4th Circuit Holds That Investigatory And Remedial Expenses May Be Recovered As "Economic Damages" In CFAA Unauthorized Access Cases
The CFAA, originally enacted as a criminal anti-hacking statute, proscribes various acts, one of which is "intentionally access[ing] a protected computer without authorization" where the unauthorized access causes damage. In order to establish a violation of that rule, however, the CFAA requires a certain type of harm. The access has to cause either a modification of medical records, physical injury to a person, a threat to public safety or health, or damage a government computer system. Failing that, the access has to cause "loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value." In a civil action for unauthorized access, moreover, the CFAA imposes this limit: when damages are sought only for a violation of the unauthorized access rule, damages "are limited to economic damages."
In today's case the claimant didn't have economic damages (e.g., lost or misappropriated trade secrets; damaged hardware or software). Rather, the claimant had out of pocket losses (consequential damages) incurred in responding to the unauthorized access, namely investigatory and remedial costs. The district court concluded that consequential damages don't count as "economic damages," and therefore the court rejected the CFAA claim on summary judgment.
The Fourth Circuit reversed on the ground that the district court construed "economic damages" too narrowly. The Fourth Circuit held that "economic damages" encompasses expenses incurred as part of the response to a CFAA violation, to investigate the offense and to remediate the intrusion. These types of expenses may include fees charged or labor costs incurred by computer forensics and IT personnel.