386 F. 3d 930 - Creative Computing v. Getloadedcom Llc C

This case requires us to construe damages provisions in the Computer Fraud and Abuse Act.1

Truck drivers and trucking companies try to avoid dead heading. "Deadheading" means having to drive a truck, ordinarily on a return trip, without a revenue-producing load. If the truck is moving, truck drivers and their companies want it to be carrying revenue-producing freight. In the past, truckers and shippers used black-boards to match up trips and loads. Eventually television screens were used instead of blackboards, but the matching was still inefficient. Better information on where the trucks and the loads are — and quick, easy access to that information — benefits shippers, carriers, and consumers.

Creative Computing developed a successful Internet site, truckstop.com, which it calls "The Internet Truckstop," to match loads with trucks. The site is very easy to use. It has a feature called "radius search" that lets a truck driver in, say, Middletown, Connecticut, with some space in his truck, find within seconds all available loads in whatever mileage radius he likes (and of course lets a shipper post a load so that a trucker with space can find it). The site was created so early in Internet history and worked so well that it came to dominate the load-board industry.

Getloaded decided to compete, but not honestly. After Getloaded set up a load-matching site, it wanted to get a bigger piece of Creative's market. Creative wanted to prevent that, so it prohibited access to its site by competing loadmatching services. The Getloaded officers thought trucking companies would probably use the same login names and passwords on truckstop.com as they did on getloaded.com. Getloaded's president, Patrick Hull, used the login name and password of a Getloaded subscriber, in effect impersonating the trucking company, to sneak into truckstop.com. Getloaded's vice-president, Ken Hammond, accomplished the same thing by registering a defunct company, RFT Trucking, as a truckstop.com subscriber. These tricks enabled them to see all of the information available to Creative's bona fide customers.

Getloaded's officers also hacked into the code Creative used to operate its website. Microsoft had distributed a patch to prevent a hack it had discovered, but Creative Computing had not yet installed the patch on truckstop.com. Getloaded's president and vice-president hacked into Creative Computing's website through the back door that this patch would have locked. Once in, they examined the source code for the tremendously valuable radius-search feature.

Getloaded used a more old-fashioned trick to get unauthorized access to Creative Computing's customer list. It hired away a Creative Computing employee who had given Getloaded an unauthorized tour of the truckstop.com website. This employee, while still working for Creative, accessed confidential information regarding several thousand of Creative's customers. He downloaded, and sent to his home email account, the confidential address to truckstop.com's server so that he could access the server from home and retrieve customer lists.

Creative Computing first discovered what Getloaded had done at a trade show in 1999. Getloaded was demonstrating a program that looked suspiciously like truckstop.com. Years later, it was clear why. During discovery, Creative uncovered a handwritten Getloaded employee's to-do list that included "mimic truckstop.com." After the Creative employee who had been feeding confidential information to Getloaded defected, Creative checked his computer and found evidence that he improperly accessed customer information before his departure.

Creative Computing sued Getloaded in district court for copyright infringement, Lanham Act violations, and misappropriation of trade secrets under the Idaho Trade Secrets Act. Creative also sought a temporary restraining order. The court granted a TRO that prohibited Getloaded from, among other things, removing or destroying evidence of how it had copied and used truckstop.com's source code, marketed to customers on Creative's customer list, or accessed the truckstop.com site. The parties stipulated to continuing the order in substantially the same form as a preliminary injunction while the litigation was pending. Subsequently, Creative amended its complaint, adding claims for damages under the federal Computer Fraud and Abuse Act.2

The injunction did not work. Getloaded violated it. The district court made an express finding that "Getloaded acted in bad faith as its senior management — and others under its supervision and with its knowledge — lied under oath and violated the Court's injunction."3 The district judge carefully worked his way through contradictions in Patrick Hull's testimony, matching the testimony with truckstop.com's log of access to the site and the testimony of others who could have logged on at the critical times, thereby establishing that Hull had lied under oath. Expert testimony demonstrated to the judge that Getloaded had destroyed evidence that showed it had copied source code in violation of the injunction.

The case went to a jury trial. It turned out that none of truckstop.com's code was found in getloaded.com's code, so the jury's special verdict was for the defendant on the copyright claim. Also, the site looked different enough that the special verdict was in favor of the defendant on the Lanham Act trade dress claim. But Creative Computing won anyway because the jury rendered special verdicts that Getloaded had violated the Idaho Trade Secrets Act and the federal Computer Fraud and Abuse Act. Damages awarded were $60,000 for the state law violation and $150,000 for each of three federal law violations, totaling $510,000. Pursuant to the Idaho Trade Secrets Act, the district court awarded an additional $120,000 in exemplary damages because of Getloaded's willful and malicious conduct.4 The court also awarded $300,000 in fees and $42,787.35 in expenses as sanctions to compensate Creative Computing for the expense of figuring out and proving Getloaded's violations of the preliminary injunction and false statements in depositions.5 The court entered a permanent injunction extending indefinitely several provisions of the preliminary injunction, such as the prohibition against Getloaded's accessing truckstop.com. Getloaded appeals.

Getloaded argues that no action could lie under the Computer Fraud and Abuse Act because it requires a $5,000 floor for damages from each unauthorized access, and that Creative Computing submitted no evidence that would enable a jury to find that the floor was reached on any single unauthorized access. It relies for this argument on several district court cases that required $5,000 damages from "a single act or event"6 and on a phrase in the Senate Report on the bill.7 Creative Computing cites several district court cases going the other way,8 but neither the parties nor we have found circuit court authority on point.

The briefs dispute which version of the statute we should apply — the one in effect when Getloaded committed the wrongs, or the one in effect when the case went to trial (which is still in effect). The old version of the statute made an exception to the fraudulent access provision if "the value of such use [unauthorized access to a protected computer] is not more than $5,000 in any 1-year period."9 The new version, in effect now and during trial, says "loss ... during any 1-year period. . . aggregating at least $5,000 in value."10 These provisions are materially identical.

The old version of the statute defined "damage" as "any impairment to the integrity or availability of data, a program, a system, or information" that caused the loss of at least $5,000.11 It had no separate definition of "loss." The new version defines "damage" the same way, but adds a definition of loss. "Loss" is defined in the new version as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data ... and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service."12

For purposes of this case, we need not decide which version of the Act applies, because Getloaded loses either way. Neither version of the statute supports a construction that would require proof of $5,000 of damage or loss from a single unauthorized access. The syntax makes it clear that in both versions, the $5,000 floor applies to how much damage or loss there is to the victim over a one-year period, not from a particular intrusion. Getloaded argues that "impairment" is singular, so the floor has to be met by a single intrusion. The premise does not lead to the conclusion. The statute (both the earlier and the current versions) says "damage" means "any impairment to the integrity or availability of data[etc.] ... that causes loss aggregating at least $5,000." Multiple intrusions can cause a single impairment, and multiple corruptions of data can be described as a single "impairment" to the data. The statute does not say that an "impairment" has to result from a single intrusion, or has to be a single corrupted byte. A court construing a statute attributes a rational purpose to Congress.13 Getloaded's construction would attribute obvious futility to Congress rather than rationality, because a hacker could evade the statute by setting up thousands of $4,999 (or millions of $4.99) intrusions. As the First Circuit pointed out in the analogous circumstance of physical impairment, so narrow a construction of the $5,000 impairment requirement would merely "reward sophisticated intruders."14 The damage floor in the Computer Fraud and Abuse Act contains no "single act" requirement.

Getloaded's scrap of legislative history is a remark in the Senate Report that "the Committee intends to make clear that losses caused by the same act may be aggregated for purposes of meeting the ... threshold."15 The obvious purpose of this remark was permissive, to allow aggregation to meet the $5,000 floor, as when one intrusion causes one expense after another for months. Getloaded wants us to read the remark restrictively instead of permissively, to mean that the $5,000 floor has to be reached from a single intrusion. This seems a fine example of an unambiguous statute to which we are asked to apply an ambiguous snippet of legislative history.16 "It makes no sense to parse the ambiguous legislative history as though it were the law. The preferable way to resolve linguistic ambiguity is to evaluate the alternative readings in light of the purpose of the statute."17

Getloaded argues that the district court erred by not confining damages to economic damages, as the statute requires. No inappropriate damages were allowed or granted. Both the old and new versions of the statute limit damages for loss aggregating at least $5,000 in a year to "economic damages."18 Getloaded objects to paying damages for loss of business and business goodwill. The objection is without force because those are economic damages. The statutory restriction, "limited to economic damages," precludes damages for death, personal injury, mental distress, and the like. When an individual or firm's money or property are impaired in value, or money or property is lost, or money must be spent to restore or maintain some aspect of a business affected by a violation, those are "economic damages."19 The same result is compelled under both the old and new versions of the statute.

Next, Getloaded argues that many of the expenses for which Creative Computing claimed damages were routine computer maintenance and upgrades they would have needed to do anyway. Getloaded also argues that, had truckstop.com installed Microsoft's free patch that had been distributed before Getloaded hacked in, the hack would have been prevented. Both the old version of the statute and the new one require that the impairment "causes" the $5,000 aggregate loss in a year.20 Damages are indeed limited to those caused by the impairment, which may not be the same thing as the expenses of the victim subsequent to the impairment.21 While some of the damages claimed were arguable, there was no reversible error in what was allowed. Getloaded's argument that truckstop.com could have prevented some of the harm by installing the patch is analogous to a thief arguing that "I would not have been able to steal your television if you had installed deadbolts instead of that silly lock I could open with a credit card." A causal chain from the thief to the victim is not broken by a vulnerability that the victim negligently leaves open to the thief.

Getloaded argues that the evidence was insufficient for the jury's award because the form in which Creative Computing's expert witness presented the damages allowed only for an all or nothing amount that included damages for the claims on which Creative Computing lost. But we do not review the expert's testimony, we review the judgment based on the verdict. The verdict was not "clearly unsupported by the evidence,"22 so it withstands Getloaded's challenge. The jury awarded $150,000 on each of the three federal claims plus $60,000 on the state law claim on which Creative Computing prevailed, not the $740,000 its expert opined. The jury did not, blindly or otherwise, adopt the expert's conclusion. Getloaded's argument also assumes too much, by supposing that because Creative Computing lost on some claims, its damages necessarily were less. If an accident breaks a person's leg, and he sues on theories of assault and battery, negligence, and strict liability, but prevails only on his strict liability claim, he is still entitled to the full compensatory damages for his broken leg. Getloaded does not argue that the expert should not have been allowed to testify, nor does it challenge the jury instructions, and the jury was required to analyze causation and damages from the wrongs that they found. The jury was told that it could accept all, part, or none of the expert witness's testimony, and it had other evidence aside from that testimony from which it could reach a reasonable conclusion about the amount of damages.

The district court imposed sanctions of $300,000 for attorneys' fees plus $42,787.35 for expenses for experts. This award was to compensate Creative Computing for what it had to spend because of Getloaded's dishonesty in discovery and its destruction of evidence. Getloaded does not challenge all of this award, but does challenge $19,356.59. The $19,356.59 was half of what Creative Computing's damages expert charged Creative Computing. The other expert, the award for whose expenses Getloaded does not challenge, was brought in solely to deal with the harm caused by Getloaded's lies in depositions and destruction of evidence. But the district judge explained that "about one-half of" the work of both experts was focused on the "bad faith" conduct of Getloaded, so the judge awarded half the total of both. Getloaded is correct that such a sanction is limited to actual costs related to the "contumacy."23 The district judge made a reasonable finding on precisely that point, which is not clearly erroneous.

Getloaded argues that because Creative Computing lost on its copyright and Lanham Act claims, the district court should have required allocation of attorneys' fees and costs between losing and winning claims and awarded only those amounts attributable to the claims on which Creative Computing prevailed. The district judge carefully inquired as to this matter, and concluded that the claims in this case were not distinct enough to separate them for purposes of fees or costs. The evidence overlapped, and on the central issue, that Getloaded made unauthorized intrusions that caused substantial damages, it was the same. Allocation is not required where there is a "common core of facts" that requires substantially the same expense on prevailing and unsuccessful claims.24

Getloaded argues that the terms of the permanent injunction the district court granted are overbroad and not "specific in terms" as required by Federal Rule of Civil Procedure 65(d). The terms to which it objects are prohibitions against Getloaded copying or storing truckstop.com's source code, using information related to or based on truckstop.com's source code, using Creative Computing's trade secrets such as by selling its customer lists or contacting its customers, or assisting anyone else in doing any of these things. In the context of this case, the district court did not abuse its discretion in determining that the prohibitions were sufficiently clear, and the reasons for them were sufficiently established.25 Getloaded's belligerent violation of the temporary restraining order and preliminary injunction during the litigation, and its executives' lies in their depositions, justified an especially aggressive prophylactic injunction. Marketing to Creative Computing's customers is restricted by the injunction's terms to marketing based in any way on exploitation of Creative Computing's trade secrets, which Getloaded had done in the past by subverting Creative Computing's employee.

Getloaded objects to being prohibited from accessing truckstop.com. It is out of the ordinary, except in child pornography cases, to prohibit a person or company from accessing what is otherwise a publicly-available website. Ordinarily, when a company chooses to make certain information public via its website, it does so knowing that its competitors may view and may take advantage of any information it chooses to publicize. The prohibition imposed in this case — barring Getloaded from accessing any portion, public or not, of the truckstop.com website — is especially far-reaching, because the prohibition is not limited to a particular period of time or to just the non-public, password-protected areas of the website. Under the particular facts of this case, the past egregious conduct of Getloaded, its owners and employees, nevertheless justified the extraordinarily broad prohibition imposed by the district court. Getloaded is in a position analogous to one who has repeatedly shoplifted from a particular store, so the judge prohibits him from entering it again, saving the store's security guards from the burden of having to follow him around whenever he is there. One of Getloaded's owners also owns another company that is a client of truckstop.com, so in view of Getloaded's past abuse, the district court was within its discretion in giving extended reach to its injunction to assure that that owner, or others like him, would not be a channel for further abuse.

AFFIRMED.