Data often is the lifeblood of a business. When a database is breached in one way or another, the results can be devastating—especially if the data falls into the hands of a competitor.

Many companies suffering this kind of loss turn to litigation. Perhaps in an effort to obtain federal court jurisdiction, they may assert claims under the Computer Fraud and Abuse Act (the CFAA), 18 U.S.C. §1030, which prohibits improperly accessing a protected computer. There is, however, a growing consensus in the U.S. Court of Appeals for the Second Circuit that recovery of certain forms of damages under the CFAA simply is not permitted—making it difficult to bring causes of action under the CFAA that are able to withstand motions to dismiss.

The CFAA

As Judge Shirley Werner Kornreich of the Supreme Court, New York County, discussed last month in Spec Simple v. Designer Pages Online, 2017 N.Y. Slip Op. 27159 (Sup. Ct. N.Y. Co. May 10, 2017), “[t]he CFAA criminalizes, inter alia, 'intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] … information from any protected computer,' 18 U.S.C. §1030(a)(2)(c), and 'intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss,' id. §1030(a)(5)(c).” In other words, the CFAA “provides two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.” The CFAA also provides a civil cause of action to “[a]ny person who suffers damage or loss by reason of a violation of this section.” Id. citing Sewell v. Bernardin, 795 F.3d 337, 340 (2d Cir. 2015), quoting §1030(g).