CFAA’S $5,000 Threshold

NEXANS WIRES, a manufacturer of advanced copper and optical fiber wire and cables, sued its direct competitor, Sarkuysan, in federal court in the Southern District of New York alleging that it had “induced” two individuals to engage in economic espionage by stealing computer data belonging to Nexans Wires. Nexans Wires S.A. v. Sark-USA Inc., 319 F. Supp. 2d 468, 469 (S.D.N.Y. 2004). This stolen data contained Nexans Wires’ confidential and proprietary pricing schedules and manufacturing information. Id. The complaint alleged that a portion of this stolen computer data was e-mailed to Sarkuysan through a private Yahoo! Inc. account and another portion of this data was downloaded to a backup tape and deleted from Nexans Wires’ database. Id. at 470.

Nexans Wires’ complaint alleged, in addition to state law claims, various violations of the federal Computer Fraud and Abuse Act (CFAA), a federal criminal statute which allows for civil remedies. 18 U.S.C. 1030. The CFAA permits a company that “suffers damage or loss by reason of a violation of this…[statute to] maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. 1030(g).

There is no requirement that the data be a trade secret or copyrighted information, only that it be valuable “relative to one’s needs and objectives.” United States v. Czubinski, 106 F.3d 1069, 1078 (1st Cir. 1997). Moreover, the “protected computer” covered by the CFAA” broadly includes all computers that are “used in interstate or foreign commerce or communication.” 18 U.S.C. 1030(e)(2)(B). The CFAA, among its purposes, “is intended to punish those who illegally use computers for commercial advantage.” Shurgard Storage Centers Inc. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121, 1129 (W.D. Wash. 2000).

The Nexans Wires complaint alleged a classic litany of CFAA violations: theft of computer data (18 U.S.C. 1030(a)(2)(C), 1030(a)(4)) and damage to Nexans Wires’ computer data based on the data deletion (18 U.S.C. 1030(5)(A)(i)(ii) and (iii)). Despite the fact that the allegations fit neatly into five causes of action under the CFAA, U.S. District Judge Miriam Cedarbaum granted summary judgment to the defendant on all of the CFAA claims because Nexans Wires could not establish the jurisdictional statutory threshold that it had suffered $5,000 in “loss.”

Civil claim under CFAA must prove a $5,000 loss

As a condition to bringing a claim, a plaintiff must prove “loss…during any 1-year period…aggregating at least $5,000 in value.” 18 U.S.C. 1030(a)(B)(i). In addition to the $5,000 “loss” threshold, the jurisdictional requirement for bringing a civil claim under the CFAA can be established when other statutory requirements are met such as “physical injury to any person” or “a threat to public health or safety,” but these elements rarely, if ever, are a factor for a company seeking redress against a competitor or ex-employee who has stolen or destroyed its valuable computer data. See 18 U.S.C. 1030(a)(B)(ii), (iii), (iv) and (v).

This statutory “loss” requirement is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. 1030 (e)(11).

Failure to allege this element in the complaint will result in the complaint being dismissed (Motorola Credit Corp. v. Uzan, 2002 WL 31319932, at *3 (S.D.N.Y 2002)), and failure of proof on this critical jurisdictional element is “fatal to” a CFAA cause of action (Pearl Investments LLC v. Standard I/O Inc., 257 F. Supp. 2d 326, 349 (D. Maine 2003)). This sine qua non to pursue redress under the CFAA is not well understood and can pose a trap for the unwary. This article will explore the scope of this requirement and how it can be met.

Nexans Wires claimed that it met the $5,000 loss requirement based on three prongs of the statutory definition of “loss”: first, “the cost of responding to the offense”; second, “conducting a damage assessment”; and third, through a loss of “revenue.” To show that it had a “loss” of more than $5,000 in responding to the offense and that it had conducted the damage assessment, Nexans Wires submitted the affidavits of two of its executives who had made two trips from their corporate headquarters in Germany to New York, where the computer data was located. These trips were made after they had been informed of the resignation of each of the employees who were believed to be responsible for the theft of the data.

The two trips amounted to a total cost of $8,007.14. In the course of their visit, the Nexans Wires executives did not examine any of the computers from which the information was allegedly stolen, but simply met with those responsible for overseeing the computers. The meetings included one “at Le Cirque restaurant…where they ‘discussed what proprietary and confidential information was believed to have been stolen,’ ” and potential future steps “to prevent such computer-based theft.” Nexans Wires, 319 F. Supp. 2d at 473.

Cedarbaum found that this proof was insufficient to establish the statutory loss requirement and that the two trips of the Nexans Wires executives were not “in any way related to a computer.” Id. at 476. There was no evidence that “during these meetings computers were being investigated or repaired,” that the executives “were working with a computer technician or consultant,” “that preventive measures were added to the computers or that the system was augmented to tighten security,” or that “they paid technicians to conduct a computer investigation or make repairs to” the computer. Id. The court concluded that “[n]othing in either case law or legislative history suggests that something as far removed from a computer as the travel expenses of senior executives constitutes ‘loss.’ ” Id. at 477.

The court similarly rejected Nexans Wires’ claim “that the revenue they lost as a result of defendants’ use of their information to unfairly compete for business constitutes ‘loss.’ ” Id. The court held that “from the plain language of the statute,” the only revenue that qualifies as a “loss” is “revenue lost ‘because of [an] interruption of service.’ ” Id. at 477. Thus, if Nexans Wires “had lost revenue because [its computers] were down, that would seem to be the type of lost revenue contemplated by the statute.” Id.

Nexans Wires could have avoided the dismissal of its complaint if it had simply hired a forensic investigator to focus on the computer issues. In EF Cultural Travel B.V. v. Explorica Inc., 274 F.3d 577, 584, n.17 (1st Cir. 2001), the 1st U.S. Circuit Court of Appeals found that the plaintiffs had established “loss,” even though there was no damage to their computer network, because they had “paid $20,944.92 to assess whether their website had been compromised.” (This case was decided before Congress amended the CFAA in 2001 in the USA Patriot Act to define “loss” expressly as including costs of responding to an offense and assessing the damage.) As one court later observed, “the Explorica decision demonstrates the ease with which a plaintiff may be able to satisfy…the $5,000 damages element.” Pacific Aerospace & Electronics Inc. v. Taylor, 295 F. Supp. 2d 1188, 1197 (E.D. Wash. 2003)

The computer-damage assessment also does not have to be limited to hiring third-party independent contractors. In United States v. Middleton, 231 F.3d 1207, 1213-14 (9th Cir. 2000), the 9th Circuit held that it was proper for the government in a criminal prosecution under the CFAA to meet the requisite $5,000 “by multiplying the number of hours that each employee [of the corporate victim] spent in fixing the computer problems by their respective hourly rates (calculated using their annual salaries).” As the court stated, “[t]here is no reason to believe that Congress intended…[this] element…to depend on a victim’s choice whether to use hourly employees, outside contractors, or salaried employees to repair the same level of harm to a protected computer.” Id. at 1214.

Use of forensic investigators can meet $5,000 threshold

In short, the lesson from Nexans Wires is that the time to start thinking about meeting the $5,000 jurisdictional element of the CFAA is when the violation is first discovered. The irony is that Nexans Wires could have used the money it spent to lose the motion practice on this issue-likely amounting to more than $5,000-not to mention the cost of dining at Le Cirque, for a complete forensic review of the computer at issue. While hiring a computer forensic investigator is a simple matter, it should not be viewed as a ploy to construct a case under the CFAA. There are a number of sound reasons to use forensic investigators when illegal computer intrusions are suspected.

First, the theft of data might be more significant than it appears from a review of what can readily be viewed on the computer or the network. A forensic examination has the potential of revealing the theft of other data where the means of the theft were deleted by the perpetrator and uncovering how the stolen data left the network.

Second, a forensic computer examiner uses special software to preserve dates inherent in certain programs that can precisely time when the thefts occurred and when data left the network. This evidence can be permanently lost if an untrained technician simply opens programs in search of evidence.

Third, when court testimony or affidavits are required, it is always preferable to present a trained expert as opposed to an arguably biased and computer-illiterate businessperson, who as in Nexans Wires, conducted an investigation over dinner conversation in a fancy French restaurant.