From Casetext: Smarter Legal Research

Cent. Bank & Trust v. Smith

United States District Court, D. Wyoming.
Aug 31, 2016
215 F. Supp. 3d 1226 (D. Wyo. 2016)

Summary

holding that a bank was "not a facility under the [SCA]" because it was not "an internet service provider or analogous to one"

Summary of this case from Cottle v. Plaid Inc.

Opinion

Case No. 15–CV–115–ABJ

08-31-2016

CENTRAL BANK & TRUST, Plaintiff, v. Frank SMITH, Mark Kiolbasa, Michelle Thomas, and Farmers State Bank, Defendants.

Chad S. Caby, Lewis Roca Rothgerber LLP, Denver, CO, for Plaintiff. Timothy Michael Stubson, Crowley Fleck, Casper, WY, for Defendants.


Chad S. Caby, Lewis Roca Rothgerber LLP, Denver, CO, for Plaintiff.

Timothy Michael Stubson, Crowley Fleck, Casper, WY, for Defendants.

ORDER GRANTING DEFENDANTS' MOTION TO DISMISS

ALAN B. JOHNSON, UNITED STATES DISTRICT JUDGE

The defendants' Motion to Dismiss (Doc. No. 9), the memorandum thereto (Doc. No. 10), the plaintiff's Brief in Opposition to Defendants' Motion to Dismiss (Doc. No. 13). and the defendants' Reply Brief in Support of Defendants' Motion to Dismiss (Doc. No. 15) are before the Court. After reviewing the parties' submissions, the pleadings, the applicable law, and being fully advised, the Court finds that the defendants' Motion to Dismiss (Doc. No. 9) should be GRANTED for the reasons stated below.

This case concerns whether the individual defendants, who were previously employees of the plaintiff, are liable for stealing clients and proprietary business information under federal and state law. First, the Court will give a factual background, discussing the relationship between the plaintiff and the defendants. Next, the Court will present the standard of review, followed by an analysis of the law and facts as to the motion to dismiss. Finally, the Court will conclude by dismissing this case.

BACKGROUND

Given the standard applicable when considering motions to dismiss, the Court is reciting the facts as alleged in the plaintiff's Complaint (Doc. No. 1).

Central Bank & Trust, the plaintiff, is a bank with its principle place of business in Lander, Wyoming. In 2008, Frank Smith, defendant, began working for Central Bank & Trust as its Chief Financial Officer. Smith's main job responsibilities were supervising and managing Central Bank & Trust's operations and financials for the Wyoming market. In 2009, in its acquisition of Bank of Wyoming, Central Bank & Trust acquired Michelle Thomas as its Assistant Cashier and Compliance Officer. The plaintiff's allegations do not address Thomas's job responsibilities. In 2010, Mark Kiolbasa joined Central Bank & Trust as the President of its Cheyenne branch. Kiolbasa's main job responsibilities were supervising the branch and monitoring an active commercial, agricultural, and personal loan portfolio totaling approximately $17.5 million.

Central Bank & Trust stores its electronic information on secure servers, which are kept under lock and key at Central Bank & Trust's Lander office. Only a select group of employees have physical access to the servers. Central Bank & Trust uses a number of electronic security protocols, including user passwords and different levels of restricted viewing rights for employees. Central Bank & Trust grants various levels of access to its electronic information based on each particular employee's responsibilities. Each employee accesses the secured information by using a user name and password to log into his or her computer.

Smith, Thomas, and Kiolbasa enjoyed nearly unfettered access to Central Bank & Trust's company information, which was electronically stored on its secured computer networks. Included in Central Bank & Trust's company information are customer details, balance sheets, income statements, overdraft reports, and new loan reports. Central Bank & Trust considers all of this information to be confidential, proprietary, and trade secret. Being as such, Central Bank & Trust alleges that this information is valuable in its industry.

When Smith, Kiolbasa, and Thomas were hired, they received a copy of Central Bank & Trust's Employee Handbook. Each executed an acknowledgement, agreeing to abide by the policies within the Employee Handbook. One policy in the handbook requires the employees to hold customer information in the strictest confidence.

On July 11, 2012, Thomas resigned her employment with Central Bank & Trust. A year and a half later, on December 23, 2013, Smith and Kiolbasa, presented a business plan to farmers State Bank, a Wyoming bank with its principal place of business located in Pine Bluffs, Wyoming. Under the plan, Smith and Kiolbasa would leave Central Bank & Trust, purchase an interest in farmers State Bank with Thomas, and begin working for Farmers State Bank. Farmers State Bank is one of Central Bank & Trust's direct competitors.

In June of 2014, six months after presenting the farmers State Bank business plan, Smith and Kiolbasa, while still employed by Central Bank & Trust, created three internet-based file transfer and storage sites, which functioned as electronic drop boxes. Smith. Thomas, and Kiolbasa transferred voluminous amounts of electronic information from Central Bank & Trust's computer system to these three drop boxes, one of which was labeled farmers State Bank. In July of 2014, Kiolbasa emailed John Gross, President of Farmers State Bank's holding company, a list of potential customers, including customers of Central Bank & Trust.

On September 10, 2014, Central Bank & Trust received notice that Kiolbasa had uploaded over one hundred megabytes of electronic data to one of the drop box accounts. Central Bank & Trust's information technology personnel informed Smith about the situation. Smith told them that Kiolbasa's uploading was work-related. The next day, September 11, 2014, Kiolbasa resigned. The day after that, on September 12, 2014, Smith and Kiolbasa signed a stock purchase agreement through which Smith, Thomas, and Kiolbasa gained a controlling interest in Farmers State Bank in exchange for around $700,000. Approximately six months later, on March 18, 2015, Smith resigned.

Central Bank & Trust alleges that Smith, Thomas, and Kiolbasa are currently employed and own an interest in Farmers State Bank. Smith, Thomas, and Kiolbasa took the information acquired from Central Bank & Trust to Farmers State Bank and allegedly used the information to steal business from Central Bank & Trust. Central Bank & Trust claims that within three weeks of Kiolbasa leaving, Farmers State Bank acquired eighteen accounts receivable from Central Bank & Trust that were worth more than $4.3 million. Central Bank & Trust asserts that the defendants continue to use this information to obtain business advantages.

On July 23, 2015, the plaintiff filed its Complaint (Doc. No. 1). The defendants filed their Motion to Dismiss (Doc. No. 9) and memorandum thereto (Doc. No. 10) on September 23, 2015. On October 12, 2015, the plaintiff filed its Brief in Opposition to Defendants' Motion to Dismiss (Doc. No. 13), contesting the motion to dismiss. On October 20, 2015, the defendants filed their Reply Brief in Support of Defendants' Motion to Dismiss (Doc. No. 15).

STANDARD OF REVIEW

In Ashcroft v. Iqbal , the Supreme Court of the United States articulated a two-step approach for district courts to use when considering a motion to dismiss under Fed. R. Civ. P. 12(b)(6). 556 U.S. 662, 679, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). First, "a court considering a motion to dismiss can choose to begin by identifying pleadings that, because they are no more than conclusions, are not entitled to the assumption of truth." Id.Iqbal clarified that "the tenet that a court must accept as true all of the allegations contained in a complaint is inapplicable to legal conclusions." and "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. at 678, 129 S.Ct. 1937.

Second, "[w]hen there are well-pleaded factual allegations, a court should assume their veracity and then determine whether they plausibly give rise to an entitlement to relief." Id. at 679, 129 S.Ct. 1937. The Court has slated that "[t]o survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face." Id. at 678, 129 S.Ct. 1937. "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. Plausibility lies somewhere between possibility and probability; a complaint must establish more than a mere possibility that the defendant acted unlawfully but the complaint does not need to establish that the defendant probably acted unlawfully. See id. "Determining whether a complaint states a plausible claim for relief will ... be a context-specific task that requires the reviewing court to draw on its judicial experience and common sense." Id. at 679, 129 S.Ct. 1937.

DISCUSSION

The plaintiff's Complaint (Doc. No. 1) contains four counts arising under federal law and six counts involving state law claims. The defendants contend that the four federal counts are legally impossible under these facts, requiring their dismissal. The defendants assert that the six state law claims therefore fall to the wayside, given the lack of diversity in this case. The plaintiff asserts otherwise, explaining that the Tenth Circuit is yet to decide the legal issue arising under the federal counts. The plaintiff contends that the current circuit split should be resolved in its favor. The plaintiff argues that, even if the federal claims must be dismissed, the state law claims deal with an important federal interest. This Court does not agree with the plaintiff's final argument, so jurisdiction in this case rests solely on this Court's interpretation of whether the plaintiff states claims for relief under the Computer Fraud and Abuse Act and the Stored Communications Act.

I. Central Bank & Trust does not state a claim for relief under the Computer Fraud and Abuse Act, because there are no alleged facts supporting the legal conclusion that the defendants acted "without authorization" or "exceed[ed] authorized access" when acquiring Central Bank & Trust's electronic information.

In the Complaint (Doc. No. 1), Central Bank & Trust alleges three claims under the Computer Fraud and Abuse Act. The first count alleges liability under 18 U.S.C. § 1030(a)(2)(A) and (C), which states as follows.

(a) Whoever—

(2) intentionally accesses a computer without authorization or exceeds authorized access , and thereby obtains—

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq. ); ... or

(C) information from any protected computer; ...

shall be punished as provided in subsection (c) of this section.

18 U.S.C. § 1030(a)(2)(A) and (C) (2016) (emphasis added). The second count alleges liability under 18 U.S.C. § 1030(a)(4). which states as follows.

Subsection (c) of this section discusses criminal penalties for violation of this statute, which are not applicable in this case. This case deals with civil liability, which is further discussed in subsection (g) of this section.

(a) Whoever—

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access , and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1–year period; ...

shall be punished as provided in subsection (c) of this section.

Id. § 1030(a)(4) (emphasis added). The third count alleges liability under 18 U.S.C. § 1030(a)(5)(C), which states as follows.

(a) Whoever—

(5)(C) intentionally accesses a protected computer without authorization , and as a result of such conduct, causes damage and loss ...

shall be punished as provided in subsection (c) of this section.

Id. § 1030(a)(5)(C) (emphasis added). These three counts, brought pursuant to the Computer Fraud and Abuse Act, involve slightly different elements. But, for this analysis, the Court need not focus on the differences, because the dispositive language in this case appears in the three statutory sections: "without authorization" and "exceeds authorized access." Before addressing the facts, a look into the meaning of these phrases is necessary.

The phrase "exceeds authorized access" is not in the statutory subsection used in count three.

This Court is not the first to see the linguistic dilemma present in this section of the Computer Fraud and Abuse Act, nor will it be the last. The definitions of "without authorization" and "exceeds authorized access" vary greatly between two sets of circuit courts. The First, Fifth, Seventh, and Eleventh Circuit interpret the statute broadly, stating the statute is violated not only when someone accesses electronic information that they are not allowed to, but also when someone accesses electronic information they are allowed to with the intent and purpose to misuse that information. See, e.g. , United States v. Rodriguez , 628 F.3d 1258 (11th Cir. 2010) ; United States v. John , 597 F.3d 263 (5th Cir. 2010) ; International Airport Centers, LLC v. Citrin , 440 F.3d 418 (7th Cir. 2006) ; EF Cultural Travel BV v. Explorica, Inc. , 274 F.3d 577 (1st Cir. 2001). Opposing that view, the Second, Fourth, and Ninth Circuit interpret the statute narrowly, stating that the statute is only violated if someone accesses electronic information they are not allowed to access. See, e.g. , United States v. Valle , 807 F.3d 508 (2nd Cir. 2015) ; WEC Carolina Energy Solutions LLC v. Miller , 687 F.3d 199 (4th Cir. 2012) ; LVRC Holdings LLC v. Brekka , 581 F.3d 1127 (9th Cir. 2009). In the Second, Fourth, and Ninth Circuit, the remedy for subsequent unlawful use of the information is not considered to be within the purview of the Computer Fraud and Abuse Act.

The Tenth Circuit has not yet addressed this issue, but district courts in the Tenth Circuit have done so. specifically in the civil context. Cloudpath Networks. Inc. v. SecureW2 B.V. , 157 F.Supp.3d 961, 972–84 (D. Colo. 2016) ; Giles Construction, LLC v. Tooele Inventory Solution, Inc. , No. 2:12–cv–37, 2015 WL 3755863, at *2–3 (D. Utah June 16, 2015) (unpublished); Koch Industries, Inc. v. Does , No. 2:10CV1275DAK, 2011 WL 1775765, at *7–9 (D. Utah May 9, 2011) (unpublished); Farmers Bank & Trust, N.A. v. Witthuhn, No. 11–2011–JAR, 2011 WL 4857926, at *3–6 (D. Kan. Oct. 13, 2011) ; U.S. Bioservices Corp. v. Lugo , 595 F.Supp.2d 1189 (D. Kan. 2009). In fact, a recent district court case involving this particular issue was appealed to the Tenth Circuit, potentially teeing it up for disposition. Tank Connection, LLC v. Haight , 161 F.Supp.3d 957, 966–70 (D. Kan. 2016). However, the parties settled the case, and the pending appeal was dismissed on July 18, 2016.

The Tenth Circuit may have had the opportunity to address this issue in a previous case, but instead focused on a different element: the definition of the phrase "obtain anything of value." Triad Consultants, Inc. v. Wiggins, 249 Fed.Appx. 38, 41 (10th Cir. 2007) (unpublished).

The district courts in the Tenth Circuit that have addressed the issue so far have followed the persuasive precedent of the Second, fourth, and Ninth Circuit. This Court agrees with the narrow interpretation of the statute and sees no reason to depart from the interpretation of sister district courts.

The narrow-interpreting circuits have approached defining "without authorization" and "exceeds authorized access" with slight differences. This Court finds the fourth Circuit's definitions of "without authorization" and "exceeds authorized access" persuasively clear.

The CFAA is concerned with the unauthorized access of protected computers. Thus, we note at the outset that "access" means "[t]o obtain, acquire," or "[t]o gain admission to." Oxford English Dictionary (3d ed.2011; online version 2012). Moreover, per the CFAA, a "computer" is a high-speed processing device "and includes any data storage facility or communications facility directly related to or operating in conjunction with such device." § 1030(e)(1). A computer becomes a "protected computer" when it "is used in or affecting interstate or foreign commerce." § 1030(c)(2).

With respect to the phrase, "without authorization." the CFAA does not define "authorization." Nevertheless, the Oxford English Dictionary defines "authorization" as "formal warrant, or sanction." Oxford English Dictionary (2d ed.1989; online version 2012). Regarding the phrase "exceeds authorized access," the CFAA defines it as follows: "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." § 1030(e)(6).

Recognizing that the distinction between these terms is arguably minute, see Citrin , 440 F.3d at 420, we nevertheless conclude based on the "ordinary, contemporary, common meaning," see Perrin v. United States , 444 U.S. 37, 42, 100 S.Ct. 311, 62 L.Ed.2d 199 (1979), of "authorization," that an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer. Thus, he accesses a computer "without authorization" when he gains admission to a computer without approval. See Brekka , 581 F.3d at 1133. Similarly, we conclude that an employee "exceeds authorized access" when he has approval to access a computer, but uses his access

to obtain or alter information that falls outside the bounds of his approved access. See id. Notably, neither of these definitions extends to the improper use of information validly accessed.

WEC Carolina Energy Sols. LLC , 687 F.3d at 204. Using these definitions, the Court will address the facts before it.

The facts alleged in the Complaint (Doc. No. 1) do not indicate that the defendants acted "without authorization" or "exceed[ed] authorized access." In fact, according to the allegations, all three employees had nearly unfettered access to the electronic information that was maintained in the employer's servers. (Doc. No. 1. pp. 4–6). There are not allegations that the employees even attempted to venture beyond their nearly unfettered access. The employees stole company information while still working for Central Bank & Trust and using the access granted to them by Central Bank & trust. This is not a violation of the Computer Fraud and Abuse Act.

The factual allegations suggest that the defendants' purpose and intent while using their authorized access made the access unauthorized. The allegations may very well state a claim in the First. Fifth, Seventh, and Eleventh Circuit. However, this Court disagrees with that particular reading of this section of the Computer Fraud and Abuse Act and believes the Tenth Circuit would follow the examples set by the Second, Fourth, and Ninth Circuit, considering the overwhelming agreement of this Court's sister districts. For the above reasons, the first three counts of the Complaint (Doc. No. 1) will be dismissed.

II. Central Bank & Trust does not state a claim for relief under the Stored Communications Act, because it does not allege facts supporting that it was a facility through which an electronic communication service was provided or that the defendants accessed information without authorization or by exceeding authorized access.

In the Complaint (Doc. No. 1). Central Bank & Trust alleges one claim under the Stored Communications Act. claiming that the defendants accessed its electronic information without authorization or by exceeding the authorization granted to them. This claim is based on 18 U.S.C. § 2701(a), which states as follows.

... whoever—

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

18 U.S.C. § 2701(a). In addition, this section includes exceptions to liability.

Subsection (b) of this section discusses criminal penalties for violation of this statute, which are not applicable in this case.
--------

Subsection (a) of this section does not apply with respect to conduct authorized—

(1) by the person or entity providing a wire or electronic communications service;

(2) by a user of that service with respect to a communication of or intended for that user;

18 U.S.C. § 2701(c). Section 2707 discusses civil action for violation of section 2701.

any provider of electronic communication service, subscriber, or other person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity, other than the United States, which engaged in that violation such relief as may be appropriate.

(b) Relief.—In a civil action under this section, appropriate relief includes—

(1) such preliminary and other equitable or declaratory relief as may be appropriate;

(2) damages under subsection (c); and

(3) a reasonable attorney's fee and other litigation costs reasonably incurred.

(c) Damages.—The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000. If the violation is willful or intentional, the court may assess punitive damages. In the case of a successful action to enforce liability under this section, the court may assess the costs of the action, together with reasonable attorney fees determined by the court.

18 U.S.C. § 2707(a) -(c).

With this count. Central Bank & Trust is attempting to put a square peg of facts in a round hole of law. The complaint fails to allege facts supporting at least two of the elements required by the Stored Communications Act. First, Central Bank & Trust does not allege facts supporting the claim that it is "a facility through which an electronic communication service is provided." To be a facility under the statute. Central Bank & Trust would need to be an electronic communication service provider.

While the SCA docs not define the term "facility," it does define the terms "electronic communication service" and "electronic storage." The statute defines an "electronic communication service" ("ECS") as "any service which provides to users thereof the ability to send or receive wire or electronic communications." 18 U.S.C. § 2510(15) (incorporated by reference in 18 U.S.C. § 2711(1) of the SCA). "Electronic storage" is defined as "(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication." Id. § 2510(17).

Courts have interpreted the statute to apply to providers of a communication service such as telephone companies, Internet or e-mail service providers, and bulletin board services, for example, in Steve Jackson Games. Inc. v. United States Secret Service , we found that the SCA applied to cover the seizure of a computer used to operate an electronic bulletin board system. 36 F.3d 457, 462–63 (5th Cir.1994). Other circuits have applied the SCA to Internet service providers. See. e.g., Councilman , 418 F.3d at 81–82 ; Theofel v. Farey–Jones , 359 F.3d 1066, 1075 (9th Cir.2004).

These cases, however, are not helpful to Garcia in establishing that an individual's computer, laptop, or mobile device fits the statutory definition of a "facility through which an electronic communication

service is provided." The Eleventh Circuit's decision in United Stales v. Steiger provides useful guidance. 318 F.3d 1039, 1049 (11th Cir.2003). In Steiger , when a hacker accessed an individual's computer and obtained information saved to his hard drive, the court held such conduct was beyond the reach of the SCA. Id. The court found that "the SCA clearly applies ... to information stored with a phone company. Internet Service Provider (ISP), or electronic bulletin board system." but does not, however, "appear to apply to the source's hacking into Steiger's computer to download images and identifying information stored on his hard-drive." Id. It noted that "the SCA may apply to the extent the source accessed and retrieved any information stored with Steiger's Internet service provider ." Id. (emphasis added).

A number of district courts that have considered this question have also concluded that "the relevant ‘facilities' that the SCA is designed to protect are not computers that enable the use of an electronic communication service, but instead are facilities that are operated by electronic communication service providers and used to store and maintain electronic storage." Freedom Banc Mortg. Servs., Inc. v. O'Harra , No. 2:11–cv–01073, 2012 WL 3862209, at *9 (S.D.Ohio Sept. 5, 2012) (emphasis added).

* * *

This reading of the statute is consistent with legislative history, as "Sen. Rep. No. 99–541 (1986)'s entire discussion of [the SCA] deals only with facilities operated by electronic communications services such as ‘electronic bulletin boards' and ‘computer mail facilit[ies],’ and the risk that communications temporarily stored in these facilities could be accessed by hackers. It makes no mention of individual users' computers ...." In re DoubleClick Inc. Privacy Litig , 154 F.Supp.2d 497, 512 (S.D.N.Y.2001) (quoting S. Rep. No. 99–541. at 36. reprinted in 1986 U.S.C.C.A.N. 3555. 3590).

Garcia v. City of Laredo, Tex. , 702 F.3d 788, 792–93 (5th Cir. 2012). Central Bank & Trust is not a facility under the statute. There is no allegation that any such facility is involved in this case. Central Bank & Trust is not an internet service provider or analogous to one. Under these alleged facts, the statute does not apply.

Second, no allegation suggests that any access by the defendants to email or stored information was unauthorized. The Tenth Circuit has not defined "without authorization" or "exceeds authorization to access" under the Stored Communications Act. Bovino v. MacMillan , 28 F.Supp.3d 1170, 1176 (D. Colo. 2014). But another district in this circuit has examined the definitions, and did so persuasively.

The SCA prohibits conduct whereby a person, without authorization, "obtains, alters, or prevents authorized access." 18 U.S.C. § 2701(a). The SCA does not prohibit obtaining or altering emails without authorization, but obtaining or altering access without authorization. See Sherman & Co. v. Salton Maxim Housewares, Inc. , 94 F.Supp.2d 817, 820 (K.D.Mich.2000). Thus, the SCA prohibits unauthorized access, not "the disclosure or use of information gained without authorization." Id. (emphasis in original); accord Wesley College v. Pitts , 974 F.Supp. 375. 389 (D.Del. 1997) ("a person who docs not provide an electronic communication service ... can disclose or use with impunity the contents of an electronic communication"); Penrose Computer Marketgroup. Inc. v.Camin , 682 F.Supp.2d 202, 211 (N.D.N.Y.2010) ("[S]ection 2701 outlaws

illegal entry, not larceny" (internal quotation marks omitted)). The SCA is therefore violated when "the trespasser gains access to information to which he is not entitled to see, not [when] the trespasser uses the information in an unauthorized way." Int'l Ass'n of Machinists & Aerospace Workers v. Werner–Masuda , 390 F.Supp.2d 479, 497 (D.Md.2005) (internal quotation marks omitted). As a matter of law, Mrs. MacMillan did not exceed the scope of her authorized access by forwarding or printing emails from Mr. MacMillan's AOL account.

Bovino v. MacMillan , 28 F.Supp.3d 1170, 1177–78 (D. Colo. 2014). Judge Philip Brimmer went on to find that a dispute of material fact existed as to the plaintiff's claim that Mrs. MacMillian exceeded the scope of her access when she prevented her ex-husband's access to emails from his attorney on his personal AOL email account. Id. at 1178–79.

In Bovino , the defendant gained access to her ex-husband's email account, because he saved his password on her computer. Id. at 1172–73. The Court found that she was authorized to access his email account, but held that a question of fact existed as to whether she was authorized to delete emails or shuffle emails to spam. Id. at 1178–79. Here, the factual allegations made by Central Bank & Trust do not clarify how the defendants "accesse[d] without authorization a facility" or "exceed[ed] an authorization to access that facility" other than to slate that the defendants "ceased to be authorized users when they began acting for the benefit of themselves and FSB, or otherwise used CB & T computers, networks and systems in an unauthorized manner." (Doc. No. 1, pp. 15–16). The Stored Communications Act is not violated when the accessor uses the information in an unauthorized way, but is violated when a "trespasser gains access to information to which he is not entitled to see." Bovino , 28 F.Supp. at 1177 citing Int'l Ass'n of Machinists & Aerospace Workers v. Werner–Masuda , 390 F.Supp.2d 479, 497 (D. Md. 2005). Central Bank & Trust makes no allegation that the defendants were accessing electronic information beyond what its information technology department authorized them to see.

The definition of authorization in the Stored Communications Act appears to compare to the definition of authorization in the Computer fraud and Abuse Act. As long as the accessor has authorization to access the particular information, allegations of a deceitful and dishonest purpose are not sufficient to slate a cause of action under both the Computer fraud and Abuse Act and the Stored Communications Act. The Stored Communications Act does not apply under the alleged facts, for that reason, Count Four of the Complaint (Doc. No. 1) must be dismissed.

III. The remaining state claims will be dismissed, because this Court, in its discretion, declines to exercise jurisdiction over them.

When a federal district court possesses original jurisdiction in a case and the claims forming the basis of that original jurisdiction are dismissed, the Court may decline supplemental jurisdiction over the state law claims. 28 U.S.C. § 1367(c)(3). In fact, this is the presumption. See Koch v. City of Del City , 660 F.3d 1228, 1248 (10th Cir. 2011) (" ‘When all federal claims have been dismissed, the court may, and usually should, decline to exercise jurisdiction over any remaining state claims' ") quoting Smith v. City of Enid ex rel. Enid City Comm'n , 149 F.3d 1151, 1156 (10th Cir. 1998). The Court, in its discretion, finds no reason why this Court should retain jurisdiction over the state law claims. All the parties are citizens of Wyoming. There is no better place for this dispute than in the courts of the State of Wyoming. For the above reasons, the remaining claims, counts live through ten, will be dismissed.

CONCLUSION

The current circuit split on the meaning of authorization within the Computer Fraud and Abuse Act is markedly deep. Three districts in the Tenth Circuit have weighed in and have done so persuasively. Although the alleged acts of the defendants walk the thin line between white collar crime and business competition, they do not fit the language Congress used for federal criminal and civil lawsuits. The Computer Fraud and Abuse Act is not an anti-sneaky, disgruntled, and deceitful employee statute. Nor is it an anti-distracted and internet-surfing employee statute. It is an anti-hacking statute. It prevents outside hacking with the "without authorization" language and inside hacking with the "exceeds authorized access" language. The Stored Communication Act docs not lit the facts of this case either. Here, the defendants were accessing information they were allowed to access while employed by Central Bank & Trust, Federal law does not allow for civil or criminal liability under the facts as alleged.

For the reasons stated above. Central Bank & Trust's claims for relief are legally insufficient. its Complaint (Doc. No. 1) lacks of a federal cause of action. These non-diverse parties may seek justice in the state courts of Wyoming. Accordingly, it is

ORDERED that the defendants' Motion to Dismiss (Doc. No. 9) shall be, and is. GRANTED .

The Court will issue judgment accordingly.


Summaries of

Cent. Bank & Trust v. Smith

United States District Court, D. Wyoming.
Aug 31, 2016
215 F. Supp. 3d 1226 (D. Wyo. 2016)

holding that a bank was "not a facility under the [SCA]" because it was not "an internet service provider or analogous to one"

Summary of this case from Cottle v. Plaid Inc.

finding that the bank's business computer network did not constitute a "facility" under the SCA because it was "not an internet service provider or analogous to one."

Summary of this case from Satcom Solution & Res. LLC v. Pope

explaining the two different ways to construe the element and favoring the narrower one

Summary of this case from MSC Safety Sols. v. Trivent Safety Consulting, LLC
Case details for

Cent. Bank & Trust v. Smith

Case Details

Full title:CENTRAL BANK & TRUST, Plaintiff, v. Frank SMITH, Mark Kiolbasa, Michelle…

Court:United States District Court, D. Wyoming.

Date published: Aug 31, 2016

Citations

215 F. Supp. 3d 1226 (D. Wyo. 2016)

Citing Cases

Satcom Solution & Res. LLC v. Pope

Unfortunately, the SCA does not define the term "facility" and the Tenth Circuit has yet to define "without…

Mathey Dearman, Inc. v. H&M Pipe Beveling Mach. Co.

Thus, an employee "accesses a computer 'without authorization' when he gains admission to a computer without…