.V. ex rel. Vanderhye v. iParadigms, 562 F.3d 630 (4th Cir. 2009), the Fourth Circuit held that employee man-hours spent investigating a glitch in the employer's digital anti-plagiarism system as a result of an unauthorized intrusion could constitute a compensable loss under the CFAA.

Conclusion

These three opinions illustrate that, at least with respect to determining the scope of a “loss” under the CFAA, there is some consensus at the federal appeals level about how to proceed with one element of a claim arising thereunder.

*****
Richard Raysman is a Partner at Holland & Knight. Peter Brown is the principal at Peter Brown & Associates. They are co-authors of Computer Law: Drafting and Negotiating Forms and Agreements (Law Journal Press).

These days, staying in the same job throughout a career is rare. When the employee-employer relationship ends, sometimes the parting is amicable. Less often, issues arise, and either party can become disgruntled. There are even examples of former employees accessing the employer's computer after access or use has been revoked.

In response to such employee behavior, employers can and have brought claims against previous or soon-to-be previous employees under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, which was originally enacted in 1984 to address “computer crime.” This phrase was then principally understood as referring to the “hacking” or trespassing into computer systems.

The success of CFAA claims can sometimes ride on interpretations of the meaning of “authorization” in the statute, and more specifically, whether “authorization” connotes restrictions only on the access to information, and not restrictions on its use. See 18 U.S.C. §1030(a)(2). A circuit split presently exists over this question and there is no indication that the U.S. Supreme Court is poised to weigh in. The U.S. Court of Appeals for the Second Circuit's decision in United States v. Valle , 807 F.3d 508 (2d Cir. 2015), sided with the view that the CFAA restricts only access to information. However, this decision dealt with the criminal provisions of the CFAA and relied on the rule of lenity as applied to statutory construction in the context of criminal allegations.

This article focuses on what federal appellate courts agree upon with regard to the text of the CFAA. In late January 2017, the U.S. Court of Appeals for the Eleventh Circuit, in what it labeled an issue of first impression, held that resources expended to investigate the aftermath of unauthorized employee access can constitute a “loss” even without any interruption in computer service resulting from the unauthorized access. See Brown Jordan Int'l v. Carmicle — F.3d —-, 2017 WL 359651 (11th Cir. Jan. 25, 2017). The court adopted the reasoning first laid out in two other federal appellate court opinions issued under similar circumstances in 2009 and 2014, respectively.

As discussed below, the Eleventh Circuit premised its conclusions largely on principles of statutory interpretation and certain elements of the legislative history, which is often a canon of interpretation used with respect to the CFAA, although it leads to conflicting ends in certain circumstances.

Facts and Procedural History

In 2002, Christopher Carmicle began working for Brown Jordan International, the parent company of a number of entities that sell furniture. After Carmicle ascended to a management position at one of Brown Jordan's subsidiaries three years later, he executed an executive employment agreement as required by Brown Jordan CEO Gene Moriarty.

Around 2011, the relationship between Carmicle and Moriarty soured after evidence surfaced that Carmicle had allegedly been incurring excessive expenses and had put his wife on the company payroll. Nonetheless, Carmicle stayed on with the company in the ensuing years due to Brown Jordan's belief in the strategic and financial advantages of having him remain with the company during a period when it was trying to offer itself for sale or arrange for a management buyout.

In the summer of 2013, Brown Jordan transitioned to a new email service. While completing the transition, the company issued all employees a generic password. At the same time, Carmicle had become suspicious that a subordinate had circumvented the chain of command, so to speak, and was communicating directly with Moriarty, and that both were lying to Carmicle about a personnel issue. This prompted Carmicle to use the generic password to access their accounts and read their emails. This was the tip of the iceberg. Carmicle then repeatedly used the generic password to access accounts of other employees. He also learned about the details of Brown Jordan's potential management buyout and that the company was scrutinizing his expenses. He took screenshots with his iPad to document these developments.

A year later, Carmicle wrote to Brown Jordan's board of directors accusing Moriarty and others of a surfeit of fraudulent and illegal activities, including allegations of actions detrimental to the company shareholders during the time a sale or buyout had been contemplated. Brown Jordan hired two separate consultants to investigate these claims. Ultimately, Carmicle's charges were deemed to be baseless.

A month later, Brown Jordan filed a complaint averring that, inter alia, Carmicle violated the CFAA because his unauthorized access to fellow employee emails caused the company to pay outside consultants to assess how Carmicle had accessed the emails, and to sweep its office to ensure no surveillance devices had been clandestinely set up. Carmicle countered that Brown Jordan had suffered no loss as defined in the CFAA because his email access did not cause any damage to the company computers, nor an interruption in service, and also because the fees paid to the consultants were unnecessary or unrelated.

The district court first dismissed Carmicle's motions to dismiss and for partial summary judgment on the CFAA claim, and later concluded that Carmicle's email access violated the CFAA.

Legal Analysis and Conclusions

The Eleventh Circuit affirmed. Unsurprisingly, the opinion centered on what constituted a loss under 18 U.S.C. § 1030(e)(11), which the court characterized as an issue of first impression in that circuit. “Loss” as defined in the CFAA means “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offenses, and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service” Id. (emphasis added).

In interpreting this provision, the court emphasized repeatedly that it is written in the disjunctive. Therefore, even though obviously the second type of loss pertaining to an interruption of service is inapplicable, the first type of loss pertaining to “reasonable costs incurred in connection with … responding to a violation [or] assessing the damage done” stands as a loss category independent from any interruption of service.

When applying this framework, the court held that both types of loss alleged by Brown Jordan were compensable under the CFAA as costs of “responding to an offense.” Hiring the consultants to evaluate the machinations behind Carmicle's access to his co-workers' emails was necessary because the company rightfully refused to credit Carmicle's assertion that he had only accessed such emails via the generic password. Accordingly, the costs associated with discovering the extent of the unauthorized accessed were warranted. Likewise, the costs disbursed to hire consultants to perform a forensic review of the Brown Jordan facilities for surveillance and to otherwise determine the extent of Carmicle's hacking activities was a compensable loss under the CFAA.

The Carmicle opinion repeatedly cited what appears to be the two other federal appellate opinions that have construed the scope of 18 U.S.C. § 1030(e)(11). In Yoder & Frey Auctioneers v. EquipmentFacts , 774 F.3d 1065 (6th Cir. 2014), the U.S. Court of Appeals for the Sixth Circuit concluded that unauthorized access to the plaintiff's online auction system by a former contractor, which crowded out legitimate bids for the same amount as winning bids, constituted damage sufficient to create liability under the CFAA. The court then held that investigating the digital invasion of the auction and conducting a damage assessment did cause a “loss.” Likewise, in A.V. ex rel. Vanderhye v. iParadigms, 562 F.3d 630 (4th Cir. 2009), the Fourth Circuit held that employee man-hours spent investigating a glitch in the employer's digital anti-plagiarism system as a result of an unauthorized intrusion could constitute a compensable loss under the CFAA.

Conclusion

These three opinions illustrate that, at least with respect to determining the scope of a “loss” under the CFAA, there is some consensus at the federal appeals level about how to proceed with one element of a claim arising thereunder.

*****
Richard Raysman is a Partner at Holland & Knight. Peter Brown is the principal at Peter Brown & Associates. They are co-authors of Computer Law: Drafting and Negotiating Forms and Agreements (Law Journal Press).