A plaintiff’s claim that he would need to retain a forensic computer expert to examine a third party’s computer to detect and delete the data taken from his thumb drive was considered to be too speculative to qualify as a “loss” under the Computer Fraud and Abuse Act (“CFAA”).
This was the Ninth Circuit Court of Appeals’ ruling in Doyle v. Chase, 2011 WL 2006527 (9th Cir. May 24, 2011). A copy of the opinion is available HERE. This was an appeal of Doyle v. Taylor, 2010 WL 2163521 (E.D. Wash. May 24, 2010), a copy of which is available HERE. The Ninth Circuit’s opinion, which is designated “unpublished” is only 2 pages but, according to Professor Susan Brenner’s CYB3RCRIM3 blog, there is quite a story behind this case: The Computer Fraud and Abuse Act and the Thumb Drive. The salacious facts, regardless of how entertaining, are beyond the scope of this post as I am trying really hard to cut back on my longwindedness at the urging of the pro-bloggers who say 500 words or less, whether it makes sense or not!
The Ninth Circuit’s opinion (Doyle v. Chase) affirmed the district court’s granting of a motion for summary judgment on Doyle’s Computer Fraud and Abuse Act claim for wrongfully accessing his thumb drive and keeping the data therefrom. The District Court (Doyle v. Taylor) granted the MSJ on the ground that Doyle failed to satisify the minimum $5,000 loss generally required in order to bring a civil claim under the CFAA. The Ninth Circuit’s recitation of Doyle’s argument was that he satisfied the CFAA loss requirement “because of his need for a forensic computer expert to detect and delete all of the documents that were copied from the thumb drive to Chase’s computers.”
A review of the District Court opinion reveals that Doyle’s only evidence of loss was from a computer forensics expert “detailing the work he anticipates would be required to determine what files were copied from the thumb drive and stored on other computers.” The District Court found this was insufficient for two reasons: (1) the “loss” and “damages” definitions of the CFAA are focused on costs and remedial efforts associated with the computer that was accessed–not other computers; and (2) the expert did not adequately describe how many computers he would have to examine, the work he would do in the examination, how many files were involved, and how many hours would be expended, etc. Because at the time the MSJ had been filed the discovery deadline had already passed as well as the deadline for disclosing supporting expert witnesses, the court did not permit consideration of a more detailed declaration.
The Ninth Circuit did not delve into the issues of examinations of other computers beyond the one accessed or whether a future loss qualifies. Its approval was succinctly stated: “The district court concluded that even accepting Doyle’s theory of loss, his assessment of loss is entirely speculative. We agree.”
A few weeks ago I blogged about the case Animators at Law, Inc. v. Capital Legal Solutions, LLC in a blog titled Barter Services and Attorney Fees May Qualify As “Loss” Under Computer Fraud and Abuse Act which taught that, among other things, the loss requirement of the CFAA does not require there be an actual cash payment, but that obtaining services under a barter type relationship also qualifies as a CFAA loss. The Doyle v. Chase and Doyle v. Taylor cases show what is generally well settled which is that whatever is claimed to be the loss must be proven beyond mere speculation.
- No Computer Fraud and Abuse Act Violation for Access of Facebook and Personal Email by Employee — Lee v. PMSI (ericgoldman.org)
- Ninth Circuit Holds That Violating Any Employer Restriction on Computer Use “Exceeds Authorized Access” (Making It a Federal Crime) (volokh.com)
- Bye Bye Brekka – Hello Nosal: Ninth Circuit Warms-up to Intended-Use Theory of “Access” Under the Computer Fraud and Abuse Act (shawnetuma.com)