In United States v. Calonge, No. 21-3089 (2d Cir. July 14, 2023) (Parker, Lynch, Lohier), the Circuit affirmed convictions in the Southern District of New York under the Computer Fraud and Abuse Act (“CFAA”) for transmitting a program code or command and intentionally “caus[ing] damage” to a computer, and for accessing a computer without authorization and recklessly “caus[ing] damage,” in violation of 18 U.S.C. §§1030(a)(5)(A) and (B). The defendant’s conduct, deleting files stored with a software vendor used by her employer, was committed in Florida. Venue in New York had been based on the loss of access to those files by the computers at the New York headquarters of her employer. Calonge argued that no New York computer was “damaged” and that venue could only lie in Florida, where the conduct was committed, or in Virginia or California, where the deleted data resided on the vendor’s servers. The Second Circuit disagreed, and held that the statutory definition of “damage,” which covers “any impairment to the integrity or availability of data, a program, a system or information,” 18 U.S.C. §1030(e)(8), includes “preventing a computer from accessing data that it regularly accesses.” The Court held that “damaging” the computer was an essential conduct element of the crimes charged, so that venue is proper in any district where the damage occurred.
Wednesday, July 19th, 2023