I’ve Been Hacked. Have I Been Damaged?

Keenan W. Ng, Ad Astra Law Group, LLP

lock-openedPleading computer fraud damages

Computer fraud has been a hot topic in the news with seemingly new lawsuits everyday. Nevertheless, plaintiffs seem to have difficulty pleading damages. Although there is some nuance, pleading damages is a fairly straightforward process as most courts interpret the statutes by their plain meaning.

Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) does not allow for traditional compensatory damages. Rather, the statute allows for the recovery of loss and damage as defined by the statute.

Loss breaks down into two elements: (1) the cost of responding to an offense; and (2) lost revenue or consequential damages arising as a result of an interruption of service. Importantly, the conjunctive word, “and,” is generally interpreted to mean “or” as opposed to requiring both elements to show loss. This is an important distinction because it provides litigants two paths to meeting the $5,000 threshold to bring a civil claim.

Damage means “any impairment to the integrity or availability of data, a program, a system, or information.” Any impairment to integrity or availability of data – such as any deletion of data or a lockout/denial or service – is sufficient to show damage.

Stored Communications Act

The Stored Communications Act (SCA) allows the plaintiff to recover the sum of any actual damages suffered and any profits made by the violator as a result of the violation, and that in no case shall the recovery be for less than $1,000. Note that the statute allows for a plaintiff to essentially double recover: plaintiffs can claim “the sum of” their actual damages in addition to any profits made by the violator.  More importantly, even if the damages and/or profit are $0, a plaintiff can still recover statutory damages of $1,000 per occurrence.

Electronic Communications Privacy Act

Similar to the SCA, the Electronic Communications Privacy Act (ECPA) provides that the plaintiff can recover the sum of any actual damages suffered and any profits made by the violator as a result of the violation. Alternatively, the court may impose statutory damages of the greater of $100 a day for each day of the violation, or $10,000.

California Computer Data Access and Fraud Act

Similar to the CFAA definition of loss, the California Computer Data Access and Fraud Act (CDAFA) allows for the recovery of any costs the victims incurred in determining whether or not their computers or data were harmed as a result of the intrusion. Costs to hire consultants and/or experts, as well as paying your staff to investigate any violation qualify for compensation under the CDAFA.


Pleading computer fraud damages is not as daunting as some litigants might make it out to be. By sticking to the plain language of the statutes and being fairly specific when pleading what your damages are, you should have no problems at the pleading stage.

Ng Keenan - HeadshotAbout the author:

Keenan W. Ng is an Associate at Ad Astra Law Group, LLP. He specializes in representing businesses and individuals in business and employment disputes, including computer fraud, data security and privacy matters, trade secrets misappropriations, and business torts. He can be reached at kng@astralegal.com.

Follow Ad Astra Law Group on Twitter: @astralegalsf​