Tort – Computer Fraud – E-Mail Access – Damages

Although plaintiff incurred expenses to develop a new domain name, Web site and e-mail account after her former husband and business partner allegedly accessed her e-mail account during their divorce proceedings, plaintiff has not alleged the requisite threshold jurisdictional “loss” ($5,000) to sue under the Computer Fraud & Abuse Act, says an Alexandria U.S. District Court; but plaintiff may pursue actual damages under the Stored Communications Act.

With respect to the CFAA, 18 U.S.C. § 1030(e)(11), the 4th Circuit recently said in A.V. ex rel. Vanderhye v. iParadigms LLC, 562 F.3d 630 (4th Cir. 2009), that this broadly worded provision plainly contemplates costs incurred as part of the response to a CFAA violation, including the investigation of an offense.

Plaintiffs in this case must show that the losses they claim were the reasonably foreseeable result of the alleged CFAA violations, and that any costs incurred as a result of the measures undertaken to restore and resecure the e-mail system were reasonably necessary in the circumstances.

Plaintiffs allege they have suffered three types of “loss” as a result of defendant’s alleged CFAA violations: 1) fees paid to a Web designer and internet service provider to register, configure and design new Web sites and e-mail accounts ($4,500); 2) over 50 hours of “lost” billable time spent investigating and responding to the offense, billed at over $500 per hour ($27,500); and 3) lost revenue from failing to win a contract for the “India Project” (“millions of dollars).

The invoice for Web site design services is offered without an affidavit or certification by the designer, who has avoided service of a subpoena. The invoice is unreliable and inadmissible. Only the total amount billed, $4,500, is corroborated by a check from plaintiff, but no reasonable jury could conclude merely from that payment that the expenses was causally related to any CFAA violation. Even accepting the invoice at face value, the only items that are plausibly causally related to the alleged CFAA violations are Web site purchase assistance, e-mail address setup and support, domain name auction support and search engine criteria, for a total of $1,260. Adding to that the asserted expense of one year of Network Solutions services, plaintiffs still show only $2,283 in costs reasonably necessary to “respond to the offense” under the CFAA.

Even assuming plaintiff spent the asserted 50 hours to investigate the alleged violations, the description of the tasks performed during these 50 hours is so vague that no reasonable jury could conclude the expended time was reasonably necessary to restore or resecure the system.
Finally, plaintiff and her business allege they were not awarded a consulting contract with the government of India they believed they would win because plaintiff’s ex-husband sent an e-mail message to business partners containing copies of civil complaints filed in Florida concerning an ongoing fight over the business plaintiff and her former husband and business partner had operated together. The undisputed facts show the company’s failure to win the India Project award was not caused by defendant’s alleged CFAA violations. Even if adequately proved and causally linked, lost revenue claims such as those alleged here qualify as losses under the CFAA only when they result from an interruption of service, and no such interruption exists here.

However, plaintiffs’ have adequately shown there is a triable issue of fact as to the $2,283 in consequential economic damages resulting from defendant’s alleged unauthorized access to plaintiff’s e-mail account. Because these are “actual damages” under the Stored Communications Act, 18 U.S.C. § 2701 et seq., the court denies defendant summary judgment on this count.

Global Policy Partners LLC v. Yessin (Ellis, J.) No. 1:09cv859, Feb. 18, 2010; USDC at Alexandria, Va. VLW 010-3-080, 21 pp.