The Eleventh Circuit ruled last week in a wrongful discharge turned Computer Fraud and Abuse Act (“CFAA”) case, spinning the employee’s case against his employer on its head. The facts of Brown Jordan International, Inc. v. Carmicle stemmed from the employment of Christopher Carmicle by Brown Jordan, a furniture manufacturer. Carmicle was an executive at Brown Jordan, but his relationship with the company deteriorated with the hiring of a new CEO, Gene Moriarty. Moriarty had doubts about Carmicle based on excessive entertainment expenses, and Carmicle, in turn, had doubts about Moriarty’s trust in him.
In the year prior to Carmicle’s termination, Brown Jordan switched to a new email service. This switch (and the corresponding provision of a generic password—Password1—to all employees) was what Carmicle used to investigate his suspicions of Moriarty and others. Over the course of several months, Carmicle repeatedly hacked into the accounts of Brown Jordan employees, including his superiors, and took hundreds of screenshots on his personal iPad.
Carmicle eventually wrote a letter to the company’s Board of Directors, accusing Moriarty and others of illegal activities. The Board of Directors hired an independent investigator, who learned of the unauthorized email access. The investigator reported Carmicle’s hacking and his misuse of $100,000 in company funds to the Board, who terminated his employment for cause. After learning of Carmicle’s hacking, Brown Jordan hired consultants both to understand how he accessed the email accounts and to conduct a surveillance sweep.
Brown Jordan complained that Carmicle violated the CFAA as well as the Stored Communications Act, and Carmicle brought actions for wrongful discharge and breach of contract. On appeal, the CFAA’s “loss” requirement was at issue. There is a violation of the CFAA for “[w]hoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” U.S.C. § 1030(a)(2)(C). Civil actions may be brought only if one of several requirements is met, one of which is that the plaintiff incurs a minimum “loss” of $5,000 because of the defendant’s violation of the CFAA.
The CFAA defines “loss” as:
any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offenses, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.
18 U.S.C. § 1030(e)(11).
Although some district courts have interpreted “loss” as requiring an interruption of service, both the Fourth and Sixth Circuits have held that loss includes the cost of responding to the offense, regardless of whether there was an interruption of service. Applying a plain language approach, and noting that “loss” is defined in the disjunctive, the Eleventh Circuit held that there can be two types of loss. While the first type requires an interruption of service, the second type does not. Brown Jordan’s use of the consultants to investigate the unauthorized access after the fact is sufficient to constitute “loss” under CFAA.
The Eleventh Circuit’s interpretation of “loss” signals further expansion of the CFAA. The “interruption of service” interpretation advocated by Carmicle would have limited civil actions (under that subsection) to cases of direct damage to the plaintiff’s computers and network, and the cost to restore such damage. The Eleventh Circuit’s interpretation, however, does not require that the plaintiff is even aware of the offense at or around the time it occurs. Merely learning of an unauthorized access, and attempting to understand how it affects the company months down the road is sufficient. This interpretation effectively arms employers, and others, to combat unauthorized computer access, even where they may not have known it occurred.