On January 25, a panel of the U.S. Court of Appeals for the 11th Circuit broadly construed the meaning of “loss” under the Computer Fraud and Abuse Act (“CFAA”). In the case before the Court, the Defendant, an executive at the company, was accused of exploiting a generic password to secretly access numerous employees’ email accounts and read the employees’ emails without official authorization “solely on suspicion of dishonesty concerning the content of communications between others, without any reason to suspect wrongful or illegal conduct prior to doing so.”
Under the CFAA, it is unlawful to intentionally access a computer without authorization, or exceed authorized access, and obtain information from any protected computer. The CFAA allows victims to pursue a private cause of action if the unauthorized access causes a minimum “loss” of $5,000. Loss is defined by the CFAA as any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, restoration, lost revenues, or any other consequential damages incurred because of interruption in service.
The Defendant argued that because his alleged improper access into employees’ emails did not cause an interruption in service, the Plaintiff could not recover the cost of hiring forensic experts to examine the method the Defendant used. The 11th Circuit, agreeing with the 4th and the 6th Circuits, held that a loss includes the cost of responding to the improper access, irrespective of whether there was an interruption in service.
According to Vernon Litigation Group attorney Jeffrey Haut, “business leaders often concentrate too narrowly on protecting and detecting outsider threats that they fail to recognize poor internal cybersecurity protocols, such as failing to require unique user ID’s and passwords, that can lead to exploitation by insiders.” While nobody can prevent cyberattacks, businesses and individuals can start to mitigate cyber risk by utilizing the 2014 NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover. Small businesses can also take advantage of NIST’s recent publication, “Small Business Information Security: the Fundamentals,” which guides stakeholders through basic cyber risk assessment and provides concrete steps businesses can take to enhance information security practices.
ABOUT VERNON LITIGATION GROUP
Vernon Litigation Group is based in Naples, Florida, with additional offices in Orlando, Florida, and Atlanta, Georgia. Vernon Litigation Group assists in the recovery of client losses relating to cybersecurity and data privacy and handles cyber litigation cases including identity theft, negligence, financial fraud, misappropriation of identity, unauthorized transactions by employees, and civil penalties involving Florida’s Data Breach Notification law.
For more information, contact:
Vernon Litigation Group
Phone: (239) 319-4434