I’ve Been Hacked. Have I Been Damaged?

Pleading computer fraud damages

Written by Keenan W. Ng

Plaintiffs seem to have difficulty pleading damages related to computer fraud violations, including the Computer Fraud and Abuse Act (18 U.S.C. §1030), the Stored Communications Act (18 U.S.C. § 2701), the Electronic Communications Privacy Act (18 U.S.C. § 2501), and the California Computer Data Access and Fraud Act (Cal. Penal Code § 502). While litigants simply seem confused as to what they are allowed to ask for, pleading damages is a fairly straightforward process as most courts interpret the requisite sections by their plain meaning.

Computer Fraud and Abuse Act

The CFAA does not allow for traditional compensatory damages. Rather, the statute allows for the recovery of loss and damage as defined by the statute.

Loss means “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” (Emphasis added) 18 U.S.C. § 1030 (e)(11).

Loss breaks down into two elements: (1) the cost of responding to an offense; and (2) lost revenue or consequential damages arising as a result of an interruption of service. Importantly, the conjunctive word, “and,” is generally interpreted to mean “or” as opposed to requiring both elements to show loss. This is an important distinction because it provides litigants two paths to meeting the $5,000 threshold to bring a civil claim.

Damage means “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030 (e)(8). Unlike loss, the CFAA does not require a quantitative threshold of damage to bring a CFAA claim. Any impairment to integrity or availability of data – such as any deletion of data or a lockout/denial or service – is sufficient to show damage.

Stored Communications Act

The SCA allows the plaintiff to recover the sum of any actual damages suffered and any profits made by the violator as a result of the violation, and that in no case shall the recovery be for less than $1000.18 U.S.C. § 2707 (c). Note that the statute allows for a plaintiff to essentially double recover: the can claim “the sum of” their actual damages in addition to the any profits made by the violator. More importantly, even if the damages and/or profit are $0, a plaintiff can still recover statutory damages of $1000 per occurrence.

Moreover, if the violation is willful or intentional, the plaintiff can seek punitive damages. 18 U.S.C. § 2707 (c). The court may also impose reasonable attorneys fees. 18 U.S.C. § 2707 (b)(3), (c).

Electronic Communications Privacy Act

Similar to the SCA, the ECPA provides that the plaintiff to recover the sum of any actual damages suffered and any profits made by the violator as a result of the violation. 18 U.S.C. § 2520 (c)(2)(A). Alternatively, the court may impose statutory damages of the greater of $100 a day for each day of the violation, or $10,000. 18 U.S.C. § 2520 (c)(2)(B).

California Computer Data Access and Fraud Act

Finally, under the CDAFA, a plaintiff may recover compensatory damages, which is defined as “any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by” an access that violates the CDAFA. Cal. Penal Code § 502 (e).

Similar to the CFAA definition of loss, the CDAFA allows for the recovery of any costs the victims incurred in determining whether or not their computers or data were harmed as a result of the intrusion. Costs to hire consultants and/or experts, as well as paying your staff to investigate any violation qualify for compensation under the CDAFA. Unlike the CFAA, the CDAFA does not require any sort of monetary threshold to qualify for CDAFA protection.


Pleading computer fraud damages is not as daunting as some litigants might make it out to be. By sticking to the plain language of the statutes and being fairly specific when pleading what your damages are, you should have no problems at the pleading stage.

Leave a Reply

Your email address will not be published. Required fields are marked *