Attorney Steve® Computer and Internet Law - 18 U.S. Code § 1030 - Fraud and related activity in connection with computers [Computer Fraud and Abuse Act]
18 U.S.C. 1030
Here is the text of the law.
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n)  of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); (B information from any department or agency of the United States; or (C) information from any protected computer;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, access such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5) (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (B)intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (C)intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if— (A)such trafficking affects interstate or foreign commerce; or (B)such computer is used by or for the Government of the United States; 
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
(A)threat to cause damage to a protected computer;
(B)threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access;
or (C)demand or request for money or another thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion; shall be punished as provided in subsection (c) of this section.
CFAA Case Law
To maintain a civil action under the CFAA, the plaintiff must show that he or she "suffer[ed] damage or loss by reason of [the defendant's] violation" of the Act and that one of five enumerated circumstances is present. 18 U.S.C. § 1030(g). NovelPoster claims that the defendants violated two provisions of the CFAA, 18 U.S.C. § 1030(a)(2)(C) and 18 U.S.C. § 1030(a)(5)(C). Section 1030(a)(2)(C) makes liable anyone who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer." 18 U.S.C. § 1030(a)(2)(C). Section 1030(a)(5)(C) similarly creates a cause of action against anyone who "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss." 18 U.S.C. § 1030(a)(5)(C). The circumstance relevant to NovelPoster's claims is whether the defendants' alleged CFAA violations caused "loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value." 18 U.S.C. § 1030(c)(4)(A)(i)(I). The upshot is that NovelPoster must show that the defendants' violation of each of the alleged CFAA provisions caused a loss of at least $5,000, and, further, that the defendants' violation of section 1030(a)(5)(C) caused both "damage and loss." 18 U.S.C. §§ 1030(a)(5)(C), 1030(c)(4)(A)(i)(I); see also, Network Cargo Sys. Int'l, Inc. v. Pappas, No. 13-cv-09171, 2014 U.S. Dist. LEXIS 58552, 2014 WL 1674650, at *2 (N.D. Ill. Apr. 25, 2014) (noting that a plaintiff bringing a claim under 18 U.S.C. 1030(a)(5)(C) must show both "damage" and "loss").
The CFAA defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information." 18 U.S.C. § 1030(e)(8). "Loss" is defined as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." Id. § 1030(e)(11). Thus, while "damage" covers harm to data and information, "loss" refers to monetary harms sustained by the plaintiff. See Phillips v. Ex'r of Estate of Arnold, 13-cv-00444, 2013 U.S. Dist. LEXIS 116542, 2013 WL 4458790, at *4 (W.D. Wash. Aug. 16, 2013).