This comment explores whether a civil plaintiff needs to claim actual damage to a protected computer to recover against a defendant under the CFAA. Several courts have noted that there is little case law regarding damages, and the case law that exists does not help define the reach of damages. Currently, courts are split as to whether a computer system needs to have actual physical damage in order for recovery under the CFAA. Additionally, courts have not adequately addressed how to assess damages, including whether damages may be aggregated across multiple computer systems. The Third, Fifth, and Ninth Circuit Courts of Appeals have held that plaintiffs do not need to show damage to a protected computer in order to recover under the CFAA. However, the Seventh Circuit has stated that a litigant can only state a cause of action if there has been measurable damage to a protected computer. This is a significant issue because, under the CFAA, specific criteria are used to show what constitutes a “protected computer.” If the act requires a showing of actual damages to a protected computer, then civil litigants will be seriously limited in their ability to bring a cause of action. Issues also arise when multiple computers across a network are affected and damage to each individual computer does not reach the statutory minimum proscribed in the CFAA. Litigants should be able to aggregate damages across multiple protected computers within an affected network. This comment will argue that showing actual damages to a protected computer should not be required for a civil litigant to state a claim under the CFAA. Additionally, this comment will argue that damages should be aggregated across multiple protected computers to reach the jurisdictional damage amount. Furthermore, this comment will discuss how the courts have not sufficiently analyzed the CFAA.
Matthew Andris, The Computer Fraud and Abuse Act: Reassessing the Damage Requirement, 27 J. Marshall J. Computer & Info. L. 279 (2009)