Shooting the Messenger: Remediation of Disclosed Vulnerabilities as CFAA “Loss”
The Computer Fraud and Abuse Act (CFAA) provides a civil cause of action for computer hacking victims that have suffered certain types of harm. Of these harms, the one most commonly invoked by plaintiffs is having suffered $5,000 or more of cognizable “loss” as defined by the statute. In its first-ever CFAA case, 2021’s Van Buren v. United States, the Supreme Court included intriguing language that “loss” in civil cases should be limited to “technological harms” constituting “the typical consequences of hacking.” To date, lower courts have only followed the Court’s interpretation if their circuit already interpreted “loss” narrowly pre-Van Buren and have continued to approach “loss” broadly otherwise.
Van Buren did not fully dissipate the legal risks the CFAA has long posed to a particular community: people who engage in good-faith cybersecurity research. Discovering and reporting security vulnerabilities in software and hardware risks legal action from vendors displeased with unflattering revelations about their products’ flaws. Research activities have even led to criminal investigations at times. Although Van Buren narrowed the CFAA’s scope and prompted reforms in federal criminal charging policy, researchers continue to face some legal exposure. The CFAA still lets litigious vendors “shoot the messenger” by suing over security research that did them no harm. Spending just $5,000 addressing a vulnerability is sufficient to allow the vendor to sue the researcher who reported it, because such remediation costs qualify as “loss” even in courts that read that term narrowly.
To mitigate the CFAA’s legal risk to researchers, a common proposal is a statutory safe harbor for security research. Such proposals walk a fine line between being unduly byzantine for good-faith actors to follow and lax enough to invite abuse by malicious actors. Instead of the safe harbor approach, this article recommends a simpler way to reduce litigation over harmless research: follow the money.
The Article proposes (1) amending the CFAA’s “loss” definition to prevent vulnerability remediation costs alone from satisfying the $5,000 standing threshold absent any other alleged loss, and (2) adding a fee-shifting provision that can be invoked where plaintiffs’ losses do not meet that threshold. Tightening up the “loss” calculus would disqualify retaliatory litigation against beneficial (or at least benign) security research while preserving victims’ ability to seek redress where well-intended research activities do cause harm. Fee-shifting would deter weak CFAA claims and give the recipients of legal threats some leverage to fight back. Coupled with the Van Buren decision, these changes would reach beyond the context of vendor versus researcher: they would help rein in the CFAA’s rampant misuse over behavior far afield from the law’s core anti-hacking purpose.
Jenny Jun is a PhD Candidate in the Department of Political Science at Columbia University and Nonresident Fellow at the Atlantic Council’s Cyber Statecraft Initiative. Her current research explores the dynamics of coercion in cyberspace. Her broader interests include cyber conflict, North Korea, and security issues in East Asia. Jenny is a co-author of the 2015 Center for Strategic and International Studies (CSIS) report North Korea’s Cyber Operations: Strategy and Responses, published by Rowman & Littlefield. She has presented her work on North Korea’s cyber operations at various panels and has provided multiple government briefings and media interviews on the topic. She received her MA and BS each from the Security Studies Program (SSP) and the School of Foreign Service (SFS) at Georgetown University.