Employers Take Note: 11th Circuit Broadly Interprets “Loss” under CFAA
On January 25, 2017, in Brown Jordan Int’l, Inc. v. Carmicle (No. 16-11350), the U.S. Court of Appeals for the Eleventh Circuit held that expenses incurred by an employer while responding to the unauthorized access of company email accounts by a former employee, even absent an interruption of service, qualify as a “loss” under the federal Computer Fraud and Abuse Act (CFAA). In doing so, the Eleventh Circuit broadly interpreted the CFAA, which permits civil actions only under specific circumstances, including instances when an individual “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer” resulting in a “loss” during any 1-year period of at least $5,000.
Brown Jordan, an international furniture company (“Company”), filed its initial complaint in the Southern District of Florida asserting in part that its former employee violated the CFAA by repeatedly accessing Company email accounts without authorization, including accounts belonging to the Company’s CEO, CFO, and General Counsel. The Company further alleged that it spent nearly $24,000 on fees to outside consultants to investigate how the Defendant accessed employee email accounts and that this expense was a compensable “loss” under the CFAA.
For its part, the CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offenses, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
After an 11-day bench trial, the district court held that the Defendant’s unauthorized access of employee email accounts violated the CFAA and that the Company’s payments to outside investigators constituted a compensable “loss” under the statute. The district court awarded Brown Jordan over $76,000 in actual and punitive damages, in addition to attorneys’ fees and litigation costs.
In his appeal to the 11th Circuit, the Defendant argued that the Company could not establish a “loss” under the CFAA because there was no “interruption of service” resulting from his actions, he caused no damage to the Company’s computer system, and the Company paid no money to remedy such damage (and, therefore, that the fees to outside consultants were unnecessary). The appellate court disagreed. After noting that the interpretation of “loss” under the CFAA was an issue of first impression for the 11th Circuit, the Court drew from sister circuits’ reasoning before eventually holding that “loss” under the CFAA includes the cost of responding to the offense, regardless of whether there was an interruption of service.
As to the Defendant’s argument that the Company’s expenses were unnecessary and, therefore, not compensable, the Court found that it was reasonable for the Company to hire outside consultants to engage in an “extensive forensic and physical review” of the Company’s systems to determine the extent of the Defendant’s hacking activity. The Court again determined that such losses were incurred in the course of responding to the violation of the CFAA and, therefore, were compensable under the statute.
The 11th Circuit’s decision in Brown Jordan provides further support for a broader interpretation of “loss” in civil actions brought under the CFAA, thereby making it easier for employers to meet the damage threshold under the statute when seeking recovery from employees that violate it.