Summary
concluding that there was no abuse of discretion where amendment would be futile
Summary of this case from Precise Aerospace Mfg. v. MAG Aerospace Indus.Opinion
No. 18-55169
08-08-2019
Jeffrey Wilens (argued), Lakeshore Law Center, Yorba Linda, California, for Plaintiff-Appellant. Shay Dvoretzky (argued) and Jeffrey R. Johnson, Jones Day, Washington, D.C.; Thomas Demitrack, Jones Day, Cleveland, Ohio; Lee A. Armstrong, Jones Day, New York, New York; for Defendants-Appellees.
Jeffrey Wilens (argued), Lakeshore Law Center, Yorba Linda, California, for Plaintiff-Appellant.
Shay Dvoretzky (argued) and Jeffrey R. Johnson, Jones Day, Washington, D.C.; Thomas Demitrack, Jones Day, Cleveland, Ohio; Lee A. Armstrong, Jones Day, New York, New York; for Defendants-Appellees.
Before: MILAN D. SMITH, JR. and MICHELLE T. FRIEDLAND, Circuit Judges, and STANLEY A. BASTIAN, District Judge.
The Honorable Stanley A. Bastian, United States District Judge for the Eastern District of Washington, sitting by designation.
M. SMITH, Circuit Judge:
"WE WANT YOU BACK!" Many of us have received, through phone calls, emails, texts, and the post, the plaintive entreaties of companies with whom we have decided to cease doing business, seeking recommencement of our patronage. Such was the experience of James Andrews, who, after the dealership from which he bought a used car provided his personal information to Sirius XM Radio Inc. (Sirius XM), received unsolicited advertisements asking him to renew his radio subscription.
The primary question before us is whether Sirius XM’s use of personal information derived from Andrews’s driver’s license violated the Driver’s Privacy Protection Act of 1994 (DPPA), 18 U.S.C. §§ 2721 – 2725. Because we conclude that the DPPA does not apply where the source of personal information is a driver’s license in the possession of its owner, rather than a state Department of Motor Vehicles (DMV), we affirm the district court’s grant of summary judgment in favor of Sirius XM. We also affirm the district court’s denial of Andrews’s motion to amend his complaint to add a claim under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.
FACTUAL AND PROCEDURAL BACKGROUND
I. Factual Background
On January 14, 2017, Andrews purchased a pre-owned 2012 Chevy Equinox from Auto Source, a small used car lot in Banning, California. He presented the dealership with his California driver’s license, from which it obtained his name and PO Box address. He also filled out a California DMV Form 262—"Vehicle/Vessel Transfer and Reassignment Form"—a multipurpose form that serves as an odometer disclosure, bill of sale, and power of attorney. On the Form 262, Andrews provided his telephone number, street address, PO Box, and name. Auto Source input this information into its dealer management system (DMS), which ran on a database platform operated by a third party, AutoManager.
Andrews’s Equinox came equipped with Sirius XM radio, a subscription-based satellite radio service. Gail Berger, Sirius XM’s Vice President of Auto Remarketing, attested that her company has agreements with thousands of automotive dealerships across the country pursuant to which Sirius XM offers trial subscriptions for pre-owned vehicles and, in return, dealers provide Sirius XM with the names and addresses of customers who purchase or lease XM-equipped vehicles. According to Berger, Auto Source enrolled in Sirius XM’s pre-owned program in 2015. The terms of the agreement provided that Sirius XM "requires the use of data that exists in [Auto Source’s DMS], including customer data to activate [its] customers’ SiriusXM Trial Service and to communicate with customers regarding their Trial Subscriptions and options to extend their SiriusXM services following the Trial Subscriptions." It also permitted Auto Source’s DMS provider, AutoManager, "to extract and share [its] DMS data with SiriusXM." A separate agreement between Sirius XM and AutoManager specified that this information included "Customer Data."
Berger stated that, following Andrews’s purchase, AutoManager provided Sirius XM with a record of the sale. This electronic record included his name and street address. According to a Sirius XM manager, however, Andrews’s PO Box was not provided by AutoManager; instead, Sirius XM obtained that information through a separate contractor that used the U.S. Postal Service’s National Change of Address database. Andrews asserted that he gave neither Auto Source nor anyone else permission to share his personal information with Sirius XM.
Within days of Andrews’s purchase, the deluge began. Sirius XM sent various letters to Andrews’s PO Box between January and August 2017, imploring him—"We Want You Back!"—to resume his Sirius XM service after the subscription included with his car purchase ended. Sirius XM also telephoned him for the same purpose.
II. Procedural Background
On August 24, 2017, Andrews filed a putative class action complaint in the district court, alleging violations of the DPPA and seeking an injunction and statutory damages of $2,500 for each violation.
In his complaint, Andrews—apparently unaware of the agreements between Auto Source, AutoManager, and Sirius XM pursuant to which his personal information was shared—alleged that Sirius XM "obtained [his] name and address, as well as his phone number, from the motor vehicle records, most likely the registration documents submitted to the DMV after he purchased the car." Prior to filing its motion for summary judgment, Sirius XM’s counsel explained to Andrews’s counsel that, contrary to Andrews’s allegations, it had obtained his personal information not from the DMV, but instead from Auto Source and the Change of Address database. Subsequently, Andrews moved to file an amended complaint to add a claim for violation of the CFAA, based on Sirius XM’s access to Auto Source’s DMS.
The district court granted Sirius XM’s motion for summary judgment, and denied Andrews’s motion to file an amended complaint. As to the DPPA claim, the court determined, "[l]ike the Supreme Court and the vast majority of other courts to have analyzed the issue," that "the DPPA’s definition of ‘motor vehicle record’ [ ] requir[es] that the DMV be the source of the ‘record.’ " Because the court found that Sirius XM obtained Andrews’s personal information from his driver’s license and the Form 262—neither of which, it determined, constituted a DMV record—it concluded that "the undisputed facts establish that [Sirius XM] did not ‘use’ ‘personal information’ ‘from a motor vehicle record,’ " and that Sirius XM was therefore entitled to summary judgment on the DPPA claim. Turning to Andrews’s motion for leave to amend, the district court concluded that amendment would be futile because the proposed amended complaint "fail[ed] to allege that he ha[d] suffered a ‘loss’ or ‘damage’ cognizable under the CFAA."
This timely appeal followed.
JURISDICTION AND STANDARD OF REVIEW
We have jurisdiction pursuant to 28 U.S.C. § 1291. We review de novo a district court’s grant of summary judgment. WildEarth Guardians v. Provencio , 923 F.3d 655, 664 (9th Cir. 2019). "A court’s denial of leave to amend is reviewed for an abuse of discretion." Ebner v. Fresh, Inc. , 838 F.3d 958, 963 (9th Cir. 2016).
ANALYSIS
I. DPPA
Andrews contends that the district court erred when it granted summary judgment in favor of Sirius XM, arguing that the company violated the DPPA’s prohibition on using and disclosing personal information derived from DMV records when it obtained his name, address, and phone number from his driver’s license and the Form 262. He urges us to "issue a limited ruling holding that where a plaintiff can establish that a third party accessed a report (whether it be an accident report or dealership record of sales) containing information from a [driver’s license] issued by a state DMV ... the plaintiff can state a claim for violation of the DPPA." We decline to adopt such a holding, and instead conclude that Sirius XM’s conduct fell outside the scope of the DPPA.
A. Origins and Scope of the DPPA
Congress enacted the DPPA in 1994, in response to a troubling phenomenon that occurred throughout the 1980s and early 1990s—state DMVs’ practice of selling or freely disclosing drivers’ personal information, which led to unfortunate consequences ranging from the trivial (onslaughts of random solicitations) to the tragic (the murders of several people by stalkers or ex-spouses). See, e.g. , 140 Cong. Rec. H2,518, H2,522–24 (daily ed. Apr. 20, 1994) (statement of Rep. Moran) ("In Iowa, a gang of thieves copied down the license plate numbers of expensive cars they saw, found out the names and addresses of the owners and robbed their homes at night. In Virginia, a woman regularly wrote to the DMV, provided the license plate numbers of drivers and asked for the names and addresses of the owners who she claimed were stealing the fillings from her teeth at night."); 139 Cong. Rec. S15,745, S15,766 (daily ed. Nov. 16, 1993) (statement of Sen. Harkin) (recounting the story of a woman who visited an obstetrics clinics and received a "venomous letter" from anti-abortion activists who "got her name and address from department of transportation records, after they spotted her car parked near [the] clinic"); Protecting Driver Privacy: Hearing on H.R. 3365 Before the Subcomm. on Civil & Constitutional Rights , 1994 WL 212698 (Feb. 3, 1994) (statement of Rep. Moran) ("While the release of this information to direct marketers does not pose any inherent safety risks to people, it does present, to some people, an invasion of privacy."). At that time, "[u]nder the law in over 30 States, it [was] permissible to give out to any person the name, telephone number, and address of any other person if a drivers’ license or vehicle plate number [was] provided to a State agency." 139 Cong. Rec. at S15,765 (statement of Sen. Biden).
Perhaps the most infamous victim of this practice was actress Rebecca Schaeffer, who was shot to death by an obsessed fan who hired a private investigator to find Schaeffer’s home address, which the investigator then obtained from the DMV. See 140 Cong. Rec. at H2,522 (statement of Rep. Moran); Protecting Driver Privacy: Hearing on H.R. 3365 Before the Subcomm. on Civil & Constitutional Rights , 1994 WL 212822 (Feb. 3, 1994) (testimony of David Beatty, Dir. of Pub. Affairs, Nat’l Victim Ctr.).
Accordingly, "[c]oncerned that personal information collected by States in the licensing of motor vehicle drivers was being released—even sold—with resulting loss of privacy for many persons, Congress provided federal statutory protection" through the DPPA. Maracich v. Spears , 570 U.S. 48, 51–52, 133 S.Ct. 2191, 186 L.Ed.2d 275 (2013). As characterized by the Supreme Court, the purpose of the DPPA is to "regulate[ ] the disclosure and resale of personal information contained in the records of state DMVs." Reno v. Condon , 528 U.S. 141, 143, 120 S.Ct. 666, 145 L.Ed.2d 587 (2000) ; see also id. at 144, 120 S.Ct. 666 ("The DPPA establishes a regulatory scheme that restricts the States’ ability to disclose a driver’s personal information without the driver’s consent."). Consistent with this primary objective, the first part of the DPPA expressly focuses on a state’s own records. It prohibits "[a] State department of motor vehicles" from "knowingly disclos[ing] or otherwise mak[ing] available ... personal information ... about any individual obtained by the department in connection with a motor vehicle record." 18 U.S.C. § 2721(a).
" ‘[P]ersonal information’ means information that identifies an individual, including an individual’s photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver’s status." 18 U.S.C. § 2725(3).
The DPPA’s second part, by contrast, concerns not DMVs themselves, but instead those who illicitly seek information from motor vehicle records. Section 2722 makes it unlawful "for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b)," and "for any person to make false representation to obtain any personal information from an individual’s motor vehicle record." Id. § 2722. It is this provision—along with the section that confers a private cause of action on those injured by violations of the statute, id. § 2724—on which Andrews relies to argue that Sirius XM’s conduct violated the DPPA. B. Andrews’s Claim
Such permitted uses include "use in connection with matters of motor vehicle or driver safety and theft, motor vehicle emissions, motor vehicle product alterations, recalls, or advisories, performance monitoring of motor vehicles and dealers by motor vehicle manufacturers, and removal of non-owner records from the original owner records of motor vehicle manufacturers." 18 U.S.C. § 2721(b). The statute also allows disclosure of an individual’s personal information "[f]or use in the normal course of business by a legitimate business," but only "to verify the accuracy of personal information submitted by the individual" and, "if such information as so submitted is not correct or is no longer correct, to obtain the correct information" in limited circumstances. Id. § 2721(b)(3).
To prevail on his DPPA claim, Andrews must satisfy § 2722(a) and prove that (1) Sirius XM knowingly obtained his personal information (2) from a motor vehicle record (3) for a nonpermissible use. See Taylor v. Acxiom Corp. , 612 F.3d 325, 335 (5th Cir. 2010). The first and third elements are undisputed here: Sirius XM obtained and used Andrews’s name and telephone number—"personal information" as defined by the DPPA—for nonpermissible promotional purposes. See 18 U.S.C. §§ 2721(b), 2725(3). Accordingly, the key issue on appeal is whether the documents from which Sirius XM obtained Andrews’s personal information—specifically, his driver’s license and the Form 262—qualify as "motor vehicle records" pursuant to the statute. We conclude that they do not.
The DPPA defines a "motor vehicle record" as "any record that pertains to a motor vehicle operator’s permit, motor vehicle title, motor vehicle registration, or identification card issued by a department of motor vehicles." Id. § 2725(1). Sirius XM argues that "a driver’s license cannot qualify under that definition," citing to the district court’s analysis:
[A] driver license, although it contains "personal information" contained in the records of the DMV, is not itself a "record" "contained in the records" of the DMV. Nor does it make sense to include a driver license as a "motor vehicle record" when a "motor vehicle record" is defined as "any record that pertains to a motor vehicle operator’s permit." Interpreting the statute as [Andrews] suggests and construing a "motor vehicle record" to include a driver license would render the definition’s use of both "record" and "pertains to" as surplusage because the driver license would be "pertaining" to itself and ignore the requirement that [it] also be a "record."
We are not wholly persuaded by this linguistic analysis of the DPPA. Sirius XM argues, as the district court concluded, that "construing a ‘motor vehicle record’ to include a driver license would render the definition’s use of both ‘record’ and ‘pertains to’ as surplusage," but a "record" is defined as, among other things, "[i]nformation that is inscribed on a tangible medium." Record , Black’s Law Dictionary (11th ed. 2019); see also Webster’s Third New International Dictionary 1,898 (2002) (defining "record" as "evidence, knowledge, or information remaining in permanent form (as a relic, inscription, document)"). A driver’s license is a tangible document that serves as proof of an individual’s permission to operate a motor vehicle, and can therefore be considered a "record." And, although Sirius XM raises a fair point as to whether "pertains to" would be rendered surplusage, it would make little practical sense that a photocopy of a driver’s license—which is indisputably a "record that pertains to a motor vehicle operator’s permit"—could be a qualifying motor vehicle record, but the actual license lying right next to it on the desk at the DMV, containing identical personal information, could not. We are therefore unconvinced that a driver’s license is not a "record" based solely on the wording of the statute’s definition.
But just because a driver’s license is a "record" does not necessarily mean it is a "motor vehicle record." Reading § 2722’s words "in their context and with a view to their place in the overall statutory scheme," Davis v. Mich. Dep’t of Treasury , 489 U.S. 803, 809, 109 S.Ct. 1500, 103 L.Ed.2d 891 (1989), we conclude that a driver’s license in the possession of its owner is not a qualifying "motor vehicle record" under the DPPA.
It is clear, from the legislative history and case law, that Congress was motivated to enact the DPPA by the "growing threat from stalkers and criminals who could acquire personal information from state DMVs ," as well as "the States’ common practice of selling personal information to businesses engaged in direct marketing and solicitation." Maracich , 570 U.S. at 57, 133 S.Ct. 2191 (emphases added). With this purpose in mind, we interpret § 2721—prohibiting DMVs from "knowingly disclos[ing] ... personal information," 18 U.S.C. § 2721(a) —as covering one side of the prohibited transaction. Section 2722, by contrast, covers the other side of that same transaction, by creating liability for the person who "obtain[s] or disclose[s] personal information" from the DMV’s records. Id. § 2722(a).
A driver’s license, though issued by the DMV, becomes the possession of an individual , not the DMV that issued it. Congress intended the DPPA to reflect the Privacy Act of 1974, see Protecting Driver Privacy , 1994 WL 212698 (statement of Rep. Moran) ("The bill incorporates [ ] the intent of the 1974 Privacy Act."), which defines a "record" as "information about an individual that is maintained by an agency ." 5 U.S.C. § 552a(a)(4) (emphasis added); see also Wilborn v. Dep’t of Health & Human Servs. , 49 F.3d 597, 600 (9th Cir. 1995) ("[I]f a party discloses information obtained independently of any records, such a disclosure does not violate the [Privacy] Act, even if identical information is contained in the records."), abrogated on other grounds by Doe v. Chao , 540 U.S. 614, 124 S.Ct. 1204, 157 L.Ed.2d 1122 (2004). A driver’s license in the possession of its owner is no longer maintained by the DMV, and so such a record is outside the bounds of the DPPA. The same is true of the Form 262 at issue here, which did not even pass through the DMV before the information made its way to Sirius XM.
After all, a Good Samaritan who finds a driver’s license lying on the sidewalk would probably return it to the person to whom it was issued, not to the DMV that issued it.
Put another way, we conclude that where, as here, the initial source of personal information is a record in the possession of an individual, rather than a state DMV, then use or disclosure of that information does not violate the DPPA. This conception of the DPPA’s scope is consistent both with its clear purpose, see Maracich , 570 U.S. at 51–52, 133 S.Ct. 2191 (noting Congress’s specific concern with the release of personal information by States ), and with two other circuits that have previously interpreted the statute, albeit in unpublished opinions.
See Fontanez v. Skepple , 563 F. App'x 847, 848–49 (2d Cir. 2014) ("[T]he DPPA does not protect against the use of personal information obtained from a driver’s license provided by the holder as proof of identity to gain access to a facility. ... [T]he statute was intended to bar the State from disclosing personal information obtained from DMV records without the individual’s consent."); Siegler v. Best Buy Co. of Minn. , 519 F. App'x 604, 605 (11th Cir. 2013) ("A plain reading of the DPPA makes clear that the Act was intended to prohibit only the disclosure or redisclosure of information originating from state department of motor vehicles [ ] records. ... On its face, the Act is concerned only with information disclosed, in the first instance, by state DMVs." (footnote omitted)).
Andrews contends that Sirius XM’s conduct violated the literal text of the statute. But, even if the statute could be read to cover this conduct, we will not adopt "a literal interpretation [that] ‘would thwart the purpose of the overall statutory scheme or lead to an absurd result.’ " Wilshire Westwood Assocs. v. Atl. Richfield Corp. , 881 F.2d 801, 804 (9th Cir. 1989) (quoting Brooks v. Donovan , 699 F.2d 1010, 1011 (9th Cir. 1983) ); see also Nixon v. Mo. Mun. League , 541 U.S. 125, 138, 124 S.Ct. 1555, 158 L.Ed.2d 291 (2004). As discussed above, Andrews’s expansive conception of the DPPA does not align with the statute’s clear purpose. And, although both Andrews and Sirius XM utilized a considerable quantity of briefing ink trading hypotheticals and parading various horribles in support of their respective positions, we conclude that Andrews’s position yields the more absurd results.
It would be patently unreasonable, for example, to penalize a security guard’s use of a driver’s license photograph—"personal information" under the DPPA, 18 U.S.C. § 2725(3) —on temporary security badges in office buildings and other locations. After all, "[t]he DPPA sought to ‘strike[ ] a critical balance between an individual’s fundamental right to privacy and safety and the legitimate governmental and business needs for this information.’ " Gordon v. Softech Int’l, Inc. , 726 F.3d 42, 50 (2d Cir. 2013) (second alteration in original) (quoting 140 Cong. Rec. at H2,522 (statement of Rep. Moran)). In light of this practical mindset, we will not subject a range of commonplace and innocuous activities involving driver’s licenses to potential DPPA liability. Accordingly, given that the statute was clearly intended to prevent the unauthorized, nonconsensual, and involuntary disclosure of personal information from DMV records, we conclude that Andrews’s driver’s license was not a "motor vehicle record" pursuant to the DPPA.
For that matter, it would be absurd to prosecute the Good Samaritan referenced in footnote 4, supra —a possibility under Andrews’s conception of the statute, given that returning a lost license to its owner is not an enumerated permissible use under the DPPA. See 18 U.S.C. § 2721(b).
The district court in Whitaker v. Appriss, Inc. provided further analysis on this point, noting that "[s]trange and far-reaching results follow from ... treating the license as the ‘motor vehicle record.’ " 266 F. Supp. 3d 1103, 1109 (N.D. Ind. 2017). It continued,
Any non-excepted use of information pulled off a driver’s license provided by its holder would subject the user of that information to DPPA liability. ... For example, a person who uses information on her spouse’s driver’s license information to make an order or reservation would be liable to the spouse for a DPPA violation. ... These interpretations balloon liability beyond the Act’s purpose of preventing disclosures by DMVs and misuse of information disclosed to third parties from DMVs.
Id. at 1109–10.
We acknowledge the potential abuses—such as the intrusive behavior Andrews experienced in this case—that can result from exploitation of personal information contained on an individual’s driver’s license. But we ultimately agree with the conclusion of the district court in O’Brien v. Quad Six, Inc. , which considered the use of a plaintiff’s personal information after he presented his driver’s license as identification at a nightclub:
We are sympathetic to plaintiff’s concerns about the way businesses collect and use personal information, and its implications for all of our privacies. But that is not what Congress intended the DPPA to regulate. This statute seeks to control dissemination of information collected using the coercive power of the state. It does not regulate information freely given by consumers to private businesses, such as when plaintiff tendered his driver’s license to [the nightclub].
219 F. Supp. 2d 933, 934–35 (N.D. Ill. 2002). Aggrieved plaintiffs, Andrews included, might have other statutory remedies to rectify alleged abuses of their personal information. But the DPPA—a statute concerned solely with the actions of state DMVs and those who illicitly retrieve information from them—is not the proper vehicle for such redress, where, as here, the source of that information is a driver’s license in its owner’s possession.
We similarly conclude that the Form 262—which was neither produced nor maintained by the DMV—does not constitute a "motor vehicle record" for purposes of the DPPA.
* * *
Sirius XM correctly observes that "[t]he DPPA was not designed to remedy every misuse of personal information that happened to come from a driver’s license." Instead, its scope is limited to impermissible disclosures by state DMVs to those who seek information from them. Andrews concedes that neither Sirius XM nor anyone else requested or acquired his information from the California DMV. Therefore, we conclude that Sirius XM’s conduct, annoying as it might have been, did not violate the DPPA.
II. CFAA
Andrews also challenges the district court’s conclusion that amending his complaint to add a claim under the CFAA would have been futile.
The CFAA makes it unlawful to, among other things, "intentionally access[ ] a computer without authorization" and obtain "information from any protected computer." 18 U.S.C. § 1030(a)(2). It provides a private right of action for "[a]ny person who suffers damage or loss by reason of a violation of [the statute] ... against the violator to obtain compensatory damages and injunctive relief or other equitable relief," but "only if the conduct involves 1 of the factors set forth" elsewhere in the CFAA. Id. § 1030(g). Of the five possible factors, the only one relevant to Andrews’s potential claim is that the offense caused "loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value." Id. § 1030(c)(4)(A)(i)(I). As Sirius XM correctly characterizes the situation, "[w]hether Andrews could have brought a viable CFAA claim turns on whether Andrews could plausibly allege a qualifying loss."
Andrews’s theory of loss is that he and his fellow class members were denied the profits they might have received from commodifying the personal information that Sirius XM allegedly obtained through unlawful means. His proposed amended complaint claimed that this information
was extremely valuable .... This information is what is called in the marketing industry a "hot lead." [Andrews] is informed and believes, and thereupon alleges, that the retail value of a "hot lead" of this nature and for the price point of [Sirius XM’s] subscription plans is at least $100.
Accordingly, because Sirius XM allegedly "stole the personal information without compensating [Andrews], he lost the value of that information and the opportunity to sell it."
The proposed amended complaint pleaded that Sirius XM "obtained the aforementioned valuable personal information belonging to at least 100 persons," and that therefore his claim satisfied the CFAA’s $5,000 threshold.
The CFAA, however, defines "loss" as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." Id. § 1030(e)(11). This is a narrow conception of "loss," and the definition does not include a provision that aligns with Andrews’s theory. "[I]t is a commonplace of statutory construction that the specific governs the general." Morales v. Trans World Airlines, Inc. , 504 U.S. 374, 384, 112 S.Ct. 2031, 119 L.Ed.2d 157 (1992). This "canon has full application ... to statutes such as the one here, in which a general authorization and a more limited, specific authorization exist side-by-side." RadLAX Gateway Hotel, LLC v. Amalgamated Bank , 566 U.S. 639, 645, 132 S.Ct. 2065, 182 L.Ed.2d 967 (2012). In such cases, "[t]he terms of the specific authorization must be complied with," to avoid "the superfluity of a specific provision that is swallowed by the general one." Id . Accordingly, any theory of loss must conform to the limited parameters of the CFAA’s definition. And although the definition does include "revenue lost," that refers only to losses that occurred "because of interruption of service." 18 U.S.C. § 1030(e)(11) ; see also Yoder & Frey Auctioneers, Inc. v. EquipmentFacts, LLC , 774 F.3d 1065, 1073–74 (6th Cir. 2014) ("[T]he plain language of the [CFAA] treats lost revenue as a different concept from incurred costs, and permits recovery of the former only where connected to an ‘interruption in service.’ " (alterations in original) (quoting Nexans Wires S.A. v. Sark-USA, Inc. , 166 F. App'x 559, 562 (2d Cir. 2006) )). Andrews does not—and cannot—argue that his allegedly lost revenue occurred because of an interruption of service, and so his purported injury is not cognizable under the CFAA.
We further observe that the CFAA is "an anti-hacking statute," not "an expansive misappropriation statute." United States v. Nosal , 676 F.3d 854, 857 (9th Cir. 2012) (en banc). The statute’s "loss" definition—with its references to damage assessments, data restoration, and interruption of service—clearly limits its focus to harms caused by computer intrusions, not general injuries unrelated to the hacking itself. Given this circumscribed focus, and the principle that "a general statutory term should be understood in light of the specific terms that surround it," Hughey v. United States , 495 U.S. 411, 419, 110 S.Ct. 1979, 109 L.Ed.2d 408 (1990), we will not expand the CFAA’s limited conception of loss to include the sort of injury pleaded in Andrews’s proposed amended complaint.
Andrews argues that this is "a hyper-technical interpretation of ‘loss’ " that is contrary to our decision in Creative Computing v. Getloaded.com LLC , 386 F.3d 930 (9th Cir. 2004). That case, however, does not support Andrews’s expansive interpretation of "loss." Although Creative Computing did indicate that "loss of business and business goodwill" constitutes "economic damages" within the meaning of the CFAA, id. at 935, it did so when considering the scope of recoverable damages, see 18 U.S.C. § 1030(g), not what qualifies as a predicate "loss." Whether or not a lost business opportunity can be recovered as economic damages is a different question than whether it constitutes a loss that gives rise to a civil CFAA action in the first place. Therefore, our conclusion is not inconsistent with Creative Computing .
Accordingly, the district court did not abuse its discretion when it concluded that an amendment adding a CFAA claim to Andrews’s complaint would have been futile.
CONCLUSION
The legislative history of the DPPA, and the decisions of the Supreme Court interpreting it, demonstrate that the purpose of the statute was to prevent the acquisition and exploitation of personal information from the records of state DMVs. We therefore conclude that Sirius XM did not violate the DPPA when it used personal information obtained from Andrews’s driver’s license. We further conclude that, given the CFAA’s limited conception of loss, the district court did not abuse its discretion when it denied Andrews leave to amend on futility grounds.