Moxie Pest Control v. Nielsen — Tenth Circuit Broadens CFAA “Loss” Beyond Technological Harm

Background

Moxie Pest Control is a door-to-door pest-control company that stores its sales performance data — including employee leaderboards and commission figures — in a password-protected system. According to Moxie, employees at rival company Aptive Environmental bribed Moxie representatives to hand over login credentials, then used the extracted data to identify and poach Moxie’s top sales staff.

When Moxie discovered the breach, it launched an internal investigation that cost more than $5,000. It then sued under the Computer Fraud and Abuse Act (CFAA), which requires plaintiffs to show they suffered “loss” of at least that threshold amount. The district court dismissed the claim, finding that Moxie’s investigative costs did not qualify as “loss” because there was no underlying damage to computers or data — just confidential business information that was read and copied.

The Court’s Holding

The Tenth Circuit reversed. The CFAA defines “loss” to include “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense.” The court read that definition according to its plain text: the phrase “any reasonable cost” is broad, and the items that follow (“conducting a damage assessment,” etc.) are illustrative examples, not an exhaustive list tied to technological harm.

Because Moxie spent money investigating who accessed its systems and how, those costs were a “reasonable cost” of responding to the unauthorized-access offense — full stop. The court declined to graft a “technological harm nexus” requirement onto the statute, noting that no such requirement appears in the text.

Key Takeaways

• In the Tenth Circuit, a plaintiff can now satisfy the CFAA’s $5,000 loss threshold through investigative costs alone, even if no data was corrupted, deleted, or technically damaged.
• The ruling opens the door to CFAA claims in credential-theft and employee-data-theft cases that previously looked more like state-law trade secret or unfair competition claims.
• Routine investigation expenses — IT forensics, outside counsel review, HR interviews — can all count toward the threshold, making $5,000 easy to reach in almost any serious incident.
• The decision creates a circuit split risk: courts in other circuits have required some nexus to technological harm, so venue may matter more in these cases going forward.

Why It Matters

The CFAA was originally enacted to combat hacking, but over time it has expanded through litigation into a general-purpose tool against computer-related misconduct. This ruling pushes further in that direction: by severing “loss” from any requirement of damage to the computer system itself, the Tenth Circuit makes the CFAA available any time an employee or competitor uses stolen credentials to read confidential data — even if the data remains intact and the system was never harmed.

For businesses, that’s a double-edged development. Companies that suffer credential theft now have a federal cause of action without needing to prove their servers were damaged. But the same logic could, as critics note, be used to bring CFAA claims against security researchers, API scrapers, or employees who exceed their authorized access in ways that cause nothing more than investigative inconvenience. Practitioners in the Tenth Circuit should recalibrate their intake analysis for data-misappropriation cases accordingly.