To bring a civil action based on the federal Computer Fraud and Abuse Act (“CFAA”) a plaintiff must show that the alleged violation “caused . . . loss . . . aggregating at least $5,000 in value.” 18 U.S. C. Section 1030(c)(4)(A)(i). “Loss” is defined by the CFAA as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system , or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S. C. Section 1030(e)(11). The recent Virginia District Court opinion set forth below dismissed CFAA claims on the ground that plaintiffs could not meet the $5,000 “loss” threshold. This case is highly instructive on how a plaintiff must prove “loss” to bring a viable CFAA claim.
2010 WL 675241 (E.D.Va.))
United States District Court,
GLOBAL POLICY PARTNERS, LLC, et al., Plaintiffs,
Brent YESSIN, Defendant.
2010 WL 675241 (E.D.Va.)
Feb. 18, 2010.
T.S. ELLIS, III, District Judge.
*1 At issue on summary judgment in this case alleging unauthorized access to e-mail accounts are the following questions:
(i) whether the summary judgment record reflects that plaintiffs can meet the jurisdictional $5,000 “loss” requirement of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and
(ii) whether the summary judgment record reflects that plaintiffs can prove “actual damages” as required to recover actual and statutory damages under the Stored Communications Act, 18 U.S.C. § 2701 et seq. (“SCA”).
Mr. Yessin requests full summary judgment on the two CFAA counts and partial summary judgment on the two SCA counts. For the reasons that follow, the motion is granted with respect to the CFAA counts and denied with respect to the SCA counts.
The facts material to defendant’s motion are largely undisputed. Mr. Yessin was a founding manager of Global Policy Partners, LLC (“GPP”), a limited liability corporation organized under Florida law that is in the business of lobbying and government relations. He remained a manager until at least August 18, 2009. One of his business partners in GPP was also his partner in marriage–Katherine Friess Yessin (“Ms.Friess”), who, along with GPP, is a plaintiff in this case. Mr. Yessin and Ms. Friess are in the process of terminating both their marriage and their business relationships. In 2007, at a time the parties’ marriage and business relationships were still intact, Mr. Yessin directed Jon Hageman, an information technology consultant, to reserve and acquire the domain name “gppwashington.com.” Mr. Hageman did so, registering the domain name with GoDaddy.com, a domain name registrar and web site host. Although Mr. Hageman initially registered the domain name in his own name, he thereafter transferred the domain name registration to Mr. Yessin. Mr. Hageman also set up e-mail accounts through GoDaddy.com, including Ms. Friess’s “Katherine@gppwashington.com” e-mail address.
Mr. Yessin and Ms. Friess were separated in May 2009. During May and June 2009, Mr. Yessin, by his own admission, repeatedly accessed Ms. Friess’s e-mail accounts without her knowledge through a password that was apparently–and perhaps inadvertently–stored on his computer. In doing so, Mr. Yessin read Ms. Friess’s e-mail communications with attorneys concerning a potential divorce action and settlement strategy. Mr. Yessin shared some of those communications with his own divorce lawyer.
In June 2009, Ms. Friess became suspicious that Mr. Yessin was accessing her “Katherine@gppwashington.com” e-mail account without her permission. Accordingly, on or about June 25, 2009, Ms. Friess asked Mr. Hageman to change the password to the “Katherine@gppwashington.com” e-mail account, and Mr. Hageman did so. Thereafter, Mr. Yessin contacted Mr. Hageman and asked to be given Ms. Friess’s e-mail account password, or alternatively, to have Ms. Friess’s e-mails forwarded to Mr. Yessin. Mr. Hageman declined both requests. When Mr. Yessin persisted, Mr. Hageman reiterated his refusal and referred Mr. Yessin to Mr. Hageman’s attorney and alerted Ms. Friess to Mr. Yessin’s request. Additionally, on or about July 9, 2009, Mr. Hageman informed Ms. Friess that the domain name “gppwashington.com” was owned by Mr. Yessin, and that Mr. Yessin could therefore redirect the domain name away from GoDaddy’s web and e-mail server. Mr. Hageman further informed Ms. Friess that unless renewed, the domain name would soon expire, and that Ms. Friess could renew the domain name even though it was registered in Mr. Yessin’s name.
*2 In the end, Ms. Friess chose not to do so, electing instead to use the services of Shawn Hilbig, a web designer, to purchase a new domain name– globalpolicypartnersllc.com–and to establish a new GPP website complete with new e-mail addresses. It appears that Mr. Hilbig sent Ms. Friess an invoice billing her for the following services:
Service Amount Billed
“New Website purchase assistance” $90
“Email Address setup and support” $900
“Domain Auction support” $ 180
“Search Engine criteria” $90
“Business Requirements/Content & Images for site” $1,800
“Creating, updating, and uploading content” $900
“Modifying Images and Creating Slideshow” $90
“Support Calls (Q and A)” $450
Ex. 9 at 1. [FN1] In connection with establishing the new web site, plaintiffs also appear to have incurred (i) $500 “to register to purchase” the globalpolicypartnersllc.com domain name from Network Solutions, Inc., (ii) $926 “in establishing” that domain name with Network Solutions, Inc., and (iii) $499 “in establishing” the domain name of globalpolicypartners.com with Network Solutions, Inc. Opp. at 6; see Opp. Exs. 12-14. Ms. Friess instructed Mr. Hageman to shut down the web site located at gppwashington.com on or about July 27, 2009.
FN1. Importantly, Mr. Hilbig did not provide an affidavit or otherwise certify or authenticate this invoice. Mr. Yessin’s counsel further notes that he “has made repeated attempts to serve Mr. Hilbig with a subpoena, but to no avail, as Mr. Hilbig continues to avoid service.” Rep. Br. at 6. The total amount that Ms. Friess paid Mr. Hilbig–$4,500–is corroborated by Opp. Ex. 10, the check from Ms. Friess, but there is no evidence to explain or corroborate the invoice’s line items. Plaintiffs state only that “Mr. Hilbig’s invoice speaks for itself” Opp. at 6.
Earlier in the summer of 2009, GPP submitted or was in the process of submitting six “confidential business proposals for the government of India.” Ex. 8 at 47-49. It is undisputed that although Ms. Friess had made Mr. Yessin aware of these so-called “India Project” proposals, she did not share with him the specific details of the proposals. On July 10, 2009, in response to a “cease and desist” e-mail message from plaintiffs’ counsel, Mr. Yessin threatened to disclose to the government of India plaintiffs’ allegations that he was accessing their e-mail, stating that the Indian government would find it “unnerving” that GPP “thought so little of their own security capabilities as to make these rash allegations.” Opp. Ex. 18 at 3. The following day, in reply to an e-mail from plaintiffs’ counsel threatening a lawsuit under the CFAA and SCA, Mr. Yessin further stated that, barring a resolution of the matter, he would “feel obligated” to inform the Indian government that GPP “cannot safeguard the confidential material” being transmitted via its e-mail accounts and that it is not “qualified to do such sensitive work.” Id. at 1.
Thereafter, on September 8, 2009, Mr. Yessin sent an e-mail message to Lalit and Rohini Mattu, two partners in the India Project, to which he attached the complaints in two civil actions he filed in Florida against Ms. Friess and Mr. Weiss to establish his ownership of GPP. There is no allegation that Mr. Yessin provided the Mattus with confidential documents or other materials that he obtained by accessing Ms. Friess’s e-mail accounts. Plaintiffs have not heard from the Indian government on the status of the India Project proposals. Plaintiffs contend therefore that the government of India did not select or accept GPP’s proposals.
*3 In this action, filed on July 31, 2009, plaintiffs contend that Mr. Yessin is liable under the CFAA and the SCA for accessing Ms. Friess’s e-mail account without authorization. On December 15, 2009, Mr. Yessin filed his motion for summary judgment, in which he contends (i) that both CFAA counts should be dismissed because plaintiffs have not met the $5,000 “loss” threshold required to maintain a CFAA action, (ii) that the second CFAA count should be dismissed because plaintiffs have failed to show that he acted with the requisite “intent to defraud,” and (iii) that plaintiffs are not entitled to actual or statutory damages on their SCA claims because they have not shown actual damages, which he claims is a prerequisite to recovering statutory damages. The motion was fully briefed and argued, and is now ripe for disposition.
The summary judgment standard is too well-settled to require elaboration here. In essence, summary judgment is appropriate under Rule 56, Fed.R.Civ.P., only where, on the basis of undisputed material facts, the moving party is entitled to judgment as a matter of law. Celotex Corp. v. Catrett, 477 U.S. 317, 322 (1986). Importantly, to defeat summary judgment the non-moving party may not rest upon a “mere scintilla” of evidence, but must set forth specific facts showing a genuine issue for trial. Id. at 324; Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 252 (1986). Thus, the party with the burden of proof on an issue cannot survive summary judgment on that issue unless he or she adduces evidence that would be sufficient, if believed, to carry the burden of proof on that issue at trial. See Celotex, 477 U.S. at 322.
To maintain a civil action under the CFAA, plaintiffs must show that the alleged violation “caused … loss … aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i). [FN2] On summary judgment, a CFAA plaintiff must therefore show that there are triable issues as to (i) whether a CFAA-qualifying “loss” aggregating at least $5,000 occurred, and (ii) whether this loss was “caused” by a CFAA violation.
FN2. Claims alleging (i) impairment of a medical diagnosis, (ii) physical injury to a person, (iii) a threat to public health or safety, or (iv) damage affecting a computer used by the United States Government in furtherance of the administration of justice, national defense, or national security are exempted from the $5,000 requirement. See 18 U.S.C. § 1030(c)(4)(A)(i), (g). None of these exemptions apply here.
The CFAA specifies that a qualifying “loss” under the statute
means any reasonable cost to any victim, including [i] the cost of responding to an offense, [ii] conducting a damage assessment, and [iii] restoring the data, program, system, or information to its condition prior to the offense, and [iv] any revenue lost, cost incurred, or other consequential damages incurred because of the interruption of service[.]
18 U.S.C. § 1030(e)(11). Plaintiffs’ alleged damages must fall within this definition in order to qualify as a “loss” under the CFAA and therefore satisfy the $5,000 jurisdictional minimum.
With respect to § 1030(e)(11), the Fourth Circuit has recently held that “[t]his broadly worded provision plainly contemplates … costs incurred as part of the response to a CFAA violation, including the investigation of an offense.” A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir.2009). At issue on appeal in iParadigms was an allegation under the CFAA that the counterclaim defendant, A.V., had accessed iParadigms’s website without authorization by using a password assigned to certain authorized users. iParadigms offered evidence that it assigned several employees to investigate the breach and to “determine what happened.” Id. at 645. The district court granted summary judgment for A.V. on the ground that the expenditures incurred in assigning employees to investigate the intrusion were not “economic damages” cognizable under the CFAA. The Fourth Circuit reversed, defining loss to include economic damages resulting from the ” ‘cost of responding to an offense.’ ” Id. at 646 (quoting § 1030(e)(l 1) (defining “loss”)). Accordingly, the court of appeals reversed the district court’s grant of summary judgment.
*4 It is, of course, necessary, but not sufficient, for a CFAA plaintiff to show that qualifying costs were incurred; additionally, a CFAA plaintiff must also show, as iParadigm teaches, that the costs are “reasonable” and that they were “caused” by a CFAA violation. See id. Although the Fourth Circuit in iParadigms did not elucidate the causal requirement, [FN3] the Supreme Court has construed federal statutes containing similar requirements to incorporate traditional principles of tort causation, and such a reading is consistent with iParadigms. [FN4] It follows, therefore, that plaintiffs in this case must show that the losses they claim were the reasonably foreseeable result of the alleged CFAA violations, and that any costs incurred as a result of measures undertaken to restore and resecure the e-mail system were reasonably necessary in the circumstances. See United States v. Middleton, 231 F.3d 1207, 1213 (9th Cir.2000) (holding that jury instructions in CFAA criminal prosecution “correctly stated the applicable law” in requiring (i) that losses were “natural and foreseeable result” of any damage, and (ii) that losses included only cost of “what measures were reasonably necessary” to restore and resecure system). Accordingly, on summary judgment, plaintiffs here must show there is a triable issue of fact as to whether (i) alleged losses were reasonably foreseeable at the time of the alleged CFAA violations, and (ii) alleged losses resulting from measures undertaken in response to the alleged violations were reasonably necessary at the time.
FN3. See iParadigms, 562 F.3d at 646 (reserving judgment on whether alleged losses were “reasonable, sufficiently proven, [and] directly causally linked”).
FN4. See Jerome B. Grubart, Inc. v. Great Lakes Dredge & Dock Co., 513 U.S. 527, 541 (1995) (interpreting “caused by” language of Extension of Admiralty Jurisdiction Act, 46 U.S.C.App. § 740 to require causation in fact and proximate causation); Holmes v. Securities Investor Protection Corp., 503 U.S. 258, 268 (1992) (interpreting “injured … by reason of a violation” language of Racketeering Influenced Corrupt Organizations Act, 18 U.S.C. § 1964(c), to require causation in fact and proximate causation); Assoc. Gen. Contractors of Cal., Inc. v. Cal. State Council of Carpenters, 459 U.S. 519, 532 (1983) (requiring causation in fact and proximate causation to satisfy “injured … by reason of” antitrust violation jurisdictional requirement of Clayton Act, 15 U.S.C. § 15).
Plaintiffs allege that they have suffered three types of “loss” as a result of Mr. Yessin’s alleged CFAA violations: (i) costs incurred in the form of fees paid to the web designer Mr. Hilbig ($4,500) and to Internet service providers ($1,925) in order to register, configure, and design new web sites and e-mail accounts; (ii) over 50 hours of “lost” billable time by Ms. Friess that she spent investigating and responding to the offense, billed at a rate of $500 per hour ($27,500); and (iii) lost revenue from failing to win the India Project (“millions of dollars”). [FN5] Each of these alleged losses is addressed in turn.
FN5. Ms. Friess also claims that she is entitled to damages for the alleged impairment of her confidential communications with her attorney, but she does not claim that this alleged injury constitutes a CFAA-qualifying loss. Indeed, this injury, if proven, would not fall within even the broadest reading of iParadigms and § 1030(e)(11). See Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App’x 559, 562-63 (2d Cir.2006) (holding that lost revenue resulting from misappropriation of confidential data is not a CFAA-qualifying “loss”).
A. Costs Incurred in Creating New Web Sites and E-Mail Accounts
First, plaintiffs contend that the expenses incurred in the course of establishing, configuring, and designing a new web site and e-mail addresses are “costs of responding to and addressing an offense and costs of restoring the system to its condition prior to the offense” and that they therefore satisfy the CFAA’s definition of “loss.” Opp. at 23. To be sure, these expenses, if properly proved and causally related to the alleged CFAA violations, are CFAA-qualifying losses. See iParadigms, 562 F.3d at 646. Yet, in this instance, plaintiffs fail to meet these requirements with respect to most of these expenditures because (i) they have failed to provide evidence that may properly be considered on summary judgment, and (ii) even assuming this evidence can be considered, plaintiffs nonetheless have made no showing that certain of these expenditures were a reasonably necessary response to the alleged CFAA violations, as required to prove a causal link.
*5 It is clear that evidence not in a form admissible at trial may nonetheless be considered on summary judgment. See Celotex, 477 U.S. at 324. [FN6] Nonetheless, it is also clear that to be considered on summary judgment, evidence must be in one of the forms specified by Rule 56(e). [FN7] See id. In this respect, the Fourth Circuit has held that “[t]o be admissible at the summary judgment stage, ‘documents must be authenticated by and attached to an affidavit that meets” Rule 56(e)’s requirements.’ ” Orsi v. Kirkwood, 999 F.2d 86, 92 (4th Cir.1993) (quoting 10A Charles Alan Wright et al., Federal Practice and Procedure § 2722). Yet, in this case, the document on which plaintiffs primarily rely to prove the nature of the expenses incurred–Mr. Hilbig’s invoice–does not meet these requirements. The invoice is offered to prove that plaintiffs incurred expenses in the amounts and for the purposes described therein, and yet there is no affidavit or certification by Mr. Hilbig to this effect. Indeed, plaintiffs do not offer an affidavit from Mr. Hilbig at all. Moreover, Mr. Yessin’s counsel noted that plaintiffs failed to identify Mr. Hilbig in their Rule 26(a) disclosures, plaintiffs initially declined to disclose Mr. Hilbig’s whereabouts, and that Mr. Yessin’s counsel “has made repeated attempts to serve Mr. Hilbig with a subpoena, but to no avail, as Mr. Hilbig continues to avoid service.” Rep. Br. at 6. It is clear, therefore, that Mr. Hilbig’s invoice is unreliable, unauthenticated, uncertified, and inadmissible. Accordingly, it cannot be considered on a motion for summary judgment. See Orsi, 999 F.2d at 92. [FN8] Only the total amount billed, $4,500, is corroborated by the check from Ms. Friess to Mr. Hilbig. But no reasonable jury could conclude merely from the fact that this payment occurred that the expense was causally related to any CFAA violation.
FN6. Of course, affidavits must, as always, be based upon personal knowledge. See Rule 56(c), Fed.R.Civ.P.
FN7. Specifically, Rule 56(e) specifies that affidavits, depositions, and answers to interrogatories may be considered on summary judgment. As Celotex and Orsi v. Kirkwood, 999 F.2d 86, 92 (4th Cir.1993), make clear, this list is exclusive.
FN8. Contrary to the suggestion of Mr. Yessin’s counsel, that evidence is hearsay inadmissible at trial is, without more, insufficient to warrant exclusion from consideration on summary judgment. See Celotex, 477 U.S. at 324. Instead, Mr. Hilbig’s invoice cannot be considered on summary judgment because it is not accompanied by an affidavit and therefore does not conform with the requirements of Rule 56. See id; Orsi, 999 F.2d at 92.
Moreover, even if one accepts the content of Mr. Hilbig’s invoice on its face and assumes that a causal link exists between the alleged CFAA violations and the costs necessary to set up a new web site and e-mail addresses at a new domain name, [FN9] the invoice, by itself, does not provide a sufficient basis for a reasonable trier of fact to conclude that various of the stated charges were reasonably necessary to respond to the alleged violations. For example, by far Mr. Hilbig’s largest line item is $1,800 for “Business Requirements/Content & Images for site.” Ex. 9 at 1. The new GPP website did not require new content and images–Ms. Friess simply could have transferred the content and images from the old site, which had not yet been taken down. [FN10] Mr. Hilbig further billed $900 for “Creating, updating, and uploading content,” a task that, in addition to being seemingly redundant with the “Content & Images” line item, would have been largely unnecessary had plaintiffs simply chosen to use the content and images that already existed on the old site. Mr. Hilbig also bills $450 for 4.5 hours of “Support Calls (Q and A),” without any elaboration about the nature of the calls and whether they concerned establishing the new domain and e-mail accounts, or whether they instead involved the content, images, and other “business requirements.” At most, the only invoice items that are plausibly causally related to the alleged CFAA violations are the first four listed, for (i) website purchase assistance ($90), (ii) e-mail address setup and support ($900), (iii) domain name auction support ($180), and (iv) search engine criteria ($90). Together, these four items total $1,260.
FN9. It is worth noting that it is far from clear that any of the charges incurred in setting up a web site and e-mail accounts at a new domain name are causally related to any CFAA violations. Indeed, the evidence appears to suggest that Ms. Friess’s decision to establish a web site on a new domain and through a different web hosting service provider was not caused by Mr. Yessin’s alleged CFAA violations but rather because of his threats to shut down the GPPwashington.com domain, and those threats were not themselves CFAA violations. Indeed, Ms. Friess’s first responsive act–changing her password–was the only act necessary to ensure that Mr. Yessin would not be able to access her e-mail account, and the record suggests that Ms. Friess probably knew as much. Thus, it would not have appeared to be reasonably necessary to incur any of the expenses necessary to migrate to a new domain name and to set up a new web site and e-mail addresses. Nonetheless, the summary judgment record is sufficiently disputed to create a triable issue of fact as to whether migrating from the gppwashington.com site to a new site and domain name was reasonably necessary to respond to, and therefore causally related to, the alleged CFAA violations.
FN10. It is not at all clear, and plaintiffs do not endeavor to explain, what else “Business Requirements” may have entailed.
*6 Plaintiffs provide three printouts that state additional expenses in connection with the migration to the new domain in an effort to clear the CFAA’s $5,000 “loss” hurdle. The first, Opposition Exhibit 12, is a grainy facsimile of a printout from a website called “Namejet.” [FN11] While the figure in the “Winning Bid” column is not legible, plaintiffs state that it says $499 and that this expense was required to secure the globalpolicypartners.com domain name, which was used to replace the gppwashington.com domain. Assuming the authenticity and reliability of this document–because Mr. Yessin does not dispute them–there is a triable issue of fact concerning whether this expense is causally related to the alleged CFAA violations because a reasonable jury could conclude that migrating to a new domain name was reasonably necessary in order to resecure the system following Mr. Yessin’s alleged violations. The second and third printouts are e-mail messages from “firstname.lastname@example.org” confirming purchases of $926.40 and $499.95–$1127.85 of which is for five years of web server hosting services and $298.50 of which is for one year of “MessageGuard” services, which plaintiffs suggest is an e-mail encryption service. Opp. Ex. 13 at 1-2. For the same reason that there is a triable issue of fact with respect to whether the domain name auction expenses were reasonably necessary restorative measures, there is a triable issue with respect to these expenses as well. Nonetheless, these expenses clearly overstate any CFAA-qualifying loss because they include five years of web hosting service that replaced continued service to the gppwashington.com domain. Accordingly, the proper calculation of loss would include these expenses, less any amount saved by canceling support for gppwashington.com. Plaintiffs have failed to produce any evidence of the amount saved through cancellation of the gppwashington.com domain, and, indeed, it may be that the expenses “cancel out” in their entirety. Nonetheless, construing the record in the light most favorably to plaintiffs, it is assumed for purposes of ruling on Mr. Yessin’s motion that there is a triable issue of fact that one year of the Network Solutions services constitutes a CFAA-qualifying loss. Accordingly, for summary judgment purposes, it is appropriate to consider that plaintiffs have adequately shown $524.07 in losses in connection with the payments to Network Solutions. [FN12]
FN11. Mr. Yessin does not object to the admissibility of Opposition Exhibits 12, 13, and 14.
FN12. This total is arrived at by adding the full expense of the MessageGuard service ($298.50) to one-fifth of the five years of web hosting costs ($225.57).
In summary, construing the record evidence in the light most favorable to plaintiffs, there exists a triable issue of fact as to whether plaintiffs incurred $2,283.07 in costs reasonably necessary to “respond to the offense” under the CFAA, and these costs, if proven, are CFAA-qualifying losses.
B. Lost Revenue From Time Spent Responding to the Alleged Offenses
Plaintiffs allege that they
lost $27,500 in loss [sic] income/revenue by spending more than 50 hours of Ms. [Yessin’s] time, for which she billed $500 an hour, investigating Defendant’s unauthorized access, changing her password and email domain name, changing her email accounts, encrypting emails, securing the website and transferring the website and emails, [and] obtaining a new information and technology specialist.
*7 Opp. at 9-10. Distilled to its essence, plaintiffs’ contention is that they lost $27,500 because Ms. Friess was occupied with investigating or responding to the alleged CFAA violations instead of working on GPP matters and this lost time qualifies as a “loss” within the meaning of § 1030(e)(ll).
As a general matter, lost revenue damages may qualify as losses under the CFAA when they result from time spent responding to an offense. In iParadigms, the Fourth Circuit quoted with approval a district court’s holding that the value of ” ‘many hours of valuable time away from day-to-day responsibilities’ ” are the type of damages that fall within the § 1030(e)(11) definition of “loss.” 562 F.3d at 646 (quoting SuccessFactors, Inc. v. Softscape, Inc., 544 F.Supp.2d 975, 980-81 (N.D.Cal.2008). Indeed, time spent “responding to an offense” appears plainly to fall within the CFAA’s understanding of “loss.” Thus, if plaintiffs adequately prove that Ms. Friess spent time away from her GPP responsibilities and that this lost time was reasonably foreseeable and reasonably necessary in the circumstances, then it is a CFAA-qualifying loss. Yet, because plaintiffs do not adduce evidence to prove (i) that this loss occurred and (ii) that its occurrence was a reasonably necessary consequence of the alleged CFAA violations, these alleged losses do not count toward the $5,000 CFAA threshold.
First, Ms. Friess’s assertion that she spent 50 hours investigating and responding to Mr. Yessin’s alleged CFAA violations is unsupported and indeed contradicted by other evidence. Ms. Friess testified in her deposition that she did not record or document that time in any way. Opp. Ex. 1 at 148. Instead, she stated that she reached the calculation by “look[ing] back” at the time that she had “spent with the IT guy, with Network Solutions, and [she] calculated it based on the time [she] knew [she] spent.” Opp. Ex. 1 at 148-49. She was unable to describe the specific tasks accomplished during those 50 hours except to state that “[s]etting up the new Web site and e-mail system was probably 80 percent, of the time, 85.” Opp. Ex. 1 at 149. The remaining 15 to 20 percent, she stated, was spent “investigating the intrusions.” Opp. Ex. 1 at 150. In this time, Ms. Friess claims, “I talked to GoDaddy [the gppwashington.com web hosting service provider], or tried to talk to GoDaddy, talked to our IT guy.” Id. She did not actually perform any analysis or investigation of any computer systems, nor did she instruct anyone else to do so. Opp. Ex. 1 at 151-53. Ms. Friess’s claim therefore appears to be that she spent 50 hours speaking with the two information technology specialists, Mr. Hilbig and Mr. Hageman, and speaking with or attempting to speak with someone who works at GoDaddy. Ms. Friess only identifies three of these telephone calls: one with Mr. Hageman on or about June 24, 2009, to change her e-mail account password, one on July 9, 2009, to discuss Mr. Yessin’s control of the gppwashington.com server and his failed attempt to obtain Ms. Friess’s password from Mr. Hageman, and one on or about July 27, 2009, to instruct Mr. Hageman to shut down the gppwashington.com domain. Indeed, Mr. Hageman only recalls having had at most these three brief telephone calls with Ms. Friess. Ex. 6 at 81-84. Moreover, Mr. Hilbig’s invoice only bills 4.5 hours for telephone calls, and thus this evidence contradicts Ms. Friess’s claim. Thus, there is simply no evidence–apart from her own vague, conclusory testimony that is contradicted by Mr. Hageman’s testimony and by Mr. Hilbig’s invoice–that Ms. Friess actually spent 50 hours investigating and responding to Mr, Yessin’s alleged CFAA violations. [FN13] Accordingly, no reasonable jury could conclude that this alleged lost time was a CFAA-qualifying loss.
FN13. Alternatively, this time is not a qualifying “cost of responding to an offense” because (i) there is no evidence that Ms. Friess would otherwise have been working on GPP matters and (ii) there is insufficient evidence that Ms. Friess’s lost time was worth $500 per hour. Ms. Friess candidly admitted in her deposition testimony that GPP ordinarily billed clients on a flat retainer basis, rather than by the hour. Ex. 6 at 141. Thus, even though Ms. Friess seeks to recover $500 per hour for her time, there was no one-to-one correspondence between her time and the amount of revenue she would normally generate. Additionally, Ms. Friess acknowledged that GPP only had one paying client during the summer of 2009, the International Council of Shopping Centers, and that client ended its contract with GPP in July 2009 for reasons unrelated to Mr. Yessin’s alleged CFAA violations. Ex. 6 at 138. On this record, a reasonable factfinder could not conclude that Ms. Friess’s alleged lost time was a “cost of responding to the offense” under the CFAA.
*8 Additionally, assuming, arguendo, that this lost time is sufficiently proven, the description of the tasks performed during these fifty hours is so vague that no reasonable jury could conclude that the expended time was reasonably necessary to restore or resecure the system. Indeed, Ms. Friess claims that she essentially spent the entire 50 hours asking questions of and giving directions to her two information technology consultants. By her own admission, she did not herself perform any analysis or investigation, nor did she direct her consultants to do so. Thus, 50 hours to perform these vaguely defined supervisory tasks is plainly excessive under the circumstances and no reasonable factfinder could conclude that this expenditure of time was reasonably necessary to respond to the alleged CFAA violations. Because plaintiffs have not adequately shown that they actually incurred any loss as a result of time spent responding to the alleged violations, and because the amount of time allegedly spent was clearly unreasonable and not causally related to any alleged CFAA violations, plaintiffs have not shown a triable issue of fact as to whether the alleged “lost time” is a loss under the CFAA. [FN14]
FN14. On very similar facts, a district court in New York granted summary judgment for defendants in B. U.S.A. Corp. v. Ecogloves, Inc., 2009 WL 3076042, at *8-*9 (S.D.N.Y. Sept. 28, 2009). There, the plaintiffs’ information technology consultant stated, in an affidavit, that he spent twelve hours investigating and remedying an alleged CFAA violation, and that he billed this time as part of the $16,000 annual fee that he charged plaintiffs. The district court rejected this alleged loss because, under an annual billing structure, “the amount attributable to any given item cannot really be calculated or is effectively zero.” Id. at *8. Moreover, a declaration asserting that plaintiffs’ employees “expended hundreds of hours” responding to an alleged offense did not create a triable issue as to the existence of qualifying losses because the claim was otherwise unsupported and it contradicted earlier deposition testimony. Id. at * 8-*9.
C. Lost Revenue from the India Project
Finally, plaintiffs claim that they lost “millions of dollars” in revenue because GPP was not awarded a consulting contract with the government of India that they believed that they would win. They allege that they were not awarded the India Project because Mr. Yessin sent an e-mail message to the Mattus, GPP’s business partners, containing copies of civil complaints filed in Florida court concerning an ongoing fight over control of GPP. This lost revenue claim does not qualify as a CFAA loss for two reasons. First, the undisputed facts show that GPP’s failure to win the India Project award was not caused by Mr. Yessin’s alleged CFAA violations. Second, even if adequately proven and causally linked, lost revenue claims such as those alleged here qualify as losses under the CFAA only when they result from an interruption of service, and no such interruption is alleged here.
There is no causal connection between the alleged CFAA violations and GPP’s failure to win the India Project contract. Plaintiffs allege that GPP did not win the India Project because in September 2009, Mr. Yessin sent an e-mail to the Mattus, GPP’s project partner, informing them of the ongoing dispute over control of GPP. But there is not even a scintilla of evidence to suggest (i) that this e-mail message was causally related to the alleged CFAA violations, or (ii) that is transmission caused GPP not to win the contract. Ms. Friess acknowledged in her deposition testimony that she had discussed the India Project with Mr. Yessin, and she sent him e-mails listing the project principals and containing draft teaming agreements with project partners. Ex. 8 at 308, 314; Ex. 13; Ex. 15. Thus, Mr. Yessin did not learn about the project’s existence, nor did he learn the identities of the principals, through any alleged CFAA violations. His e-mail to the Mattus, which plaintiffs contend caused GPP to “lose” the India Project contract, did not contain any confidential material or other information that he could have acquired through unauthorized access to Ms. Friess’s e-mail system. The e-mail message therefore had nothing whatever to do with the alleged CFAA violations. Moreover, plaintiffs have not adduced any evidence to suggest that the Indian government even received Mr. Yessin’s e-mail message, let alone that the message had anything to do with the apparent decision of the Indian government not to award the contract to GPP. Thus, no reasonable jury could find that any CFAA violations caused this alleged loss.
*9 Additionally, the CFAA does not recognize lost revenue damages as “loss” unless it was “incurred because of interruption of service .” § 1030(e)(11); see Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App’x 559, 562 (2d Cir.2006) (“[T]he plain language of the statute treats lost revenue as a different concept from incurred costs, and permits recovery of the former only where connected to an ‘interruption in service.’ “). Plaintiffs’ misread iParadigms to hold that interruption in service is not required to prove lost revenue. The loss alleged in iParadigms involved the “cost of responding to an offense,” which implicates a separate provision of § 1030(e)(11) that does not require interruption of service. Where, as here, the revenue is alleged to have been lost as a consequence of misappropriation of information obtained through a CFAA violation, it is clear that an interruption of service is required. See Nexans Wires, 166 F. App’x at 562-63 (holding that loss of $10 million in revenue resulting from misappropriation of confidential data was not a CFAA-qualifying loss because it did not result from interruption in service). Because no interruption of service is alleged here, it is clear that plaintiffs’ claim for lost revenue from the India Project is not a loss under the CFAA.
It is therefore clear that no reasonable trier of fact could find that plaintiffs have met the CFAA’s $5,000 jurisdictional “loss” threshold. At most, they have adduced evidence that supports a claim of $2,283.07 in qualifying losses. Accordingly, their two CFAA claims, Counts 1 and 2, must be dismissed pursuant to § 1030(c)(4)(A)(I). Mr. Yessin’s additional argument that Count 2 must be dismissed because plaintiffs have failed to prove that he intended to defraud them is therefore neither reached nor decided.
Mr. Yessin also seeks partial summary judgment on the two counts arising under the SCA. Specifically, he argues that plaintiffs cannot prove actual damages and thus may not recover actual or statutory damages. The SCA authorizes as damages
the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $ 1,000.
18 U.S.C. § 2707(c). The Fourth Circuit, relying on the Supreme Court’s construction of a virtually identical Privacy Act provision in Doe v. Chao, 540 U.S. 614, 621 (2004), recently explained that proving actual damages or violator profits is a “prerequisite to recovering statutory damages” under the SCA. Van Alstyne v. Electronic Scriptorium, Ltd., 560 F.3d 199, 205 (4th Cir.2009). Thus, if plaintiffs cannot prove actual damages or profits by the violator, then they cannot recover statutory damages on their SCA claims.
The analysis requires a definition of “actual damages.” In its Doe v. Chao opinion, the Fourth Circuit held that the “actual damages” requirement is “more rigorous” than requiring an “injury in fact” or an “adverse effect”; indeed, the court of appeals found that requiring “actual damages” serves a “gatekeeping function of avoiding tremendous overcompensation of plaintiffs whose damages evidence fails to establish any meaningful injury at all.” Doe v. Chao, 306 F.3d 170, 181 n. 6 (4th Cir.2002), aff’d, 540 U.S. 614 (2004). Thus, while there is no identifiable fixed point at which nominal damages become actual damages, plaintiffs must show that they have suffered some concrete, compensable harm as a result of Mr. Yessin’s alleged SCA violations. Importantly, in construing the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (“FCRA”), the Fourth Circuit has repeatedly held that “actual damages” as understood by the FCRA “may include economic damages.” Robinson v. Equifax Info. Servs., LLC, 560 F.3d 235, 239 (4th Cir.2009) (citing Shane v. Equifax Info. Servs., LLC, 510 F.3d 495, 500 (4th Cir.2007). Moreover, consequential economic damages qualify as actual damages under the FCRA. Id. at 241 (upholding damages judgment for missed work time spent investigating and responding to FCRA violations). There is no reason in principle or in the statutory language that the definition of “actual damages” under the FCRA should be different from that under the SCA. Cf. Van Alstyne, 560 F.3d at 205 (construing SCA “actual damages” provision identically to Privacy Act “actual damages” provision).
*10 As discussed supra, plaintiffs have adequately shown that there is a triable issue as to $2,283.07 in consequential economic damages resulting from Mr. Yessin’s allegedly unauthorized access to Ms. Friess’s e-mail account. Because these are “actual damages” under the SCA, summary judgment with respect to whether plaintiffs are entitled to recover actual and statutory damages is not appropriate.
In summary, Mr. Yessin is entitled to summary judgment on Counts 1 and 2 because plaintiffs have not adduced evidence from which a reasonable jury could conclude that they have suffered jurisidictional CFAA-qualifying losses of $5,000 or more. Yet, defendant’s motion is properly denied with respect to Counts 6 and 7 because the summary judgment record warrants the conclusion that plaintiffs may recover actual or statutory damages under the SCA.
An appropriate Order will issue.