Wisconsin Lawyer: Not Authorized! Employees and Computer Fraud:

State Bar of Wisconsin

Sign In

Top Link Bar

    Wisconsin LawyerWisconsin Lawyer

News & Pubs Search

Advanced

    Not Authorized! Employees and Computer Fraud

    Computers have revolutionized the work world but also have made it much simpler for employees to leave the job with their former employers’ property.

    Barbara A. Neider & Joseph Diedrich

    Share This:
    drilling into filing cabinet

    Your client calls with bad news. His burgeoning company had just recorded its best quarter ever. It seemed as though the sky was the limit, and others had started to take notice – including competitors. In the flurry of publicity, the company’s biggest rival head-hunted the company’s star salesperson. Up-and-comers were waiting in the wings to take her place, so your client thought everything would be fine – that is, until someone realized that the ex-salesperson downloaded customer lists, client data, and other confidential information onto a flash drive and took it with her.

    Upon inspection of the ex-employee’s emails, the company’s IT department discovered that she was actually working for the competition two months before she resigned. And before she left, she permanently erased all contents of her company laptop, much of which was not stored elsewhere. Your client says the whole ordeal has already cost his company thousands of dollars to investigate and likely will cost much more in lost revenue.

    Computer Fraud and Abuse Act

    This scenario plays out all too often. One recent study found that more than half of all employees take with them proprietary data either knowingly or unwittingly when they leave a company.1 This really should not be surprising, though, given the ubiquity of computers, smartphones, and tablets in the workplace, as well as the ever-greater frequency of job changes in the professional market.

    A situation like the one described above may come within the reach of the federal Computer Fraud and Abuse Act (CFAA), a criminal and civil statute that provides remedies for victims of security breaches. Under the CFAA, employers, for instance, can seek damages from former employees who access company computers “without authorization” or who exceed authorized access.2 Depending on the facts, the CFAA may also apply to:

    • Current employees who access company computers “without authorization” or exceed authorized access;

    • Third parties, including competitors, who are associated with current or former employees and who access company computers “without authorization” or exceed authorized access;

    • Third parties, including contractors, who access company computers “without authorization” or exceed authorized access; and

    • Third parties, known or unknown, who access any computer “without authorization” or exceed authorized access – that is, outside hackers.

    Barbara A. NeiderBarbara A. Neider, U.W. 1980 magna cum laude, Order of the Coif, is a partner at Stafford Rosenbaum LLP, Madison, focusing on commercial litigation, appellate work, and legal ethics

    Joseph S. DiedrichJoseph S. Diedrich is a 3L student at the U.W. Law School, where he serves as an articles editor of the Wisconsin Law Review.

    This article provides an overview of the CFAA and offers advice for Wisconsin lawyers in navigating the complicated law. It begins with the background of the CFAA, which sheds some light on its purpose and its scope. Then, focusing on the operative statutory term “authorization,” it discusses various judicial interpretations of the CFAA, particularly those in the Seventh Circuit. This dovetails into a synopsis of practice issues accompanying the CFAA, both in general and specifically in regard to the employment context. Finally, this article takes a brief look at the future of the CFAA and then concludes with a reflection on the statute’s broad impact.

    CFAA Background

    Enacted in 1984 as a narrow criminal statute, the CFAA has since become “breathtakingly broad.”3 In its early days, the CFAA prohibited the unauthorized access of certain computers to obtain national security secrets or confidential financial information. While the CFAA’s legislative history suggests it was originally intended as an anti-hacking law,4 a series of amendments has extended the statute’s reach. Courts have applied the CFAA not only to redress outside hacking5 but also to remedy “inside jobs.”6

    In 1994, Congress added a civil-action provision, allowing any victim of computer misuse to bring a federal claim.7 Today, the CFAA exposes to criminal and civil liability any person who:

    • Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer;8

    • Knowingly, and with intent to defraud, accesses a protected computer without authorization or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value;9

    • Knowingly causes the transmission of a program, information, code, or command and as a result of such conduct, intentionally causes damage without authorization to a protected computer;10

    • Intentionally accesses a protected computer without authorization and as a result of such conduct, recklessly causes damage;11 or

    • Intentionally accesses a protected computer without authorization and as a result of such conduct, causes damage and loss.12

    In a civil case, a plaintiff must plead and prove one of the above, as well as a “loss” of at least $5,000 in a one-year period.13Loss is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”14 Note that 18 U.S.C. § 1030(a)(5)(C) (the source of the item in the final bullet on the list above) is unique in that it requires the existence of both loss and damage to constitute a violation.15 As defined in the statute, damage means “any impairment to the integrity or availability of data, a program, a system, or information.”16

    Protected computer means any computer that affects interstate commerce, which arguably includes any device connected to the Internet.17 The CFAA therefore likely applies to all modern desktops, laptops, tablets, smartphones, infotainment systems, and all similar devices.18

    Authorized or Not?

    The CFAA’s broad language has led to a split in the federal courts as to how the CFAA is to be interpreted and applied. Liability under the CFAA often hinges on whether a person acted “without authorization” or “exceed[ed] authorized access.”19 The statute defines exceeds authorized access to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter[.]”20 The CFAA, however, defines neither “access” nor “authorize.” Without explicit statutory guidance, the courts must decide what it means to act “without authorization.” This has led to an enormous volume of litigation and to multiple interpretations.

    The Seventh Circuit: The Agency Approach

    The Seventh Circuit Court of Appeals has adopted an agency-based approach in deciding whether an employee’s use of a computer was “authorized” within the meaning of the CFAA. In International Airport Centers v. Citrin,21 International Airport Centers (IAC) provided a laptop to its employee, Jacob Citrin, for work purposes. Citrin decided to quit working for IAC and go into business for himself, in breach of his employment contract. Before returning IAC’s laptop, Citrin used secure-erasure software to permanently delete company data and evidence of improper conduct he had engaged in before he quit.22 IAC sued Citrin, alleging claims under the CFAA.

    In an opinion by Judge Posner, the Seventh Circuit reasoned that when Citrin engaged in misconduct and decided to quit, he violated his duty of loyalty and severed his agency relationship with IAC.23 Because the agency relationship had been the basis of Citrin’s authority to access the laptop, Citrin’s access of the laptop after the termination of the agency relationship was “without authorization” under the CFAA.24

    After Citrin, the U.S. District Court for the Eastern District of Wisconsin decided Jarosch v. American Family Mutual Insurance Co., a case involving several long-time American Family insurance agents.25 For months, the agents engaged in discussions with Couri Insurance Associates, an American Family competitor. Couri ultimately convinced the agents to leave American Family and form independent agencies in partnership with Couri.

    Employers suing in the Seventh Circuit may have a better chance than employers in other jurisdictions of proving CFAA claims against disloyal former employees.

    At roughly the same time, the agents all terminated their contracts with American Family and established their own agencies. Before leaving, however, the agents began copying policyholder information from American Family’s electronic database to their new agencies’ respective databases. After the agents sued American Family for failing to fully compensate them, American Family asserted several counterclaims, including a claim under the CFAA.26

    The Jarosch court followed the Citrin precedent and applied agency principles. The court determined that by copying American Family data for the benefit of their new agencies, the agents breached their duty of loyalty to American Family and terminated their agency relationship with it. Accordingly, the agents’ authority to access American Family’s database was terminated, too.27 As in Citrin, the agents accessed American Family’s computers “without authorization” under the CFAA.28 American Family, however, did not prevail on its CFAA claims because it failed to prove a “loss.”29

    Citrin and Jarosch establish an employer-friendly interpretation of the CFAA in Wisconsin, at least compared to other jurisdictions, as discussed below. Employers suing in the Seventh Circuit may have a better chance than employers in other jurisdictions of proving CFAA claims against disloyal former employees. Keep in mind, however, that the Seventh Circuit’s agency analysis extends only to situations in which an agency relationship exists. If the defendant is an outside hacker, Citrin likely would not apply.

    How to Guard Against Potential Liability

    Create a Bring-Your-Own-Device Policy

    The Computer Fraud and Abuse Act’s (CFAA) civil remedy is often invoked by employers against ex-employees. Yet there may be at least one situation in which an employee or ex-employee could sue an employer under the CFAA. That situation involves the use of personal devices for work purposes, often under “bring your own device” (BYOD) regimes.

    Most BYOD policies provide that an employer has the ability to remotely remove – “wipe” – data from a personal dual-use device if it is lost or stolen or when an employee leaves a company. Typical wiping software sends a signal to a device that removes all data, including personal information – personal contacts, email, photos, music, and so on. Depending on the facts, an employee may be able to allege that the employer accessed his or her personal device “without authorization” or in a manner that exceeded authorized access under the CFAA. Some scholars, though, are skeptical that CFAA claims against employers would be successful in the BYOD context.65

    Employers can nevertheless guard against potential liability in two different yet complementary ways. First, a well-drafted BYOD policy should explain exactly what an employer will do if a personal dual-use device is lost or stolen and when an employee leaves the company. It should also cover any monitoring measures the employer will apply to the device. The policy should be recited in a free-standing document, signed by the employee, and renewed on a regular basis.66

    Second, employers should opt for wiping software that creates a “sandbox.” A sandbox is an isolated area on a personal dual-use device that contains exclusively company data. When a device is wiped, only the isolated area is deleted, and all the personal data stored on the device remains intact.

    Know What to Do If a Data Breach Occurs

    Wisconsin companies must also keep in mind their potential obligations in the event of a CFAA-violating data breach. Section 134.98(2) of the Wisconsin Statutes provides that when a company knows that personal information in its computer database has been obtained without authorization, the company must “make reasonable efforts to notify each subject of the personal information.” So, if a departing employee accesses client information without authorization under the CFAA, that action may trigger a duty to notify under Wisconsin law.

    “‘Personal information’ means an individual’s last name and the individual’s first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:

    1) The individual’s Social Security number.

    2) The individual’s driver’s license number or state identification number.

    3) The number of the individual’s financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual’s financial account.

    4) The individual’s deoxyribonucleic acid (DNA) profile, as defined insection 939.74(2d)(a).

    5) The individual’s unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.” Wis. Stat. § 134.98(1)(b).

    Other Circuits

    Other circuits have interpreted the CFAA differently. Some have adopted a “purpose-based” interpretation of the CFAA.30 Under this approach, courts consider a person’s purpose for accessing a computer or his or her use of the information obtained from it.31

    For example, in United States v. John, a bank employee was convicted under the CFAA after she accessed customer information on the bank’s computer system to facilitate a fraudulent charging scheme.32 The Fifth Circuit reasoned that, although the employee was authorized to access the bank’s computers for lawful purposes, she was not authorized to access them for unlawful purposes.33 By accessing the computers for the purpose of committing fraud, the employee exceeded authorized access.34

    Under a narrow approach adopted by the Second,35 Fourth,36 and Ninth37 Circuits, courts consider neither the purpose for which a person accesses a computer nor his or her ultimate use of information obtained from a computer. Instead, the focus is on whether the employee was authorized to access the computer when the access occurred.

    In WEC Carolina Energy Solutions LLC v. Miller, for instance, the defendant was given a laptop and cell phone by his employer, WEC Carolina Energy.38 He had access to confidential information on WEC Carolina Energy’s servers.39 In violation of a WEC Carolina Energy computer-use policy, the defendant downloaded that information and used it in a presentation on behalf of a competitor.40 The court reasoned that the defendant’s use of information obtained by accessing the computer did not matter for purposes of CFAA liability.41 Because the defendant had permission to access the information, he did not violate the CFAA.42

    CFAA Practice

    CFAA claims often arise under facts that also give rise to other claims. Indeed, at least in the Seventh Circuit, “most employee disloyalty cases can be pled as CFAA cases” – and vice versa – “because a disloyal employee has forfeited his right to access his employer’s computer.”43 Depending on the facts, other claims may include, for example, misappropriation of trade secrets,44 injury to business,45 property damage caused by crime,46 conversion, breach of fiduciary duty, breach of contract, and breach of the covenant of good faith and fair dealing. Wisconsin also has its own computer-crimes statute.47

    As a federal statute, the CFAA provides a basis for federal-question jurisdiction, thus allowing litigants access to the federal courts, if that is where they prefer to litigate.48Cases involving ex-employees often will not qualify for diversity jurisdiction, and the non-CFAA claims listed above are all based on state law. The CFAA, then, may provide a litigant’s only entrée into federal court.49

    Under the CFAA, a plaintiff may seek compensatory damages, injunctive relief, and “other equitable relief.”50 These remedies have the potential to exceed those provided by other claims. By way of example, Wisconsin’s computer-crimes statute provides for civil injunctive relief but not compensatory damages.51

    Employers should consider investing in computer systems that grant multiple levels of access based on employees’ respective authorization levels.

    The CFAA provides for recovery of compensatory damages “for any reasonable cost,” including “the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”52 Costs incurred to investigate and respond to potential damage are also typically recoverable.53

    Although “the CFAA allows recovery for losses sustained even if data or computers were not damaged,”54 district courts within the Seventh Circuit are split as to whether misappropriation of confidential information alone constitutes a “loss” under the CFAA.55

    The statute of limitation for CFAA civil claims is two years.56 Claims accrue on the “date of the act complained of or the date of the discovery of the damage.”57 Related state-law claims, such as those mentioned above, may have different limitation periods. For example, in Wisconsin, contract claims generally must be brought within six years58 and misappropriation-of-trade-secrets claims within three.59

    In the Employment Context

    In light of the CFAA (and computer-security issues more generally), employment contracts, computer-use policies, or both should clearly explain which parts of the employer’s computer system particular employees are authorized to access.60 These documents should also outline the uses for which access is prohibited: for personal benefit; for the benefit of a competitor or other third party; to gather confidential data; for nonbusiness purposes; for illegal purposes; and so forth. Well-written contracts and policies may strengthen a CFAA claim,61 especially to the extent they unambiguously define the scope of the agency relationship as it relates to computer access.

    Even with well-written contracts and policies, however, technology provides the best defense against unauthorized access. While expensive in the short term, employers should consider investing in computer systems that grant multiple levels of access based on employees’ respective authorization levels. Employees who do not need access to particular data to perform their jobs should not be able to access that data. In the long run, advanced security measures may save money by limiting unauthorized access in the first instance, making costly litigation unnecessary.

    Employers should have a procedure for handling employee departures. Whenever any employee leaves, the employer should promptly terminate remote access, ensure that all company-owned devices are returned, and expressly communicate to the employee that he or she is no longer authorized to access the employer’s computer system at any time, for any reason.

    Employers considering a new hire also must be aware of the CFAA. The last thing a company wants is for a new employee to be sued by a former employer alleging unauthorized computer access. Throughout the screening and interview process, employers should try to ensure – in the same way they guard against potential violations of noncompete, confidentiality, and nondisclosure agreements – that candidates carry no CFAA baggage.62

    To the extent a company operates outside Wisconsin, forum-selection clauses become that much more important in light of the circuit split regarding CFAA liability. From an employer’s standpoint, employment contracts should ensure that any litigation take place in an “agency” or “purpose-based” jurisdiction, preferably the Seventh Circuit.

    For employees, the most crucial thing is to be aware of what the CFAA prohibits, which in turn depends in part on what an employer authorizes. From the beginning of any employment relationship, employees should make sure they understand which data, software, and information they are authorized to access. And whenever there is any doubt, employees should consult with their supervisors regarding authorization.

    The Future

    Consistent with its history so far, the CFAA likely will change in the near future. The circuit split is ripe for U.S. Supreme Court review. Because the CFAA has the potential to affect such a large section of the population, there is a practical need for a uniform interpretation of “without authorization” and “exceeds authorized access.” In addition, at least one scholar believes that the entire CFAA could fall on constitutional void-for-vagueness grounds.63

    Furthermore, Congress likely will continue to tinker with the CFAA.
    A bipartisan proposal to amend the CFAA and ostensibly limit its scope was introduced in 2013 and again in 2015. Other amendments – some to curtail the CFAA, others to beef it up – have also been proposed.64

    Conclusion

    CFAA litigation shows no signs of slowing down. Computers continue to proliferate and commerce continues to become more interconnected. Data collection, storage, and security technologies constantly evolve. The Seventh Circuit’s interpretation of operative statutory terms has extended the CFAA’s reach to a variety of situations, especially in the employment context. With that in mind, Wisconsin employers and employees should be aware of their respective rights and obligations under the CFAA. And whether advising on an employment matter or contemplating action against hackers, Wisconsin lawyers must be familiar with the CFAA and its intersection with analogous state law.

    Endnotes

    1 See Danielle E. Sunberg, Note, Reining in the Rogue Employee: The Fourth Circuit Limits Employee Liability Under the CFAA, 62 Am. U. L. Rev. 1417, 1418-19 (2013) (citing Brian Krebs, Data Theft Common by Departing Employees, Wash. Post, Feb. 26, 2009).

    2 See, e.g., Pacific Aerospace & Elecs. Inc. v. Taylor, 295 F. Supp. 2d 1188, 1196 (E.D. Wash. 2003) (“Employers … are increasingly taking advantage of the CFAA’s civil remedies to sue former employees and their new companies who seek a competitive edge through wrongful use of information from the former employer’s computer system.”).

    3 Orin S. Kerr, Cyberspace & the Law: Privacy, Property, and Crime in the Virtual Frontier: Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561-70, 76 (2010).

    4 See S. Rep. 99-432, at *1, *7-10 (1986); H.R. Rep. 98-894, at *20-21 (1984); David J. Schmitt, The Computer Fraud and Abuse Act Should Not Apply to the Misuse of Information Accessed with Permission, 47 Creighton L. Rev. 423, 432 (2014).

    5 United States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012).

    6 1st Rate Mortg. Corp. v. Vision Mortg. Servs. Corp., No. 09-C-471, 2011 WL 666088, at *3 (E.D. Wis. Feb. 15, 2011) (unpublished).

    7 18 U.S.C. § 1030(g); Computer Abuse Amendments Act of 1994, Pub. L. No. 103-322, tit. XXIX, 108 Stat. 2097, 2098.

    8 18 U.S.C. § 1030(a)(2)(C).

    9 18 U.S.C. § 1030(a)(4).

    10 18 U.S.C. § 1030(a)(5)(A).

    11 18 U.S.C. § 1030(a)(5)(B).

    12 18 U.S.C. § 1030(a)(5)(C).

    13 18 U.S.C. §§ 1030(c)(4)(A)(i)(I), 1030(g). In other words, “[a] person suing under § 1030(g) must prove (1) damage or loss (2) by reason of (3) a violation of § 1030(a), and (4) conduct involving one of the factors set forth in § 1030(c)(4)(A)(i).” Jarosch v. American Family Mut. Ins. Co., 837 F. Supp. 2d 980, 1020 (E.D. Wis. 2011) (citing Landmark Credit Union v. Doberstein, 746 F. Supp. 2d 990, 993 (E.D. Wis. 2010)).

    14 18 U.S.C. § 1030(e)(11); see also 1st Rate Mortg. Corp., 2011 WL 666088, at *2 (quoting NCMIC Fin. Corp. v. Artino, 638 F. Supp. 2d 1042, 1063-64 (S.D. Iowa 2009)) (“Courts have interpreted ‘loss’ to include the cost of responding to a security breach, such as the cost of performing a computer system damage assessment, even if the losses are not derived from any change to the computers themselves or the information contained on the computer.”); Pascal Pour Elle Ltd. v. Jin, 75 F. Supp. 3d 782, 791 (N.D. Ill. 2014)
    (“[T]he ‘cost of responding to an offense’ includes the costs associated with conducting investigation and security assessments in response to a suspected violation of the CFAA.”).

    15 See Pascal Pour Elle, 75 F. Supp. 3d at 790 (dismissing, without prejudice, claim under 18 U.S.C. § 1030(a)(5)(C) in absence of facts alleging damage).

    16 18 U.S.C.§ 1030(e)(8). Note that “[m]ere accessing of data does not meet the definition of damage under the CFAA.” Pascal Pour Elle, 75 F. Supp. 3d at 791 (citing Farmers Ins. Exchange v. The Auto Club Grp., 823 F. Supp. 2d 847, 852-53 (N.D. Ill. 2011); Mintel Int’l Grp. Ltd. v. Neergheen, No. 08 C 3939, 2010 WL 145786, at *9 (N.D. Ill. Jan. 12, 2010)); see also Fidlar Techs. v. LPS Real Estate Data Sols. Inc., 810 F.3d 1075, 1084-85 (7th Cir. 2016). While “damage” encompasses “clearly destructive behavior such as using a virus or worm or deleting data,” Fidlar, 810 F.3d at 1084 (citing Int’l Airport Ctrs. L.L.C. v. Citrin, 440 F.3d 418, 419 (7th Cir. 2006)), “it may also include less obviously invasive conduct, such as flooding an email account,” id. (citing Pulte Homes Inc. v. Laborers’ Int’l Union, 648 F.3d 295, 301-02 (6th Cir. 2011)).

    17 See 18 U.S.C. § 1030(e)(2).

    18 Only typewriters, portable hand-held calculators, and other similar devices are expressly exempted from the definition of “computer.” See § 1030(e)(1).

    19 See 18 U.S.C. § 1030(a).

    20 18 U.S.C. § 1030(e)(6).

    21 440 F.3d at 420-21.

    22 Id. at 419-20.

    23 Id. at 420-21 (“Violating the duty of loyalty, or failing to disclose adverse interests, voids the agency relationship.”); accord NCMIC Fin. Corp., 638 F. Supp. 2d at 1060-62 (employee’s authority to access employer’s computer terminated under agency law when employee “decided to compete against NCMIC and subsequently e-mailed NCMIC’s customer spreadsheet to his personal e-mail account”).

    24 Citrin, 440 F.3d at 420-21.

    25 Jarosch, 837 F. Supp. 2d at 985-87.

    26 Id.

    27 Id. at 1020-22.

    28 Id. at 1022-23.

    29 Id.; see supra notes 13-14 and accompanying text.

    30 See, e.g., United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); EF Cultural Travel BV v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001).

    31 See John, 597 F.3d at 271.

    32 Id. at 269-70.

    33 Id. at 271.

    34 Id. at 271-72, 289.

    35 See United States v. Valle, 807 F.3d 508, 527–28 (2d Cir. 2015).

    36 See WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012).

    37 See United States v. Nosal, 676 F.3d 854 (9th Cir. 2012); LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009).

    38 WEC Carolina Energy, 687 F.3d at 202.

    39 Id.

    40 Id.

    41 Id. at 204.

    42 Id. at 207.

    43 Dental Health Prods. Inc. v. Ringo, No. 08-C-1039, 2009 WL 1076883, at *3 (E.D. Wis. Apr. 20, 2009) (unpublished).

    44 Wis. Stat. § 134.90.

    45 Wis. Stat. § 134.01; Radue v. Dill, 74 Wis. 2d 239, 245, 246 N.W.2d 507 (1976).

    46 Wis. Stat. § 895.446.

    47 Wis. Stat. § 943.70.

    48 But cf. Landmark Credit Union v. Doberstein, 746 F. Supp. 2d 990, 995 (E.D. Wis. 2010) (in case removed from state court, finding CFAA claim “insubstantial” in comparison to state law claims and remanding for want of jurisdiction).

    49 See, e.g., Maxpower Corp. v. Abraham, 557 F. Supp. 2d 955, 956 (W.D. Wis. 2008) (noting that CFAA claim was the basis – the only basis – for federal jurisdiction among all claims in case involving alleged misappropriation of confidential information).

    50 18 U.S.C. § 1030(g). “Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages.” Id.

    51 Wis. Stat. § 943.70(5). But see Maxpower Corp., 557 F. Supp. 2d at 963 (suggesting that monetary damages could be recovered under Wis. Stat. section 943.70).

    52 18 U.S.C. § 1030(e)(11).

    53 E.g., Dental Health Prods., 2009 WL 1076883, at *3 ($16,000 spent on computer expert to determine the extent of unauthorized access constituted a “loss” under CFAA). Contra Jarosch, 837 F. Supp. 2d at 1022-23.

    54 1st Rate Mortg. Corp., 2011 WL 666088, at *2.

    55 Compare Direct Supply Inc. v. Pedersen, No. 10-C-0278, 2011 WL 1131092, at *2 (E.D. Wis. Mar. 28, 2011) (citing cases limiting a plaintiff to recovery of loss associated with investigating and repairing damage to the plaintiff’s computer system) with C. H. Robinson Worldwide Inc. v. Command Transp. LLC, No. 05 C 3401, 2005 WL 3077998, at *2-3 (N.D. Ill. 2005) (plaintiff properly alleged “loss” based on allegations of loss in value of trade secrets and loss of competitive edge).

    56 18 U.S.C. § 1030(g).

    57 Id.

    58 Wis. Stat. § 893.43.

    59 Wis. Stat. § 893.51(2); see Fail-Safe LLC v. A.O. Smith Corp., 744 F. Supp. 2d 831, 851 (E.D. Wis. 2010).

    60 As required by HIPAA security law, many employers already have policies and safeguards in place related to computer access. Such policies and safeguards, including hardware- and software-based access restrictions, can also be used to address CFAA issues.

    61 See Hewlett-Packard Co. v. BYD:Sign Inc., 2007 WL 275476 *11-13 (E.D. Tex. 2007) (complaint stated CFAA claim in which defendants agreed not only to refrain from disclosing proprietary information but also to refrain from sending or accessing messages on HP’s computer systems for personal gain).

    62 See, e.g., Motorola Inc. v. Lemko Corp., 609 F. Supp. 2d 760, 762-64 (N.D. Ill. 2009) (former employer suing both former employee and his new employer under the CFAA).

    63 Kerr, supra note 3, at 1573-78.

    64 See James Juo, Split over the Use of the CFAA Against Disloyal Employees, 61-Feb. Fed. Law. 50, 52-54 (2014); Sunberg, supra note 1, at 1433-38; Cory Bennett, ‘Aaron’s Law’ Focuses Penalties on Malicious Hackers, The Hill, Apr. 21, 2015; David Bitkower, U.S. Deputy Assistant Att’y Gen., Keynote Address at the George Washington Law Review Symposium: Hacking into the Computer Fraud and Abuse Act (Nov. 6, 2015).

    65 See, e.g., Andrew Freedman, Managing Personal Device Use in the Workplace: How to Avoid Data Security Issues and to Dig Yourself Out of Your Failed BYOD Policy, 20 Suffolk J. Trial & App. Advoc. 284, 302-06 (2015).

    66 See Tom Kaneshige, What California’s BYOD Reimbursement Ruling Means to CIOs, CIO, Aug. 26, 2014.