Federal Judge Dismisses CFAA and Illinois Trade Secret Act Claims for Failure to Sufficiently Allege Damage and Adequate Data Protection

On April 11, 2019, a judge in the Northern District of Illinois granted a Motion to Dismiss alleged violations of the federal Computer Fraud and Abuse Act (CFAA) and the Illinois Trade Secrets Act in a case between two websites that both provide coupon codes to the general public, receiving a retailer commission in return. The judge held that Plaintiff CouponCabin, Inc. failed to adequately allege damage and loss as required by the CFAA, and failed to allege that it took proper precautions to keep its coupon codes secret, as required by the Illinois Trade Secrets Act. In doing so, the Court relied on the plain language of the statutes, reminding Plaintiffs that they must definitively assert each part of these two statutes to survive a motion to dismiss.

The Computer Fraud and Abuse Act prohibits individuals from “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, [to] thereby obtain[ ]...information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). CouponCabin, Inc. v PriceTrace, LLC., 2019 WL 1572448, at *2 (N.D. Ill. April 11, 2019). In order to prevail on the merits, a plaintiff must show either loss or damage resulting from such a violation. Id. In this case, the Court found that CouponCabin adequately alleged that PriceTrace intentionally accessed CouponCabin’s website without authorization, took its coupon codes, and published them on its own website for gain, in violation of the Act. But, the Court concluded that CouponCabin failed to plead that this resulted in any loss or harm to its business. Since CouponCabin made “no allegations or argument about what actions it took in response to PriceTrace’s unauthorized access, or whether the costs of those actions exceeded $5,000,” its claim could not go forward. Id. The Court reminded Plaintiffs that “mere accessing of data does not meet the definition of damage under [the statute].” Id. (citations omitted).

The Court also dismissed CouponCabin’s Illinois Trade Secret Act claim for failing to show that it kept its coupon codes adequately secret. As we have explored before, theft of trade secrets claims requires that a plaintiff take “reasonable steps” to keep its information confidential. In this case, CouponCabin argued that the codes that PriceTrace stole from its website “could only be obtained through improper activities.” Id. at *3. However, the Court concluded that CouponCabin failed to allege any type of data encryption, embedding, or other protections on its website that secures the information. In fact, the complaint stated that the website and the coupon codes were “generally accessible” to the public. Id. The Court found that without further indication of how the codes were protected from theft, CouponCabin did not have a sufficient Illinois Trade Secret Act claim. Two other claims of common law tortious conduct survived the motion to dismiss.

TIP: The mere fact that another entity accessed or even improperly used a company’s data is not sufficient to establish a claim under the Computer Fraud and Abuse Act or trade secret laws.