Tenth Circuit Broadens CFAA ‘Loss’ Beyond Technological Harm–Moxie v. Nielsen (Guest Blog Post)
by guest blogger Kieran McCarthy
After the Supreme Court’s first and only CFAA decision in Van Buren v. US in 2021, I wrote that the Court “could have done 10% more work here and provided clarity on very key questions….[but SCOTUS] declined the opportunity to do so. In the end, there are remarkably few clear, declarative sentences in this opinion that provide guidance for future cases.”
The Court intentionally left open many key questions. And so it should come as no surprise that there has been an emerging doctrinal divergence related to key concepts in the CFAA. Perhaps most notably, courts have been applying the concept of “technological harm” in the CFAA differently in different circuits.
In Van Buren, Justice Barrett wrote:
…§1030(a)(2) also gives rise to civil liability, §1030(g), with the statute defining ‘damage’ and ‘loss’ to specify what a plaintiff in a civil suit can recover. ‘[D]amage,’ the statute provides, means ‘any impairment to the integrity or availability of data, a program, a system, or information.’ §1030(e)(8). The term ‘loss’ likewise relates to costs caused by harm to computer data, programs, systems, or information services. §1030(e)(11). The statutory definitions of ‘damage’ and ‘loss’ thus focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data. Limiting ‘damage’ and ‘loss’ in this way makes sense in a scheme ‘aimed at preventing the typical consequences of hacking.’ Royal Truck, 974 F. 3d, at 760. The term’s definitions are ill fitted, however, to remediating ‘misuse’ of sensitive information that employees may permissibly access using their computers.
Van Buren v. United States, 141 S. Ct. 1648, 1659–60 (2021) (quoting 18 U.S.C. § 1030(e)(8), § 1030(e)(11)).
Multiple district courts, especially in SDNY and the Northern District of California, began to interpret Van Buren to demand that any CFAA “loss” be tethered to technological harm. Meanwhile, some other district courts read the statute to allow any claim to proceed that included an allegation that a plaintiff had investigated an offense and incurred $5,000 in so doing.
Where this comes up most consistently is in the context of an internal investigation related to alleged unauthorized access. Courts increasingly have disagreed about whether an internal investigation, untethered to “technological harm,” meets the standard for a qualifying loss under §1030(e)(11). While not quite rising to the level of a circuit split, lower courts in the 2d, 3d, and 9th Circuits have increasingly required specific pleading at the motion to dismiss stage to allege that the internal investigation posited as a “loss” was tethered to “harm to computer data, programs, systems, or information services.” In the 5th, 7th, and 11th Circuits, courts were much less inclined to require that specific pleading.
—
On Jan. 21, 2026, the Tenth Circuit became the first circuit court to squarely reject the CFAA interpretation that investigations must be tethered to technological harm. It did so with Moxie Pest Control (Utah), LLC v. Nielsen, and it concluded that investigative costs qualify as a CFAA “loss” even when the plaintiff does not show or even allege “technological harm” like corrupted data or damage to systems.
According to the Tenth Circuit, under § 1030(e)(11)’s plain text, any reasonable cost of responding to an offense qualifies.
—
This was the general divide that had emerged around the country pre-Moxie.
The first camp suggests that costs must be tethered to clear evidence of technological harm to qualify as a loss.
The courts in this camp do not reject investigative costs as a category. But conclusory pleadings related to investigations in the absence of technological harm often get dismissed. These courts have demanded specifics about what was done, why the investigation was necessary, how it ties to the intrusion, and evidence that the “loss” was tethered to “harm to computer data, programs, systems, or information services.”
Many recent decisions have been pushing in that direction:
- CoStar Group, Inc. v. Leon Capital Group, LLC (D.D.C. 2022) dismissed where the claimed loss was time and money spent “identifying, investigating, and attempting to block and otherwise respond,” but the allegations did not adequately plead cognizable CFAA loss.
- The Phoenix Co., Inc. v. Castro-Badillo (D.P.R. Aug. 9, 2024) dismissed where the plaintiff relied on “investigation” but did not plead what investigative measures were taken and what damage, if any, was actually caused.
- Sylabs Inc. v. Rose (N.D. Cal. Sep. 26, 2024) dismissed where “loss” was pegged to forensic analysis but the allegations were essentially conclusory and failed Rule 12(b)(6) specificity expectations.
- William Gottlieb Mgmt. Co., LLC v. Carlin (S.D.N.Y. Mar. 26, 2024) dismissed where the “investigation” just confirmed what the plaintiff already knew and did not involve analyzing effects on computer systems.
- X Corp. v. Center for Countering Digital Hate (N.D. Cal. 2024) dismissed X Corp.’s CFAA claim at the motion-to-dismiss stage because the court found that X failed to allege technological harm necessary under § 1030’s loss definition, and that internal costs and reputational advertising revenue losses tied to CCDH’s reports and investigations did not allege harm to computer data, systems, or programs as contemplated by the statute. Also, the broader complaint was treated as a SLAPP aimed at punishing criticism rather than bona fide CFAA conduct.
If you read those cases as a group, you find situations where courts are skeptical of internal investigations because they seem pretextual. According to these cases, an alleged investigation is not a blank check to proceed with a CFAA claim. Courts want to see that the investigation was a response to an access violation causing technological harm and not just a litigation prep exercise.
The second camp is more of a magic words approach. If there’s alleged unauthorized access, and you say there was an investigation that cost $5k, the case moves to discovery.
This was pretty much the consensus around the country pre-Van Buren. But lower courts were fairly evenly divided about that concept of loss post-Van Buren.
The Tenth Circuit in Moxie is now a clean appellate-level entry for this camp.
According to Moxie, the CFAA’s definition of “loss” explicitly includes response and damage-assessment costs. So district courts should not treat Van Buren as silently rewriting the civil-remedies threshold into limiting investigations to those tethered to technological harm.
Moxie is now the most prominent post-Van Buren statement on this question, and because it is a circuit court opinion, and not a one-off district court order, it will carry significant weight, and may permanently tip the scales in favor of this camp.
—
The facts of Moxie are as follows:
The plaintiffs were a group of affiliated pest-control companies that alleged employees of their competitor, Aptive Environmental, bribed current and former Moxie representatives to turn over confidential, password-protected sales data (including leaderboards) stored in Moxie’s system, which Aptive then allegedly used to recruit door-to-door sales representatives. Moxie sued Aptive and several individuals under the Computer Fraud and Abuse Act (CFAA), RICO, the Defend Trade Secrets Act (DTSA), and Utah’s Uniform Trade Secrets Act (UTSA).
The district court dismissed Moxie’s CFAA claim for failure to plead a qualifying “loss” post-Van Buren, denied motions to compel broad damages discovery, and granted summary judgment on the other claims for lack of causation. On appeal, the Tenth Circuit reversed the dismissal of the CFAA claim, holding that Moxie’s allegations of over $5,000 in investigative costs incurred in response to unauthorized access plausibly satisfied the CFAA’s “loss” definition even absent technological harm, affirmed the discovery ruling, affirmed summary judgment on RICO, and reversed in part the DTSA/UTSA rulings on remedies and remanded for further proceedings.
—
For practitioners in this space, it isn’t hard to see how Moxie could be problematic.
There is a chicken-or-the-egg conundrum with the statutory language cited by the Tenth Circuit. While § 1030(e)(11)’s definition of loss includes any reasonable cost of responding to an offense, the statute itself does not offer any guidance on what the *offense* must be that provokes the investigation. By the Tenth Circuit’s definition, it doesn’t matter. Any conduct associated with unwanted access will do. And so, activity that does not cause technological harm can give rise to a CFAA claim if a plaintiff investigates it and incurs $5,000 in expenses.
The problem is twofold: (1) it lets plaintiffs convert a whole range of non-technological harms into federal computer crimes, thus seemingly contradicting the guidance of the Supreme Court and the statute itself, which requires harm to computer data, programs, systems, or information services; and (2) the $5,000 threshold becomes nigh-meaningless. Any plaintiff with a lawyer and an incident-response vendor can hit $5,000 by lunchtime. Indeed, a recent case found that a pro se plaintiff spending 25 hours of his own time was sufficient to establish a “loss” under the CFAA. Karcz v. Mezouak, 2026 WL 622679 (D.N.J. March 5, 2026).
In other words, conduct that would not give rise to a CFAA violation because the alleged harm is not technological in nature under the Supreme Court’s definition of a “loss” can easily become a CFAA “loss” as long as a plaintiff alleges that they investigated it.
That’s a deeply circular definition of “loss”. But Moxie didn’t grapple with that deeper circularity head-on.
Making benign integrations and free speech criminal
Let me lay out a couple of different fact patterns where this often plays out.
Even though the defendants here are highly unsympathetic, that’s not always the case. The alleged conduct was plainly wrongful. It involved alleged bribery, misuse of credentials, and copying confidential information from a protected account. But the CFAA should be reserved for technological harms, not merely unauthorized taking of information. That distinction matters. The opinion blurs the line between digital trespass and ordinary misuse of access, even though the real injury alleged was the taking of valuable business information, not damage to the integrity or functioning of the computer system itself. If the system still worked as designed, was not impaired, and suffered no meaningful technological disruption, then this looks much more like a trade secrets or unfair competition case, not a CFAA claim.
That overexpansion matters beyond these bad facts. Once courts allow the CFAA to reach conduct that does not cause technological harm, the statute becomes a much more flexible weapon for private plaintiffs and platforms seeking to recharacterize disfavored access as computer intrusion. There are countless software integrations whose primary business purpose is to integrate some sort of useful activity within another company’s platform. Lots of companies build these useful layers into and on top of other companies’ software. Most of the time, the purpose of these integrations is to provide something of value to end users, but of course, large platforms are often reluctant to cooperate with third parties.
The panel says, almost in passing, that “we need not decide whether the conduct Moxie alleged violates the CFAA. It does,” because Nielsen used a pilfered password, and then goes on to hold that investigative costs alone can satisfy CFAA loss without any technological impairment. The problem is not that the defendants should win. They should not. The problem is that the opinion does nothing to distinguish credential theft from the far more ordinary reality of delegated access and platform integrations, where a user intentionally lets a third-party tool access an account through stored credentials, session continuity, or other account-linked mechanisms. In a world full of CRM plug-ins, analytics layers, scheduling tools, and middleware, courts should be careful not to let “access by someone other than the nominal account holder” plus “investigation” equal a federal crime. The “loss” element needs to be a meaningful filter. If it isn’t, lots of benign conduct becomes illegal.
If investigative expenses are enough, regardless of whether tethered to a technological harm, then a platform that objects to a researcher, watchdog, journalist, or advocacy group can more readily plead its way past dismissal by alleging unauthorized access plus the cost of figuring out what happened. Moxie sits uneasily beside X Corp. v. Center for Countering Digital Hate, where Judge Breyer recognized the basic danger directly, writing that the case was “about punishing the Defendants for their speech” and that X sued “in order to punish CCDH” for publications criticizing the platform.
To be clear, Moxie did not involve public-interest criticism. It involved commercial espionage. But doctrine built in hard cases does not stay in hard cases. Once courts make it easier to plead CFAA claims based on contested access and post hoc investigation costs, that logic can be repurposed by platforms seeking to suppress unfavorable reporting, auditing, or accountability research. The right lesson from Moxie should have been narrow, but instead it was unequivocal and unqualified.
Don’t get it twisted: If self-motivated, sponsored investigations untethered to technological harm qualify as losses under the CFAA, then any integration disfavored by a platform can be made illegal, regardless of how valuable or pro-social it may be. And any “access” that’s disfavored by a platform can be made illegal, too. Regardless of how benign or pro-social it may be.
That’s the legal landscape that Moxie creates.
In the coming months, the Ninth Circuit is likely to revisit this issue with Perplexity AI’s appeal of the preliminary injunction issued by the Northern District of California in its case against Amazon. When that case is decided, we can expect to get a clearer picture of whether there will be a consensus on this issue or a true circuit split.
