An Illinois federal court recently found in the favor of the defendant on a plaintiff’s Computer Fraud and Abuse Act claim because the plaintiff allegedly failed to satisfy the statute’s $5,000 damages threshold.

The plaintiff, a computer consulting servicing company which spent time restoring its client’s computer network (a Chicago law firm) after it was allegedly hacked by the plaintiff’s former employee,  sued the former employee for violation of CFAA, among other claims.

CFAA’s damages requirement.  The CFAA requires that a plaintiff prove the damage or loss resulted in losses to one or more persons during any one year period aggregating at least $5,000 in value. 18 U.S.C. § 1030(c)(4)(A)(i).  Summary judgment was entered against the plaintiff in the case for failure to show sufficient damages.  Technology Sourcing, Inc. v. Griffin, Case No. 10 C 4959 (N.D. Ill., 4/30/13).

Lawsuit filed against an alleged hacker.  TSI filed the lawsuit seeking to recover the value of the time it claimed it spent in restoring service to its client’s computer network which crashed after being hacked. TSI’s client was not a party to the lawsuit and apparently incurred no significant expense as a result of the hacking.  

Responsibility for the computer network crashing.  On June 10, 2010, TSI fired Griffin, its primary technician.  Seven weeks later, one of TSI’s clients reported that its server and network were inoperative. In the course of investigating the disruption and restoring the client’s computer service at no cost to the client, TSI learned that the shutdown likely was caused by an unauthorized user twice attempting to log into the client’s server. The unauthorized user’s printer name belonged to Griffin. Suspecting that he was the hacker, the plaintiff sued him in federal court in Chicago. 

Summary judgment denied to the plaintiff and granted to the defendant.  After discovery was completed, both parties moved for summary judgment.  The court held that partial summary judgment for the defendant was appropriate with respect to the plaintiff’s CFAA count because TSI presented no “evidence that data was destroyed, erased, manipulated, [or] sent to a third party.”  Further, the plaintiff’s president’s deposition testimony, and his belated affidavit which was inconsistent in part with his testimony, did not satisfy the court that the $5,000 damages threshold was met.  The remaining claims — state law pendent jurisdiction causes of action — were dismissed without prejudice, as a matter of the court’s discretion, to be pursued in state court if TSI chose to do so. 

Takeaways from this decision.  Unlike TSI’s lawsuit, in the typical CFAA case, the plaintiff’s computer, not a third party computer, is alleged unlawfully accessed.  Also unlike TSI’s lawsuit, the usual contention is either that data from the plaintiff’s computer was used without permission by the person(s) who wrongfully accessed the computer or that the data was provided to someone else who used it without permission.  The Technology Sourcing, Inc. opinion further indicates how difficult it is to state a justiciable CFAA claim when the only alleged damages are unbilled time incurred by a service technician spent in restoring a computer network which crashed due to alleged hacking.