On May 10, 2017, Justice Kornreich of the New York County Commercial Division issued a decision in Spec Simple, Inc. v. Designer Pages Online LLC, 2017 NY Slip Op. 27159, holding that unfair competition damages are not recoverable under the federal Computer Fraud and Abuse Act (“CFAA”).
In Spec Simple, the plaintiff alleged that a competitor logged on to its database and used information found there to compete against it. The court dismissed the plaintiff’s CFAA claim against the defendant, explaining:
Under the facts alleged in the AC, the truth of which must be assumed for the purposes of this motion to dismiss, it is reasonable to infer that defendants’ alleged unauthorized access was made with the requisite scienter. A plausible inference of ill intent may be drawn from a customer’s single login being used to conduct 1,000 searches on a single day from computers around the world. That these searches were made by a competitor in breach of FXFOWLE’s contract with plaintiff permits an additional inference that such access was for the purpose of unfair competition.
This is not a case where an authorized user merely improperly accessed plaintiff’s information. Rather, the wrong here was that an authorized user (FXFOWLE) allegedly gave an unauthorized user (DPO) credentials so DPO, a competitor of which FXFOWLE is a part owner, could access plaintiff’s information to enable DPO’s alleged theft of plaintiff’s proprietary database structure. DPO could not have reasonably believed that it had the right (or plaintiff’s consent) to access plaintiff’s database. Even if all it did was innocuously peruse, but not copy or utilize anything, DPO has no legitimate basis to contend that it had plaintiff’s consent to do so. The surreptitious manner in which it allegedly accessed the database belies such an inference. Nor is this a situation of a faithless employee who simply exceeded the scope of his permitted access.
That being said, as noted earlier, this is an area of law in which there is much disagreement. This court need not reach the unsettled issues raised by the parties because plaintiff has failed to plead damages recoverable within the meaning of the statute. Causing a “loss” in excess of $5,000 is the requisite third element of a CFAA claim. The losses set forth in the AC — unfair competition losses due to DPO’s poaching customers after upgrading its product with the benefit of plaintiff’s misappropriated trade secrets — are not recoverable under the CFAA.
Loss is defined in § 1030(e)(11) to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” “Damages” is defined in § 1030(e)(8) as “any impairment to the integrity or availability of data, a program, a system, or information.” Based on these definitions, courts in the Second Circuit have consistently held that the damages recoverable on a CFAA claim are (absent an allegation of interruption of service, which is not alleged) limited to recovery for harm to the computer system that was accessed without authorization. Damages for unfair competition injuries, such as those pleaded by plaintiff in this case, are not recoverable under the CFAA.
(Internal quotations and citations omitted) (emphasis added).