Summary
limiting losses from responding to offense to situations involving damage to or impairment of computer
Summary of this case from Pinebrook Holdings, LLC v. NarupOpinion
20-CV-8686 (JPC)
07-26-2021
OPINION AND ORDER
JOHN P. CRONAN, United States District Judge.
Plaintiff Better Holdco, Inc. (“Better”) sued one of its competitors, Defendant Beeline Loans, Inc. (“Beeline”), alleging that Beeline misappropriated Better's confidential information and trade secrets. The allegations concern the actions of a former Better employee that Beeline hired. Among the claims brought by Better is one under the Consumer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, in connection with that individual's alleged accessing of Better's Facebook Ad Manager Account after he left the company. Beeline now moves to dismiss that claim. For the reasons that follow, Beeline's motion is granted, and Better's claim under the CFAA is dismissed with prejudice for its failure to sufficiently allege “loss” under the statute.
I. Background
The following facts are taken from the Amended Complaint and are assumed to be true only for purposes of the instant motion to dismiss. See Harris v. Mills, 572 F.3d 66, 71 (2d Cir. 2009).
Better and Beeline are competitors in the home mortgage industry space. Dkt. 35 (“Amended Compl.”) ¶¶ 1, 20, 32. Better, which was founded in 2014, is larger and more well-established. Id. ¶¶ 1, 20-22. In October 2018, Better hired non-party Jack Abramowitz. Id. ¶ 23. As a condition of his employment, Abramowitz promised to protect Better's confidential information. Id. ¶¶ 24-28. He also promised that for a year after the end of his employment with Better, he would not “use Company trade secret information to attempt to call on, solicit or take away any clients or prospects of the Company except on behalf of the Company.” Id. ¶ 29. Finally, he promised to participate in an exit interview in the event his employment was terminated. Id. ¶ 30.
Beeline was formed in September 2018. Id. ¶ 32. In early 2020, while he was working at Better, Abramowitz met with several Beeline executives to discuss a job opportunity. Id. ¶ 36. Better alleges that during these meetings, Beeline asked Abramowitz to share Better's confidential and proprietary information. Id. ¶ 37.
On June 15, 2020, Beeline offered Abramowitz the role of Director, Strategy & Corporate Development. Id. ¶ 40. On June 18 and 19, 2020, Abramowitz sent several of Better's highly confidential documents from his Better email address to his personal email address. Id. ¶ 41. On June 19, 2020, Abramowitz accepted the position at Beeline and informed Better he was quitting and would be seeking work at a venture capital fund. Id. ¶¶ 42-43. Abramowitz declined to participate in an exit interview and refused to reaffirm his contractual obligations to Better. Id. ¶ 44. He also retained several of Better's documents without Better's consent. Id. ¶ 45.
Abramowitz started working at Beeline on or about July 8, 2020. Id. ¶ 60. Better alleges that once Abramowitz began this employment, he provided Better's confidential and proprietary information to Beeline, id. ¶¶ 46, 52-59, and loaded confidential documents to Beeline's Google Drive, id. ¶¶ 47, 50. Then, and particularly relevant to the instant motion, during an August 2020 videoconference with Beeline's Vice President of Marketing, Jay Stockwell, Abramowitz logged onto Facebook and accessed Better's Facebook Ad Manager Account (the “Account”). Id. ¶ 51. Abramowitz and Stockwell reviewed, took screenshots of, and downloaded Better's advertising data from the Account, including information about Better's online advertising strategies. Id. This information was then loaded to Beeline's Google Drive. Id.
After Better discovered that Abramowitz had begun working at Beeline, Better's outside counsel reached out to Abramowitz and then to Beeline regarding the appropriateness of Abramowitz's involvement at Beeline. See id. ¶¶ 60-75. Beeline eventually terminated Abramowitz's employment on September 8, 2020. See id. ¶ 72. It was only after his termination from Beeline that Abramowitz finally agreed to sit for an exit interview with Better, at which he admitted to sharing Better's confidential and proprietary information. Id. ¶¶ 73-74.
Upon learning that Abramowitz had accessed the Account after he was no longer employed by Better, “Better expended substantial time and resources to investigate and address the intrusion.” Id. ¶ 75. Better's in-house counsel “conferred with Better's business personnel, who investigated access to the account and reviewed change logs, the Ad Data that was improperly downloaded, and the screenshots Abramowitz had taken of the Facebook Ad Manager Account.” Id.
B. Procedural History
Better initially filed suit on October 19, 2020, at which point it also sought emergency relief. Dkts. 1-10. Better and Beeline, however, stipulated to a preliminary injunction pursuant to which Beeline would not use or disclose any of Better's confidential information or trade secrets provided by Abramowitz. Dkts. 18, 20. Better's initial Complaint alleged five counts: (I) misappropriation of confidential information, (II) misappropriation of trade secrets in violation of the Defend Trade Secrets Act, 18 U.S.C. § 1836, (III) tortious interference with contract, (IV) aiding and abetting breach of fiduciary duty, and (V) violation of the CFAA, 18 U.S.C. § 1030, in connection with Abramowitz's access of the Account. Dkt. 1.
On December 2, 2020, Beeline filed a motion to dismiss Counts III and V of the Complaint. Dkt. 32. In response, on December 16, 2020, Better filed an Amended Complaint alleging the same Counts but adding additional factual allegations. Amended Compl. On February 5, 2021, Beeline moved to dismiss Count V. Dkts. 48, 49 (“Motion”). Better filed its opposition on February 19, 2021, Dkt. 53 (“Opposition”), and Beeline filed its reply on February 26, 2021, Dkt. 54 (“Reply”). Then, on June 17, 2021, Beeline filed a letter regarding the Supreme Court's recent decision in Van Buren v. United States, 141 S.Ct. 1648 (2021), which Beeline contends is relevant to “and arguably dispositive” of the issues in its motion, Dkt. 86, and Better filed a response addressing Van Buren later that day, Dkt. 87.
Beeline no longer seeks dismissal of Count III.
II. Legal Standard
Under Federal Rule of Civil Procedure 8(a)(2), a pleading must contain a “short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). To survive a motion to dismiss, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)). In deciding a motion to dismiss, a court must “accept all allegations in the complaint as true and draw all inferences in the non-moving parties favor, ” LaFaro v. N.Y. Cardiothoracic Grp., 570 F.3d 471, 475 (2d Cir. 2009) (citation and internal quotation marks omitted), but is “not bound to accept as true legal conclusions couched as factual allegations, ” id. at 475-76 (citing Iqbal, 556 U.S. at 681).
III. Discussion
Beeline moves to dismiss Count V, which alleges a violation of the CFAA in connection with Abramowitz's accessing of the Account without authorization or exceeding authorization. Amended Compl. ¶¶ 123-126. Better seeks to hold Beeline responsible for Abramowitz's conduct on a theory of vicarious liability because Stockwell, Beeline's Vice President of Marketing at the time, “affirmatively urged and encouraged Abramowitz to access the . . . Account.” Id. ¶ 125.
The CFAA is “a scheme ‘aimed at preventing the typical consequences of hacking.'” Van Buren, 141 S.Ct. at 1660 (quoting Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F.3d 756, 757 (6th Cir. 2020)). The CFAA “subjects to criminal liability anyone who ‘intentionally accesses a computer without authorization or exceeds authorized access,' and thereby obtains computer information.” Id. at 1652 (quoting 18 U.S.C. § 1030(a)(2)). As is relevant here, the CFAA also provides a limited private civil cause of action against a person who “knowingly accessed a computer without authorization or exceeding authorization” if the prohibited access resulted in “loss” exceeding $5,000. 18 U.S.C. § 1030(a), (g), (c)(4)(A)(i)(I)-(V); see Hancock v. County of Rensselaer, 882 F.3d 58, 63 (2d Cir. 2018) (“The scope of the civil actions permitted under [the CFAA], however, has always been limited.”).
“To state a claim for loss in excess of $5,000, Plaintiff must plead that Defendant: (1) accessed a ‘protected computer'; (2) ‘without any authorization or exceeding its authorized access'; and (3) caused ‘loss' in excess of $5,000.” LivePerson, Inc. v. 24/7 Customer, Inc., 83 F.Supp.3d 501, 511 (S.D.N.Y. 2015). Beeline argues that Count V must be dismissed because Better has failed to plead (1) “loss” within the meaning of the statute, (2) that Abramowitz's access was “unauthorized, ” and (3) that Beeline encouraged or urged Abramowitz to access the Account. Because the Court agrees that the Amended Complaint must be dismissed because it does not allege any “loss” as defined by the CFAA, it does not address Beeline's other arguments.
The Court does note that while Van Buren resolved a circuit split as to how to interpret the phrase “exceeds authorized access, ” that is not the theory that Beeline is pursuing here. Beeline states in the Amended Complaint that “[w]hile employed at Beeline, Abramowitz knowingly accessed the Better Account through a protected computer without authorization or exceeding any authorization.” Amended Compl. ¶ 124. But its entire argument in opposition to the motion to dismiss is that Abramowitz, after he left Better, gained “unauthorized” access to Better's Facebook Ad Manager Account. See Opposition at 2, 8; see also Amended Compl. ¶ 51. Van Buren thus has little relevance-and is surely not “arguably dispositive”-as to the question of whether Better has adequately pleaded that Abramowitz's access was “unauthorized.” However, as noted below, the Supreme Court's discussion of loss in Van Buren is in fact relevant to the claims before this Court.
The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). “Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” Id. § 1030(e)(8).
The Supreme Court recently clarified in Van Buren that “[t]he statutory definitions of ‘damage' and ‘loss' . . . focus on technological harms-such as the corruption of files-of the type unauthorized users cause to computer systems and data.” 141 S.Ct. at 1660; accord id. at 165960 (“The term ‘loss' . . . relates to costs caused by harm to computer data, programs, systems, or information services.”). The Van Buren Court explained that “[l]imiting ‘damage' and ‘loss' in this way makes sense in a scheme ‘aimed at preventing the typical consequences of hacking.'” Id. at 1660 (quoting Royal Truck, 974 F.3d at 760). Prior to Van Buren, courts in this District similarly interpreted the CFAA's civil remedy as requiring loss related to damage or impairment to the targeted computer. See, e.g., Deutsch v. Hum. Res. Mgmt., Inc., No. 19 Civ. 5305 (VEC), 2020 WL 1877671, at *4 (S.D.N.Y. Apr. 15, 2020) (“Losses are compensable under the CFAA only when caused by damage to or impairment of the protected device.”); New London Assocs., LLC v. Kinetic Social LLC, 384 F.Supp.3d 392, 412 (S.D.N.Y. 2019) (dismissing CFAA claim for the plaintiff's failure to adequately allege that it suffered losses because “[t]here is no allegation . . . that these alleged economic losses arose from damage to, or [the inoperability] of, any of the allegedly accessed computers”); Garland-Sash v. Lewis, No. 05 Civ. 6827 (WHP), 2011 WL 6188712, at *3 (S.D.N.Y. Dec. 6, 2011) (“CFAA defines [‘damage' and ‘loss'] narrowly.... Thus, ‘damage' or ‘loss' under CFAA are inextricably intertwined with a harm to the computer system itself, its data, or delivery of service.”); Nexans Wires S.A. v. Sark-USA, Inc., 319 F.Supp.2d 468, 478 (S.D.N.Y. 2004) (“[T]here is nothing to suggest that the ‘loss' or costs alleged can be unrelated to the computer.”), aff'd, 166 Fed.Appx. 559 (2d Cir. 2006). In affirming the district court in Nexans Wires, the Second Circuit similarly noted in an unpublished summary order that “the plain language of the [CFAA] treats lost revenue as a different concept from incurred costs, and permits recovery of the former only where connected to an ‘interruption in service.'” Nexan Wires S.A., 166 Fed.Appx. at 562 (citing Nexans Wires S.A., 319 F.Supp.2d at 477). This Court agrees with these authorities and, consistent with the Supreme Court's discussion in Van Buren, and interprets “costs of responding to an offense” as limited to situations involving damage to or impairment of the protected computer.
Better argues that the Amended Complaint survives Beeline's motion to dismiss because Better expended over $5,000 in “responding to” the CFAA violation. Opposition at 12-13. In assessing whether certain costs are properly considered the “cost of responding to an offense, ” 18 U.S.C. § 1030(e)(11), courts in this District focus on the connection between the plaintiff's response and “damage to or impairment of the protected device.” Deutsch, 2020 WL 1877671, at *4 (citing Civic Ctr. Motors, Ltd. v. Mason St. Imp. Cars, Ltd., 387 F.Supp.2d 378, 381 (S.D.N.Y. 2005)); see, e.g., Nexan Wires S.A., 166 Fed.Appx. at 563 (requiring a showing of a “connection between the . . . costs incurred . . . and ‘any type of computer investigation or repair,' or any preventative security measures or inspections” (quoting Nexans Wires S.A., 319 F.Supp.2d at 476-77)); Garland-Sash, 2011 WL 6188712, at *3 (explaining that “‘loss' under the CFAA means ‘any remedial costs of investigating the computer for damage, remedying the damage and any costs incurred because the computer cannot function while or until repairs are made'” (quoting Nexans, 319 F.Supp.2d at 474)). Thus, for example, a covered loss likely would include costs stemming from “efforts to identify, diagnose, or address damage to the protected device or from an interruption of service, ” Deutsch, 2020 WL 1877671, at *5, and the “costs involved in investigating the damage to the computer system, ” Kaufman v. Nest Seekers, LLC, No. 05 Civ. 6782 (GBD), 2006 WL 2807177, at *8 (S.D.N.Y. Sept. 26, 2006). See also Univ. Sports Pub. Co. v. Playmakers Media Co., 725 F.Supp.2d 378, 388 (S.D.N.Y. 2010) (concluding that “loss” included an audit that “sought to identify evidence of the breach, assess any damage it may have caused, and determine whether any remedial measures were needed to resecure the network”). By contrast, travel costs associated with investigating a violation and lost revenues resulting from the defendant's use of stolen information are not covered “losses.” Nexans Wires S.A., 319 F.Supp.2d at 478.
Here, Better alleges that it “expended substantial time and resources to investigate and address the intrusion.” Amended Compl. ¶ 75. Better specifies that, “[a]mong other things, Better's in-house counsel conferred with Better's business personnel, who investigated access to the [A]ccount and reviewed change logs, the Ad Data that was improperly downloaded, and the screenshots Abramowitz had taken of the . . . Account.” Id.
Although Better may technically have expended these resources in investigating Abramowitz's post-employment access to the Account, those resources are not a covered “cost of responding to an offense” under the CFAA. As Beeline points out, the Amended Complaint “fails to allege any facts that the . . . Account was damaged or required remediation, or that Better even investigated or assessed any potential damage to the Account.” Motion at 14. Indeed, it is not clear what sort of damage in the sense of “technological harm[], ” Van Buren, 141 S.Ct. at 1660, that Better could have suffered here. Better alleges only that Abramowitz downloaded and copied Better's data. It does not allege that it lost service or access to its data, or that its systems were otherwise harmed. Loss of one's competitive advantage is not “damage” or a “loss” covered by the statute. See Nexans Wires S.A., 319 F.Supp.2d at 477 (concluding that lost revenue from an interruption of service would be a covered “loss” but “lost money because . . . of the way the information was later used by defendants” would not be). And an investigation-particularly one led by counsel-into the extent of any misappropriation of confidential information is not a “cost of responding to an offense” because it is not done to identify, investigate, or remedy any covered damage. To hold otherwise would eviscerate the requirement that damage be related to a technological harm. Simply put, this is not the form of harm for which a plaintiff has recourse under the CFAA.
IV. Conclusion
Accordingly, for the aforementioned reasons, Count V of the Amended Complaint is dismissed. The Clerk of the Court is respectfully directed to terminate the motion pending at Docket Number 48.
SO ORDERED.