Sixth Circuit Rules on Data Law Issues

Court clarifies proofs under CFAA and twice constrains E-Discovery sanctions

Legal Alerts

2.26.15

In two key decisions in the second half of 2014, the Court of Appeals for the Sixth Circuit ruled on data law issues of first impression at the appellate level within the circuit. It upheld a denial of summary judgment motion based on the “damages” and “loss” elements of a civil claim under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. (CFAA) and twice upheld denials of E-Discovery sanctions.

Yoder & Frey Auctioneers: defining “damage” and “loss” in CFAA cases and precluding speculative claims of destroying electronic evidence

The Sixth Circuit addressed a key element of CFAA claims in Yoder & Frey Auctioneers, Inc. v. Equipment Facts, LLC, No. 14-3002 (December 22, 2014), recommended for publication. There, an auction house (Yoder & Frey) alleged that its former electronic bid management service (Efacts) inappropriately accessed bidding systems hosted by its replacement (RTB) (Yoder & Frey and RTB are discussed here as “plaintiffs”). Specifically, the owner of Efacts used an administrator password to access an auction hosted by RTB, and another Efacts employee used spoofing to bid as one of Yoder & Frey’s customers. The results of these activities included millions of dollars in winning bids that were never paid—and plaintiffs’ extensive investigation and remediation of the security breaches.

The key substantive issue before the court was defining “damages” and “loss,” two required elements of a civil claim under CFAA, 18 U.S.C. § 1030(a)(5)(C). “Damage” is defined by the statute as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). “Loss” is defined as:

…any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.

18 U.S.C. § 1030(e)(11). In trying to obtain summary judgment, Efacts made conclusory arguments regarding lack of proofs on damages and argued that its actions did not constitute an “interruption in service” supporting a “loss” under § 1030(e)(11) of the statute. The district court held that the damages requirement was met and that crowding out legitimate bids was an “interruption in service” and therefore a “loss.” On appeal from a jury verdict for the plaintiffs, the Sixth Circuit upheld the result—albeit on somewhat different grounds. It held that the false bids caused “damage” by crowding out legitimate (and presumably paying) bids and that the “loss” requirement was met by virtue of Efacts’ actions, which caused the plaintiffs to undertake an expensive security investigation and remediation. On this second point, the court rejected Efacts’ contention that an “interruption in service” was a statutory component of a “loss.” Along the way, the court also rejected Efacts’ argument that lack of access to original web site logs (based on the loss of those logs) gave rise to remedies for destroying electronic evidence. It held that where Efacts could not demonstrate except by speculation why only the originals (and not copies) would suffice, there was no basis for sanctions.

The practical effect of the decision is to clarify that the definition of “damage” under CFAA is broad enough to comprehend lost financial opportunities resulting from misuse of other parties’ systems. It also clarifies that to establish a “loss” under CFAA, interference with the data systems of another need not cause a breakdown. This arguably lowers the barriers to getting civil actions to trial under CFAA. On the other hand, the E-Discovery component reinforces the holding in Automated Solutions, below, that a speculative claim that something was lost and was important will not justify corrective measures by courts. In addition, Yoder & Frey points to the importance of making sure that both from a contractual and practical standpoint, outgoing service providers are precluded from further access to the systems they previously supported.

Automated Solutions: raising the bar for E-Discovery sanctions based on failures to preserve data

In Automated Solutions Corp. v. Paragon Data Systems: 756 F.3d 504 (6th Cir. 2014), the Sixth Circuit upheld the denial of an adverse inference for spoliation at the summary judgment stage and raised the bar for bringing such motions for sanctions. Automated Solutions involved intellectual property in customized software and hardware for the newspaper industry. There, the plaintiff (ASC) took the defendant to task for the loss of two types of information: (1) active systems (servers and individual computers that eventually failed and were disposed of) and (2) backup systems that were never retained pursuant to a litigation hold. The magistrate recommended that a jury instruction be considered for trial: that, on hearing all the evidence, the jury could infer that the data lost would have supported ASC’s claim. The district court obviated the jury instruction issue by granting summary judgment to the defendant on all pending claims. On appeal, the Sixth Circuit made three key holdings with regard to spoliation sanctions:

  • Burden of proof in demonstrating that information lost was relevant. In response to the alleged failure to preserve active systems (including the disposal of an old server and failure to move data from an old personal computer to a new one) the court held that notwithstanding any duty to preserve these materials, sanctions would not be justified unless “a reasonable trier of fact could infer that the destroyed [or unavailable] evidence would have been of the nature alleged by the party affected by its destruction.” Although it observed that this burden could be met by circumstantial evidence, the court noted that the plaintiff had not demonstrated a link between the subject matter of the case and the data systems in question. Id. at 513-514.
  • Duty to preserve backups. The court’s discussion of backup tapes represents a rare federal appellate ruling on the subject. Citing Zubulake v. UBS Warburg LLC, 220 F.R.D. 212 (S.D.N.Y. 2003) and the 2007 Sedona Principles, the court held that where backup tapes are used solely for disaster recovery and overwritten daily, they are not subject to a general duty to preserve. The court also recognized that this principle had already been endorsed in one lower court within the Sixth Circuit in Forest Labs., Inc. v. Caraco Pharm. Labs., Ltd., No. 06-CV-13143 (E.D. Mich. April 14, 2009). The court was unpersuaded by the argument that the failure of the active servers and PCs made backups the only source of information, holding that the nature of the backups as a disaster-recovery system governed and further noting that the backup systems were demonstrably unreliable even for their intended purpose. Id. at 514-515.
  • Standards of proof for culpability. Although the above circumstances in themselves eliminated the plaintiff’s right to relief, the Sixth Circuit went on to examine culpability in failures to institute litigation holds. In doing so, it rejected the plaintiff’s argument that the Court should adopt the broad view of Pension Committee of University of Montreal Pension Plan v. Banc of America Securities, 685 F.Supp.2d 456 (S.D.N.Y.2010), a decision concluding that failure to institute a hold was, ipso facto negligent—and possibly grossly negligent or willful. Noting that this controversial principle had been rejected by the Second Circuit, the court held that culpability was to be addressed by district courts on a case-by-case basis. The court did conclude that an IT company should have a better-than-average knowledge of data preservation and concluded that the defendant was indeed negligent. That alone, however, would not support sanctions. Id. at 515-517.

One practical effect of Automated Solutions will be to focus trial courts on the importance of information allegedly lost as a result of failures to preserve and tailor any further analysis of standards of care to the facts and circumstances of each case. This will likely make it more difficult to pursue sanctions based on apparent breaches of duties of care; parties seeking sanctions will now have to establish both the specific relevance of the lost information and a duty of care appropriate to the situation. Businesses with sophisticated IT capabilities should note that after Automated Solutions, they may be held to different (and possibly greater) duties of care in instituting legal holds and preserving potential evidence. And all businesses should bear in mind as well that in the wake of Automated Solutions, there may be more judicial development of exceptions to normal retention in litigation, such as in cases where the deletion or modification of information is central to claims.

Another practical effect of Automated Solutions is to bring Sixth Circuit practice into alignment with a pending amendment to Federal Rule of Civil Procedure 37(e). That amendment, expected to take effect on December 1, 2015, puts the emphasis on fact-specific, tailored approaches to the alleged loss of evidence - and constrains the availability of severe sanctions (jury instructions or measures terminating a case) to situations where a party acts with the intent to deprive its adversary of evidence.

More Information

For more information on this article, please contact Dante Stella at (313) 568-6693, Steve Tupper at (248) 203-0895, any of the attorneys on Dykema’s E-Discovery or Cybersecurity teams, or your relationship attorney.