US Supreme Court Appears to Limit Civil Liability under the CFAA
The federal Computer Fraud and Abuse Act, 18 U.S.C. 1030 (“CFAA”), essentially an anti-hacking statute, is primarily a criminal law. However, under certain circumstances, the CFAA affords a private civil right of action. Pursuant to Section 1030(g) of the CFAA, “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” The statute goes on to limit the right of a private person or company to bring a civil action only where the violation: (1) modifies or impairs medical examination, diagnosis, treatment or care of a person or persons; (2) causes physical injury to any person; (3) causes a threat to public health or safety; or (4) causes “loss” to one or more persons during any one-year period aggregating at least $5,000 in value. Most CFAA civil lawsuits are brought pursuant to the last option, namely causing loss to one or more persons during any one-year period aggregating at least $5,000 in value.
The CFAA defines “damage” to mean “Any impairment to the integrity or availability of data, a program, a system, or information”. The CFAA defines “loss” to mean, “Any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Although the definition of “loss” appears to be somewhat broad, the United States Supreme Court, in Van Buren v. United States, 141 S.Ct. 1648, 1659-60 (2021), advised lower courts to narrowly interpret the terms “damage” and “loss” in the CFAA civil context. The Court explained that the statutory terms “loss” and “damage” “focus on technological harms – such as the corruption of files – of the type unauthorized users cause to computer systems and data”. Id. at 1660.
As a result, it appears that a mere intrusion, or even copying of data, may be insufficient to impose civil liability under the CFAA. In fact, based upon Van Buren, many courts have dismissed CFAA claims where the Plaintiff does not plausibly allege that the defendant(s) caused harm to the plaintiff’s data or computer system. hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1195 n. 12 (9th Cir. 2022) (Holding that Van Buren requires “technological harm” to bring a viable civil action under the CFAA); Gap Properties, LLC v. Cairo, No. 19-20117, 2022 WL 17250572, at *5-7 (D.N.J. Nov. 28, 2022) (Holding that “hiring of outside consultants to hack into the computers” to obtain information did not constitute “improper access” because it does not constitute damage or loss pursuant to Van Buren); Acrison, Inc. v. Rainone, No. 22-1176, 2022 WL 16695116, at *7-8 (D.N.J. Nov. 3, 2022) (Holding that pursuant to Van Buren, merely accessing, copying or downloading data is insufficient to show “loss” or “damage” under CFAA); Ryanair DAC v. Booking Holdings Inc., No. 20-1191, 2022 WL 13946243, at *7 (D. Del. Oct. 24, 2022) (Pursuant to Van Buren, the terms “loss” and “damage” in the CFAA focus on technological harms – such as the corruption of files ….”); Pipeline Productions, Inc. v. S&A Pizza, Inc., No. 4:20-00130, 2021 WL 4811206, at *6-7 (W.D. Mo. Oct. 14, 2021); Deck v. Courtney, No. 1:21-v-01078, 2021 WL 3474043, at *2 (S.D. Ind. Aug. 6, 2021); Better Holdco, Inc. v. Beeline Loans, Inc., No. 20-CV-8686, 2021 WL 3173736 (S.D.N.Y. Jul. 26, 2021).
As a result, it appears that a plaintiff must plead and prove that any “loss” is tied to “technological harm” or, in other words, damage or impairment of a protected computer. As a result, a plaintiff may not be able to bring an action and recover damages where the plaintiff merely incurred costs to investigate and mitigate an intrusion but there was no harm to a computer system or its data.