Tagging Damages for Violating the CAN-SPAM Act on a Social Networking Site

A registered Facebook user allegedly gained unauthorized access to 116,000 Facebook accounts and sent in excess of 7.2 million spam email messages. Facebook, Inc. v. Fisher, 2011 U.S. Dist. LEXIS 9668, at *3 (N.D. Cal. Jan. 26, 2011). 

These spam emails were designed to “phish” for log-in information from Facebook users and continue the spam email message cycle.  Id.

Facebook received over 8,000 complaints and over 4,500 people deactivated their Facebook accounts.  Fischer, at *8.

Un-friending the Defendant was not simply enough for Facebook. 

Facebook sued on the following causes of action:

(1) Violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), 15 U.S.C. § 7701 et seq.;

(2) Violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030 et seq.;

(3) Violation of Cal. Penal Code § 502; and

(4) Violation of Cal. Bus. & Prof. Code § 22948. 

Fischer, at *4.

The Plaintiff obtained a default judgment and proceeded to tag the Defendant with as many damages as possible. 

The maximum penalty under the CAN-SPAM Act allows for an award of $100 for each of the 7.2 million violations, plus aggravated damages.  Total sought:  $2,160,000,000. Fischer, at *6.

The Plaintiff also sought $500,000 under the under Cal. Bus. & Prof. Code § 22948 and requested treble damages for a total award of $1,500,000. Fischer, at *6.

The Court found that a damages award in excess of $2 billion was not proportionate to the violation of the various statutes.  Fischer, at *6.  Instead, the Court awarded statutory damages of $.50 for each CAN-SPAM Act violation for $360,000,000.  The Court also awarded damages of $500,000 pursuant to Cal. Bus. & Prof. Code § 22948.2, making the total damages $360,500,000. Fischer, at *7.  The Court declined to award treble damages.  Id.

Bow Tie Thoughts

There is a phrase from Political Science and History classes on war: Making the rubble bounce. 

Some damage awards are to prove a point, and deterrence, from future violations.  Facebook sought to prove a point to deter spammers from any phishing and other attacks on identity theft by dropping a nuclear bomb on this Defendant.  While Facebook did not vaporize the Defendant, a default damage award of $360,500,000 certainly made the rubble bounce.  It showed both the Plaintiff, and the Court, did not tolerate 116,000 people having their Facebook accounts being compromised.