Coll Builders Supply, Inc. v. Velez

UNITED STATES DISTRICT COURT MIDDLE DISTRICT OF FLORIDA ORLANDO DIVISION
Aug 31, 2017
Case No: 6:17-cv-933-Orl-40DCI (M.D. Fla. Aug. 31, 2017)

Opinion

COLL BUILDERS SUPPLY, INC., Plaintiff, v. ROBERT J. VELEZ, ROSALY MENDEZ RODRIGUEZ and APEX TOOL & FASTENERS, INC., Defendants.


REPORT AND RECOMMENDATION

This cause comes before the Court for consideration without oral argument on the following motions:

MOTION: DEFENDANT APEX TOOL & FASTENER, INC.'S MOTION TO DISMISS AMENDED COMPLAINT (Doc. 36)

FILED: July 10, 2017

THEREON it is RECOMMENDED that the motion be GRANTED in part and DENIED in part.

MOTION: DEFENDANTS', ROBERT VELEZ AND ROSALY MENDEZ RODRIGUEZ, MOTION TO DISMISS PLAINTIFF'S AMENDED COMPLAINT (Doc. 42)

FILED: July 24, 2017

THEREON it is RECOMMENDED that the motion be GRANTED in part and DENIED in part.

Introduction

On July 3, 2017, Plaintiff Coll Builders Supply, Inc. filed a six-count Amended Complaint that, in Count III, contained alleged violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. Doc. 27. Plaintiff alleged state law torts in Counts I, II, IV, V, and VI of the Amended Complaint. Id. The CFAA violations in the Amended Complaint gave rise to this Court's federal question jurisdiction, and the remaining state law claims came within the Court's supplemental jurisdiction.

Pursuant to Federal Rule of Civil Procedure 12(b)(6), Defendants have moved to dismiss the CFAA violations within Count III and, assuming the Court dismissed those CFAA violations, requested that the Court decline to exercise jurisdiction over the remaining state law claims and dismiss the Amended Complaint. Docs. 36; 42. Defendant Apex Tool & Fastener, Inc. moved to dismiss (Doc. 36) the Amended Complaint separately from Defendants Robert J. Velez and Rosaly Mendez Velez (collectively, the Individual Defendants) (Doc. 42).

In the Amended Complaint, within Count III, Plaintiff alleged four, separate, alternative grounds for relief under the CFAA. Specifically, Plaintiff alleged the following violations against the following Defendants:

| Para. | Statutory Citation | Summary of CFAA Violation | Defendant |
|---|---|---|---|
| 38 | 18 U.S.C. § 1030(a)(2)(C) | Intentionally obtaining information | Rodriguez |
| 39 - 41 | 18 U.S.C. § 1030(a)(4) | Knowingly, and with intent to defraud, obtaining anything of value in excess of $5,000 | Apex, Rodriguez |
| 42 | 18 U.S.C. § 1030(a)(5)(A) | Knowingly transmitting a program and intentionally causing damage | Apex, Rodriguez |
| 43 | 18 U.S.C. § 1030(b) | Conspiracy | Apex, Rodriguez, Velez |

Doc. 27 at 11-14. At the outset, it should be noted that while both § 1030(a)(2)(C) and § 1030(a)(4) may be violated by a person who acts "without authorization" or "exceeds authorized access," a person violates § 1030(a)(5)(A) only by acting "without authorization." Further, "exceeds authorized access" is not necessarily an aspect of a § 1030(b) conspiracy violation, which may be committed by entering into an unlawful agreement, and may also have as its object one or more of seven categories of CFAA violations set forth in § 1030(a). It is also noted that, although Plaintiff in the Amended Complaint generally attempts to assert a conspiracy pursuant to § 1030(b), there is no indication as to which specific violations of § 1030(a) constitute the object or objects of that conspiracy. Doc. 27 at 11, 13-14.

In addition, it must be noted that, in its Motion to Dismiss, Apex sought only to dismiss the CFAA violations made pursuant to § 1030(a)(2)(C) and § 1030(b). Doc. 36 at 1, 3, 5, 7-8. However, Apex is not even named in the § 1030(a)(2)(C) violation. Doc. 27 at 11. And, even if the Court construed the portions of Apex's motion to dismiss attacking the allegations related to "exceeding authorized access" also to be attacking the § 1030(a)(4) violation (which the undersigned will not do), Apex has made absolutely no argument to dismiss the § 1030(a)(5)(A) violation. Thus, if the Court were to grant the relief Apex actually requested, there would still remain two CFAA violations pending against Apex, this Court would still have subject matter jurisdiction over this case, and it would still be appropriate to exercise supplemental jurisdiction over the remaining state law claims. See Aquent LLC v. Stapleton, 65 F. Supp. 3d 1339, 1346 (M.D. Fla. 2014) (in the context of a Rule 12(b)(6) motion to dismiss, analyzing each alleged violation of § 1030 as a separate violation, and dismissing one of those violations while declining to dismiss the other two).

Finally, the Defendants' requests to dismiss the remaining state law claims are contingent entirely on the Court dismissing the CFAA claims in whole - there is no assertion by any Defendant that the state law claims fail to state a cause of action. See Docs. 36; 42. With that backdrop, the undersigned will consider the pending motions to dismiss.

The Allegations in the Complaint Relating to the CFAA Violations

Because the undersigned is considering motions to dismiss made pursuant to Rule 12(b)(6), the undersigned must take as true the factual allegations in the Complaint. Specifically relevant to the CFAA violations are the following factual allegations, all of which were incorporated by reference in the CFAA violations contained within Count III (all paragraph citations are to the Amended Complaint (Doc. 27)):

• Plaintiff is in the business of purchasing and selling construction tools and equipment. . . . Plaintiff expends substantial time, effort, and expense developing and maintaining information about its clients. . . . Plaintiff stores this information on a secure database. . . . Plaintiff's computer system has access to and utilizes the Internet. . . . Thus, Plaintiff's computer system is . . . a "protected computer" as defined by the Computer Fraud and Abuse Act. ¶ 6.

• Plaintiff hired Velez on August 1, 2014 as a salesman. Plaintiff subsequently hired . . . Rodriguez, on August 25, 2014 as an operating manager. As part of her employment package, Rodriguez held a 10% stake in Plaintiff. . . . Rodriguez also managed the computer system, had access to all the passwords, and was in charge of making sure that the computer system was secure once employees left the company. Through Rodriguez' position as operating manager for Plaintiff, she had access to Plaintiff's internal computer systems that contained all the confidential and proprietary information . . . . ¶ 7.

• Velez ended his employment with Plaintiff on July 11, 2016 . . . . ¶ 11.

• Rodriguez also resigned her position with Plaintiff on July 11, 2016. She simply did not show up for work, and when Plaintiff finally made contact with her in the afternoon of the 11th, Rodriguez stated that she was resigning her position effective immediately. As further confirmation that she had completely severed her relationship with Plaintiff, Rodriguez sent a text message on July 19, 2016, to Plaintiff stating that she had left a letter on the top of her desk relinquishing her 10% share of the company. ¶ 16.
• Rodriguez knew that, effective immediately after her resignation on July 11, 2016, she was no longer authorized to access Plaintiff's computer system. Plaintiff had a well-established policy that, the moment an employee leaves the company, they were no longer authorized to gain access to the computer systems and facilities. Indeed, Rodriguez had been the person at Plaintiff's business who made sure that passwords were changed each time a person left the company so that he or she could not surreptitiously gain access to Plaintiff's computer system after the employment relationship ended. During the conversation on July 11, 2016, where Rodriguez informed Plaintiff that she was resigning all connections to the company, Rodriguez and one of Plaintiff's agents discussed the fact that Rodriguez was no longer authorized to access the computer system. . . . ¶ 17.

• Rodriguez accessed Plaintiff's protected computer systems on July 20, 2016, without authorization in violation of the CFAA, 18 U.S.C. §§ 1030(a)(2)(C), (a)4, and (a)(5). Once she got into the computer system, Rodriguez improperly altered key client information in a way that would benefit her and APEX to Plaintiff's detriment. Specifically, Rodriguez changed claim orders so that they would show that certain invoices had been paid by Plaintiff's clients when, in fact, Plaintiff had not received payment. Plaintiff later learned that the clients had paid these invoices to Velez and/or Rodriguez, but that such money was never transferred to Plaintiff. To cover-up this fraud, Defendant Rodriguez illegally gained access to the Plaintiff's computer system and altered documents in intentional furtherance of this fraud against Plaintiff. Upon information and belief, the altered work orders were paid by Plaintiff's clients directly to Velez on behalf of APEX without the clients knowing that Velez was no longer working for Plaintiff. These actions resulted in Defendants pocketing the money. Rodriguez also altered billing information, deleted work orders, deleted the contact information of several of Plaintiff's important clients, deleted client credit card information, and deleted certain accounts. All of this resulted in an interruption of service and interrupted Plaintiff's business. Defendant Rodriguez illegally gained access to Plaintiff's protected computer system and altered/deleted documents and data so that APEX would receive those customers' business at a detriment to Plaintiff. Rodriguez' actions constituted violations of CFAA, 18 U.S.C. § 1030(a)(2)(C), (a)(4), and (a)(5) . . . . ¶ 18.

• Defendant Rodriguez currently works for Defendant APEX. On information and belief, Plaintiff alleges that Defendant Rodriguez began working for APEX immediately after she quit working for Plaintiff - the same time her husband/domestic partner, Velez, began working for APEX. ¶ 19.

• As a direct and proximate result of Defendants' . . . computer fraud, Plaintiff has suffered, and will continue to suffer, damages in the form of lost income, profits, and business opportunities. Through the first quarter of 2017, Plaintiff lost more than $450,000 in business as a direct result of Defendants' illegal activity. Plaintiff is attempting to mitigate damages as much as possible, but if such illegal activity is not stopped, such losses will continue in the future. Defendant Rodriguez' decision to wrongfully access Plaintiff's computer system, after her employment with Plaintiff had ended, caused Plaintiff to suffer loss in at least two ways. First, Plaintiff had to pay inside and outside people to scour its computer system, detect where the foul play had occurred and correct the damage that had been inflicted. The cost of performing such activities exceeded $5,000. Additionally, Plaintiff suffered an interruption of services occasioned by Rodriguez' deletion of Plaintiff's client contact information, work orders, credit card information and other important client information. This loss included lost revenue from Plaintiff's customers, and it far exceeds $5,000. ¶ 24.
Doc. 27 at 2-8.

In addition to the foregoing allegations, Plaintiff made specific allegations in Count III relevant to each of the four ways in which it alleged the Defendants violated the CFAA. Those violations include the following paragraphs (all paragraph citations are to the Amended Complaint (Doc. 27)):

• 18 U.S.C. § 1030(a)(2)(C) makes it unlawful for anyone to intentionally access a computer without authorization or in excess of one's authorized access, and thereby obtain information from a protected computer. Defendant Rodriguez knowingly and/or with intent to defraud Plaintiff, accessed Plaintiff's protected computer systems after her employment with Plaintiff had ended and after her authorization to access Plaintiff's computer system had been revoked to obtain information from Plaintiff's protected computer. Because of the breach into the computer system and in response thereto, Plaintiff suffered loss in excess of $5,000 as alleged more fully herein. Plaintiff alleges that the computer system at issue in this case is "protected" by the CFAA because it utilizes the internet and because it assists Plaintiff in engaging in interstate commerce and communications. ¶ 38.

• 18 U.S.C. § 1030(a)(4) makes it unlawful to knowingly and with the intent to defraud, access a protected computer without authorization (or exceeding such authorization), and by means of such conduct further an intended fraud and obtain anything of value. Defendants Rodriguez and APEX violated this section of the CFAA because Rodriguez, with the encouragement and assistance of Defendant APEX, accessed Plaintiff's protected computer, without authorization, knowingly and with the intent to defraud, committed acts furthering the intended fraud and obtained something of value. As alleged more fully herein, Rodriguez improperly deleted and altered client contact information, billing information, work orders and other important information. The work orders were doctored to show that the order had been paid by the client to Plaintiff, when, in fact, the money had been paid to Defendant APEX. ¶ 39.

• 18 U.S.C. § 1030(a)(5)(A) also makes it illegal for a person to "knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer." Unlike the claims under subsections (a)(2)(C) and (a)(4), subsection (a)(5) also requires a showing of "damage" in addition to "loss." The statute defines damage as "any impairment to the integrity or availability of data, a program, a system, or information." § 1030(e)(8). In this context, "integrity" means some diminution in the completeness or usability of data or information on a computer system. Defendants Rodriguez and APEX violated this section when Rodriguez accessed Plaintiff's protected computer without authorization and after her employment with Plaintiff ended and actually changed the data, deleted data and account information, and otherwise knowingly caused a diminution in the completeness and usability of the data in Plaintiff's computer system. This is "damage" as defined by the CFAA. Plaintiff also suffered loss in excess of $5,000 as alleged more fully herein. Thus, Defendants Rodriguez and APEX are liable to Plaintiff under this section of the CFAA as well. ¶ 42.

• As alleged more fully above, Defendant APEX is vicariously liable for Rodriguez' CFAA violations because it explicitly or implicitly took part in, encouraged, directed, induced and/or benefitted from Defendant Rodriguez' access of Plaintiff's protected computer systems. Additionally, Defendant Rodriguez and Defendant APEX are liable to Plaintiff under the conspiracy section of the CFAA contained in 18 U.S.C. § 1030(b), which creates a violation for conspiring to commit one of the offenses alleged above. Since Rodriguez conducted and performed these dishonest acts at the behest of and on the behalf of Defendant APEX, APEX is liable for Rodriguez' actions as alleged herein under both a vicarious liability theory and under the conspiracy section of the CFAA. Plaintiff further alleges that Defendant Velez was also directly involved in the conspiracy to violate the CFAA. He was a co-worker with Defendant Rodriguez while they worked for Plaintiff, left to work for Defendant APEX at the same time, and benefited from Defendant Rodriguez' illegal computer activities. Indeed, some of the work orders that Defendant Rodriguez changed and altered were for orders placed by Velez while he was still working for Plaintiff and when the clients thought they were doing business with (and were paying) Plaintiff. Thus, Velez is liable to Plaintiff under the conspiracy section of the CFAA. ¶ 43.
Doc. 27 at 11-13.

Apex's Motion to Dismiss

In its motion to dismiss, Apex asserted that the § 1030(a)(2)(C) violation should be dismissed because Rodriguez had access to Plaintiff's computer systems and thus did not "exceed authorized access" and also because Plaintiff's allegations are conclusory. Doc. 36 at 3-7. Apex asserted that the § 1030(b) conspiracy claim should be dismissed because the underlying tort claim cannot proceed and also because Plaintiff's allegations are conclusory. Doc. 36 at 7-8. As noted earlier, Apex made no motion to dismiss the aspects of Count III alleging violations of § 1030(a)(4) and § 1030(a)(5)(A).

In making its first argument, Apex relied almost entirely on a discussion of "the controlling precedent in both" Allied Portables, LLC. v. Youmans, 2015 WL 3720107 (M.D. Fla. June 15, 2015) and Enhanced Recovery Co., LLC v. Frady, 2015 WL 1470852 (M.D. Fla. March 31, 2015). Doc. 36 at 3-7. Apex asserted that, pursuant to those decisions, Rodriguez cannot be liable for exceeding authorized access because Plaintiff had previously granted her access to its computer systems. Id. Further, Apex claimed that, even if Rodriguez violated the CFAA, the decision in Enhanced Recovery would bar Apex from being vicariously liable for Rodriguez's violation of the CFAA. Id. at 5. Apex then asserted, without citation to authority, that Plaintiff's allegations are conclusory and fail to satisfy the special pleading requirements of Federal Rule of Civil Procedure 9(b). Doc. 36 at 7. As to the § 1030(b) conspiracy violation, Apex asserted that that violation should be dismissed because the underlying tort claim cannot proceed, and because Plaintiff's allegations in relation to the conspiracy are conclusory. Doc. 36 at 7-8.

Plaintiff responded that it appropriately alleged violations of the CFAA. Doc. 41. Specifically, Plaintiff asserted that the decisions in Allied Portables and Enhanced Recovery are completely inapposite because those cases involved employees who "exceeded authorized access" whilst still employed - unlike here, where it was alleged that Rodriguez accessed Plaintiff's computer systems after she was no longer employed by Plaintiff and after Plaintiff explicitly told her that she did not have authorization to access Plaintiff's systems. Id. at 7-8. Further, Plaintiff asserted that vicarious liability is allowable under the CFAA and disputed Apex's assertion that the decision in Enhanced Recovery would bar vicarious liability, pointing the Court to the actual language of that decision. Id. at 9-11. Plaintiff also asserted that it alleged facts sufficient to support its conspiracy claim under § 1030(b). Id. at 11.

Plaintiff's response is also titled as a "Motion to Strike", although the response itself does not include argument requesting such relief. Further, it is not appropriate to request affirmative relief via a motion embedded within a response. To the extent that the response incorporates a motion or request for affirmative relief, Plaintiff has failed to comply with Local Rule 3.01(g) and it is recommended that such relief be denied.

The Individual Defendants' Motion to Dismiss

In their motion to dismiss, the Individual Defendants made a generalized argument pursuant to Rule 12(b)(6), while also citing to Rule 9(b), that the CFAA violations within the Amended Complaint should be dismissed. Doc. 42 at 5-14. At one point in the motion, the Individual Defendants asserted that the sole federal claim is a "violation of 18 U.S.C. § 1030(a)(2)(C), (a)(4), and (a)(5)," without reference to the § 1030(b) conspiracy. Doc. 42 at 6. At another point, the Individual Defendants described the "one federal claim" in the Amended Complaint as an allegation that "Rodriguez, knowingly and with intent to defraud accessed [Plaintiff's] internal computer on July 20, 2016, for the benefit of" Velez and Apex - which, although not identified as such, is a reference to the elements of a violation of § 1030(a)(4). Id. at 7. But in yet another portion of the Individual Defendants' motion, they stated generally that the elements of the CFAA claim at issue are the elements of a violation of § 1030(a)(2)(C), although the elements identified by the Individual Defendants are not identified as such. Doc. 42 at 8. There is also a portion of the motion attacking the conspiracy allegation as insufficient. Id. at 12. The remainder of the motion attacked the plausibility of the allegations, and asserted that the allegations are not true. Id. at 8-14. Although § 1030(a)(5) was mentioned in passing at the outset of the Individual Defendants' motion, the Individual Defendants' motion does not contain any particular arguments attacking the sufficiency of the § 1030(a)(5)(A) allegations contained within Count III of the Amended Complaint.

Plaintiff responded that it appropriately alleged violations of the CFAA, and requested that the Court consider the arguments Plaintiff made in response to Apex's motion to dismiss. Doc. 43. In addition, Plaintiff requested that the Court not consider the Individual Defendants' factual challenges to the Amended Complaint, which, it was asserted, are best made at the summary judgment stage. Id. Finally, Plaintiff asserted that Rule 9(b) does not apply to pleading under the CFAA. Doc. 43.

The Rule 12(b)(6) Standard

In considering a motion to dismiss, a court must view the challenged complaint in the light most favorable to the plaintiff. See, e.g., Jackson v. Okaloosa Cty., Fla., 21 F.3d 1531, 1534 (11th Cir. 1994). The court is limited in its consideration to the pleadings and any exhibits attached to those pleadings. Fed. R. Civ. P. 10(c); see also GSW, Inc. v. Long Cty., Ga., 999 F.2d 1508, 1510 (11th Cir. 1993). And the court will liberally construe a plaintiff's allegations in the complaint in the plaintiff's favor. Jenkins v. McKeithen, 395 U.S. 411, 421 (1969). But "conclusory allegations, unwarranted factual deductions or legal conclusions masquerading as facts will not prevent dismissal." Davila v. Delta Air Lines, Inc., 326 F.3d 1183, 1185 (11th Cir. 2003). As has recently been succinctly explained in this District:

In reviewing a complaint on a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6), "courts must be mindful that the Federal Rules require only that the complaint contain 'a short and plain statement of the claim showing that the pleader is entitled to relief.'" U.S. v. Baxter Intern., Inc., 345 F.3d 866, 880 (11th Cir. 2003) (citing Fed. R. Civ. P. 8(a)). This is a liberal pleading requirement, one that does not require a plaintiff to plead with particularity every element of a cause of action. Roe v. Aware Woman Ctr. for Choice, Inc., 253 F.3d 678, 683 (11th Cir. 2001). However, a plaintiff's obligation to provide the grounds for his or her entitlement to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 554-55 (2007). The complaint's factual allegations "must be enough to raise a right to relief above the speculative level," id. at 555, and cross "the line from conceivable to plausible." Ashcroft v. Iqbal, 556 U.S. 662, 680 (2009).
Destra v. Demings, No. 6:15-cv-1143-Orl-31TBS, Doc. 46 at 3-4 (M.D. Fla. Nov. 10, 2015).

The CFAA

The CFAA was designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to "access and control high technology processes vital to our everyday lives." LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir. 2009) (quoting H.R. Rep. 98-894, 1984 U.S.C.C.A.N. 3689, 3694 (July 24, 1984)). The CFAA is primarily a criminal statute, but also provides a private right of action to "[a]ny person who suffers damage or loss by reason of a violation of this section," who "may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief." 18 U.S.C. § 1030(g).

"The CFAA defines seven categories of conduct that can give rise to civil or criminal liability. . . ." Trademotion, LLC v. Marketcliq, Inc., 857 F. Supp. 2d 1285, 1289-90 (M.D. Fla. 2012) (citing 18 U.S.C. § 1030(a)(5)(C)). Those seven categories of conduct are contained within § 1030(a)(1) through (7). The first category of conduct relevant here is prohibited by the CFAA in § 1030(a)(2)(C), which provides that whoever "intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains . . . information from any protected computer" commits an offense. Second, § 1030(a)(4) provides that whoever "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value" also commits an offense. Third, one who "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage to a protected computer" commits an offense under § 1030(a)(5)(A). Finally, while a criminal defendant may be held liable for attempting or conspiring to commit a violation of one of those seven subsections, § 1030(b), it remains a somewhat unsettled question of law as to whether a civil defendant may be held liable for attempting or conspiring to violate the CFAA. See Agilysys, Inc. v. Hall, -- F. Supp. 3d --, 2017 WL 2903364, at *4 (N.D. Ga. May 25, 2017) (dismissing a § 1030(b) conspiracy violation in a civil complaint for a failure to state a claim, and also citing to authority suggesting that such a conspiracy may not be a viable claim in a civil action).

To establish civil liability under the CFAA, a plaintiff must make an additional showing: "A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(I)." 18 U.S.C. § 1030(g). As relevant here, in order to establish civil liability, a plaintiff must show that a defendant violated subsection (I) by causing "loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value." 18 U.S.C. § 1030(c)(4)(A)(i)(I). Such losses are limited to economic damages, 18 U.S.C. § 1030(g), and may include "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." 18 U.S.C. § 1030(e)(11).

Discussion

In the Amended Complaint, Plaintiff attempted to allege three substantive violations of the CFAA and one conspiracy violation. The undersigned will consider the substantive violations first, and then the conspiracy violation. Ultimately, the undersigned finds that Plaintiff has sufficiently alleged substantive violations of the CFAA, but that the conspiracy violation made pursuant to § 1030(b) is insufficient and should be dismissed.

The Substantive Violations

As to the substantive violations (i.e., the violations of 18 U.S.C. § 1030(a)(2)(C), (a)(4), and (a)(5)(A)), the undersigned finds that Plaintiff has made specific, detailed factual allegations that address each element of those violations. Indeed, the undersigned has taken the somewhat unusual step of block-quoting much of the Amended Complaint in this report for the simple reason that the factual allegations stand on their own, and state appropriately specific and detailed factual allegations to support the alleged violations. See supra (quoting Doc. 27 at 2-8, 11-13). And thus there is no basis for Defendants' arguments that the allegations within the Amended Complaint are conclusory or lack plausibility.

Specifically, as to Rodriguez (who it is alleged violated each substantive provision at issue in the Amended Complaint), it was alleged that Plaintiff maintained computer systems that housed valuable commercial information; that those computer systems were connected to the Internet and thus were protected computers under the CFAA; that Rodriguez had authorized access to those computer systems while she was employed by Plaintiff; that Rodriguez's employment with Plaintiff ended; that Rodriguez's authorized access to Plaintiff's computer systems was terminated when her employment ended; that Rodriguez knew she no longer had authorized access to Plaintiff's computer systems, both because she had enforced such a policy in the past on behalf of Plaintiff and because Plaintiff affirmatively told her so; that, thereafter, Rodriguez accessed Plaintiff's computer systems without authorization; and, in doing so, Plaintiff obtained something valued in excess of $5,000.00 (i.e., information), and intentionally caused in excess of $5,000.00 in damage to Plaintiff's computer systems. Doc. 27 at 2-8, 11-13. Finally, it is alleged that Rodriguez acted knowingly and with an intent to defraud. Id. at 11-13. Those factual allegations (concerning which the Amended Complaint has additional, factual elaboration) are sufficient to establish that Rodriguez violated each of 18 U.S.C. § 1030(a)(2)(C), (a)(4), and (a)(5)(A).

The Defendants also attacked Rodriguez's liability for the substantive violations on the basis that the decisions in Allied Portables and Enhanced Recovery undercut Plaintiff's overall legal theory in the Amended Complaint. Defendants' reliance on those cases is entirely without merit for a number of reasons. First, the decisions in Allied Portables and Enhanced Recovery involved cases in which an employee used their authorized access - while employed - to obtain information for a nefarious, and otherwise "unauthorized," purpose. Allied Portables, 2015 WL 3720107, at *2; Enhanced Recovery, 2015 WL 1470852, at *1-2. The courts in those decisions made findings that such conduct did not fall within the purview of the CFAA; findings that are in line with the "narrow" interpretation of "exceeding authorized access" under the CFAA. Allied Portables, 2015 WL 3720107, at *3-7; Enhanced Recovery, 2015 WL 1470852, at *2. As noted by Plaintiff in its responses, the issue of a "broad" versus a "narrow" interpretation of "exceeding authorized access" under the CFAA is an ongoing debate and the subject of a split amongst federal courts, and the undersigned expresses no position on that issue at this time, because deciding that issue is not necessary to determining the motions before the Court. See Agilysys, Inc. v. Hall, -- F. Supp. 3d --, 2017 WL 2903364, at *4 (N.D. Ga. May 25, 2017) ("The Court recognizes the split in this District as well as across the Circuits regarding the broad and narrow views of the CFAA and the use of information versus the access to information.") (collecting cases); compare Enhanced Recovery, 2015 WL 1470852, at *2 (following the "narrow" interpretation), with Aquent LLC v. Stapleton, 65 F. Supp. 3d 1339, 1346 (M.D. Fla. 2014) (following the "broad" interpretation).

Here, the only substantive violations in the Amended Complaint that involve the "exceeding authorized access" language are the alleged violations of § 1030(a)(2)(C) and § 1030(a)(4). Doc. 27 at 11-12. However, a defendant can also violate those sections if the access at issue is simply "unauthorized." In the Amended Complaint, Plaintiff alleges that Rodriguez's access was "unauthorized" under the CFAA, and alleges specific facts in support of that allegation - specifically, that Rodriguez was terminated, knew she no longer had authorized access to Plaintiff's computer systems, and nevertheless knowingly, intentionally, and with intent to defraud accessed those computer systems to steal information and do damage. Doc. 27 at 2-8, 11-13. Thus, liability in this case, as alleged in the Amended Complaint, does not hinge on whether Rodriguez, while employed with Plaintiff, exceeded her authorized access. Therefore, Allied Portables and Enhanced Recovery are completely inapposite. Defendants do not address this distinction but, regardless, it is fatal to that aspect of their motions. While Defendants also argued in their motions that Rodriguez did have authorized access to Plaintiff's computer systems after she resigned as an employee of Plaintiff (and thus the allegations in the Amended Complaint are false), that is an issue of potentially disputed fact, more appropriate for summary judgment or trial.

Although Plaintiff also asserted within the body of Count III that Rodriguez "exceeded authorized access" in relation to the alleged violations of § 1030(a)(2)(C) and § 1030(a)(4), the fact remains that the foregoing allegations state a claim that Rodriguez simply acted "without authorization," an alternative and sufficient means of violating those subsections of § 1030(a).

In addition, in reliance upon Enhanced Recovery, Apex asserted that it cannot be held vicariously liable for Rodriguez's violation of § 1030(a)(2)(C) of the CFAA. Doc. 36 at 5. Again, Plaintiff did not allege in the Amended Complaint that Apex violated § 1030(a)(2)(C) of the CFAA. Doc. 27 at 11-12. Nonetheless, the undersigned agrees with Plaintiff that Apex's reading of Enhanced Recovery is incorrect. Indeed, as explained by Plaintiff, the report and recommendation in Enhanced Recovery, which report ultimately was not adopted by the district judge, found that the CFAA supported a theory of vicarious liability. Enhanced Recovery Co., LLC v. Frady, No. 3:13-CV-1262-J-34JBT, 2015 WL 1470839, at *6 (M.D. Fla. Jan. 20, 2015), report and recommendation adopted in part, rejected in part, 2015 WL 1470852 (M.D. Fla. Mar. 31, 2015). When the district judge rejected the report and recommendation, the rejection was on the basis of the issue (already addressed supra) concerning the "broad" versus "narrow" interpretation of "exceeds authorized access." Enhanced Recovery, 2015 WL 1470852, at *6-11. The rejection had nothing to do with the magistrate judge's discussion of vicarious liability under the CFAA. Id. In fact, as Plaintiff notes in its response, the district judge in Enhanced Recovery stated in a footnote that the court did "not necessarily disagree with the proposition that a third party could be held vicariously liable for directing a person to exceed authorized access to a protected computer." 2015 WL 1470852, at n.10. And in the report and recommendation in Enhanced Recovery, the magistrate judge noted several cases supporting such vicarious liability with which, as did the magistrate judge in that case, the undersigned agrees. Enhanced Recovery, 2015 WL 1470839, at *6 (citing Binary Semantics Ltd. v. Minitab, Inc., 2008 WL 763575, at *5 (M.D. Pa. Mar. 20, 2008) ("[T]he complaint sufficiently alleges that defendant Asha was acting at the direction of Minitab when she allegedly accessed plaintiff's protected computer and stole plaintiff's trade secrets. Therefore, we conclude that Minitab may be held liable for the CFAA violation.") and Se. Mech. Servs. v. Brody, 2008 WL 4613046, at *14 (M.D. Fla. Oct. 15, 2008) ("Where a new employer seeks a competitive edge through the wrongful use of information from the former employer's computer system, plaintiff will likely win on the merits of a CFAA claim.")); see also NetApp, Inc. v. Nimble Storage, Inc., 41 F. Supp. 3d 816, 835 (N.D. Cal. 2014) ("As to vicarious liability, courts have held that an employer can be vicariously liable for an employee's violations of the CFAA if those transgressions occur in the scope of employment or the employer directs the employee's conduct."); but see, e.g., Doe v. Dartmouth-Hitchcock Med. Ctr., 2001 WL 873063, at *5 (D.N.H. July 19, 2001) ("Expanding the private cause of action created by Congress to include one for vicarious liability against persons who did not act with criminal intent and cannot be said to have violated the statute . . . would be entirely inconsistent with the plain language of the statute.").

The undersigned notes that the issue discussed in cases like Doe v. Dartmouth-Hitchcock Med. Ctr., i.e., can there be civil liability for one not the "violator" as that term is used in § 1030(g), is an issue that, at best, was raised only tangentially by Defendants, and is not actually a basis upon which Defendants requested relief in the motions.

Here, Plaintiff alleged in the Amended Complaint that Apex is vicariously liable for Rodriguez's violations of the CFAA, stating explicitly that Apex is liable for Rodriguez's violations of § 1030(a)(4) and § 1030(a)(5)(A). Doc. 27 at 12-13. In support, Plaintiff alleged that "APEX is vicariously liable for Rodriguez' CFAA violations because it explicitly or implicitly took part in, encouraged, directed, induced and/or benefitted from Defendant Rodriguez' access of Plaintiff's protected computer systems." Id. at 13. Further, Plaintiff made factual allegations in various parts of the Amended Complaint that: Apex was a direct competitor of Plaintiff; Apex aggressively recruited Velez, who ended his employment with Plaintiff on July 11, 2016 and immediately began using Plaintiff's confidential information to benefit Apex; Rodriguez ended her employment with Plaintiff on July 11, 2016 and immediately began working for Apex as well; thereafter, Rodriguez accessed Plaintiff's computer systems and stole confidential information and caused damage in a way that would benefit Apex and harm Plaintiff, including by altering work orders and invoices that caused Plaintiff's clients to pay Velez on behalf of Apex, and altering and deleting data from Plaintiff's computer systems so that Apex would receive Plaintiff's customers' business; Rodriguez currently works for Apex; "APEX directly or indirectly took part in, encouraged, directed, induced and/or benefitted from both Rodriguez' and Velez' efforts to obtain Plaintiff's trade secrets, alter Plaintiff's computerized documents and data, and steal Plaintiff's money and clients"; and APEX continues to benefit financially from the wrongful use of Plaintiff's information. Doc. 27 at 2-8, 11-14. 
The undersigned finds that those allegations, taking the Amended Complaint as a whole, are sufficient to allege that Apex is vicariously liable for Rodriguez's violations of § 1030(a)(4) and § 1030(a)(5)(A), and that such vicarious liability is a viable theory under the CFAA.

Finally, as to the substantive violations of the CFAA, Defendants asserted, without legal support, that the alleged violations of the CFAA at issue here are subject to the heightened pleading standard of Rule 9(b). To the contrary, as identified by Plaintiff, the case law indicates that, despite the title "Computer Fraud and Abuse Act," Rule 9(b) does not apply to violations brought under the CFAA. Further, only one alleged violation at issue in the Amended Complaint even involves, as an element, an "intent to defraud" - the alleged violation of § 1030(a)(4). And even in regards to the § 1030(a)(4) violation, courts have found that Rule 9(b)'s heightened pleading standard does not apply. See NetApp, Inc., 41 F. Supp. 3d at 833 (distinguishing violations of § 1030(a)(2)(C) and § 1030(a)(5), which involve no element of an intent to defraud, from § 1030(a)(4) violations, which do involve an intent to defraud, but nonetheless finding that Rule 9(b) does not apply to any of those violations). Here, even if Rule 9(b) did apply, the undersigned finds that the allegations contained within the Amended Complaint "state with particularity the circumstances constituting fraud," understanding that "intent, knowledge, and other conditions of a person's mind may be alleged generally." Recently, a district court in this Circuit, faced with a similar issue, came to a similar conclusion:

Additionally, Defendants argue that Plaintiff's claim must fail because the heightened pleading standard of Fed. R. Civ. P. 9(b) applies to Plaintiff's claim under § 1030(a)(4) and that Plaintiff has failed to meet the 9(b) standards. While the Eleventh Circuit has not taken a position about whether § 1030(a)(4) requires a heightened pleading standard, there is a split among the courts. 1 Data Sec. & Privacy Law § 9:18, "Pleading requirements under the CFAA, (2016) ("There is a split in authority regarding whether Plaintiffs must allege a CFAA claim with particularity under Federal Rule of Civil Procedure 9(b)."); see Sprint Nextel Corp. v. Simple Cell, Inc., No. CIV. CCB-13-617, 2013 WL 3776933, at *6 (D. Md. July 17, 2013) ("The balance of authority, however, appears to support the view that Rule 9(b) does not apply to § 1030(a)(4)"); Motorola, Inc. v. Lemko Corp., 609 F.Supp.2d 760, 765 (N.D. Ill. 2009) ("Rule 9(b)'s requirement ... quite plainly applies to section 1030(a)(4)'s requirement that the defendant's acts further the intended fraud.").

Nevertheless, the Eleventh Circuit has instructed that "[b]ecause fair notice is perhaps the most basic consideration underlying Rule 9(b), the plaintiff who pleads fraud must reasonably notify the defendants of their purported role in the scheme." Brooks v. Blue Cross & Blue Shield of Florida, Inc., 116 F.3d 1364, 1381 (11th Cir. 1997) (quotations and citation omitted). Plaintiff pleaded facts as to the time, place, and substance of Hall's allegedly fraudulent acts. After a review of the Amended Complaint, the Court finds that Plaintiff has sufficiently pled its § 1030(a)(4) claim to give Hall fair notice of the CFAA claim against him and reasonably notified him of his role in the fraud.
Agilysys, 2017 WL 2903364, at *5-6. Here, the specific factual allegations include details of the exact date of the alleged fraud, the alleged perpetrator, the nature of the information obtained, stolen and damaged, the allegedly fraudulent purpose for which the information was obtained, stolen and damaged (including the intent of the alleged perpetrator), the value of the information obtained, stolen and damaged, and the reason for its value, amongst other things. Doc. 27 at 2-8, 11-13. As alleged, the Amended Complaint satisfies Rule 9(b) and reasonably notifies Defendants of the alleged fraud. Thus, it is unnecessary for this Court to decide explicitly the issue of whether Rule 9(b) actually applies to the CFAA violations at issue in the Amended Complaint.

The Conspiracy Violation

In relation to the alleged conspiracy in violation of § 1030(b), the undersigned finds that the allegations contained within the Amended Complaint are insufficient. In the Amended Complaint, Plaintiff asserted that Apex, Rodriguez, and Velez were involved in a conspiracy on the basis of the following allegations:

Additionally, Defendant Rodriguez and Defendant APEX are liable to Plaintiff under the conspiracy section of the CFAA contained in 18 U.S.C. § 1030(b), which creates a violation for conspiring to commit one of the offenses alleged above. Since Rodriguez conducted and performed these dishonest acts at the behest of and on the behalf of Defendant APEX, APEX is liable for Rodriguez' actions as alleged herein under both a vicarious liability theory and under the conspiracy section of the CFAA. Plaintiff further alleges that Defendant Velez was also directly involved in the conspiracy to violate the CFAA. He was a co-worker with Defendant Rodriguez while they worked for Plaintiff, left to work for Defendant APEX at the same time, and benefited from Defendant Rodriguez' illegal computer activities. Indeed, some of the work orders that Defendant Rodriguez changed and altered were for orders placed by Velez while he was still working for Plaintiff and when the clients thought they were doing business with (and were paying) Plaintiff. Thus, Velez is liable to Plaintiff under the conspiracy section of the CFAA.
Doc. 27 at 13-14. Thus, relying primarily upon its allegations of vicarious liability, Plaintiff asserted in the Amended Complaint that "since" Rodriguez acted "at the behest of" Apex, Apex is liable under the CFAA as a co-conspirator. Id. at 13. Plaintiff then alleged that "Velez was also directly involved in the conspiracy," and made factual allegations that Velez: was Rodriguez's co-worker; left for Apex at the same time as Rodriguez; and benefited from Rodriguez's illegal conduct. Id. at 13-14.

Although some of these allegations were also made in the "Statement of the Case" portion of the Amended Complaint (Id. at 2-8), including some additional factual detail, the "Statement of the Case" portion of the Amended Complaint does not add to the foregoing allegations in any material way.

The crux of a conspiracy is an agreement to violate the law. See Agilysys, 2017 WL 2903364, at *6 (explaining that a "claim under section [1030](b) requires evidence of an agreement and common activities in furtherance of the unlawful act.") (quoting Welenco, Inc. v. Corbell, 126 F. Supp. 3d 1154, 1176 (E.D. Cal. 2015) (collecting various cases holding the same and citing Trademotion, 857 F. Supp. 2d at 1294)). Here, Plaintiff has made an allegation that a conspiracy existed, but Plaintiff has not pled facts supporting that legal allegation, and specifically has not pled facts that allege an agreement to violate the law. Even assuming that the factual allegations set forth in the Amended Complaint are true, factual allegations that two co-workers (Rodriguez and Velez) left an employer at the same time, and one's illegal activity benefited another, are not sufficient to establish - or plead - the existence of a conspiracy.

In addition, the conspiracy allegation fails because the Amended Complaint does not state the object of the conspiracy. Where, as here, there are various, separate theories of § 1030(a) stated as substantive violations, a single, general § 1030(b) allegation of a conspiracy, without a reference to the objects of that conspiracy (by relevant factual allegations or even through citation), fails to put Defendants on notice of what it is that Plaintiff alleges they conspired to do.

Further, and also because there are no factual allegations supporting an agreement, there are no factual allegations concerning who agreed with whom and, more importantly, who at Apex agreed with Rodriguez, resulting in liability for Apex as a conspiring business entity. A corporation can only act through its employees and agents. Assuming - as the undersigned finds - that the factual allegations are insufficient to establish Velez as a co-conspirator of Rodriguez, Apex cannot be held to have conspired with Rodriguez if Rodriguez is the only individual conspirator and the one acting on behalf of Apex - one cannot conspire with themselves. See McAndrew v. Lockheed Martin Corp., 206 F.3d 1031, 1036 (11th Cir. 2000) (explaining, in the context of the intracorporate conspiracy doctrine, that "just as it is not legally possible for an individual person to conspire with himself, it is not possible for a single legal entity consisting of the corporation and its agents to conspire with itself").

Thus, for all of the foregoing reasons, the § 1030(b) violation fails the basic pleading standard of Rule 8(a) that requires Plaintiff make "a short, plain statement of the claim showing the pleader is entitled to relief." See Trademotion, 857 F. Supp. 2d at 1289-90 (recommending dismissal of § 1030(b) conspiracy due to insufficient factual allegations to establish a "knowing agreement with another to commit [an] unlawful act"). Accordingly, it is recommended that the Court dismiss Count III to the extent that it alleges a conspiracy in violation of § 1030(b). If this recommendation is adopted, it would result in there being no claim for relief under the CFAA against Velez, as he is only alleged to have violated the CFAA by conspiring to violate that statute.

State Law Claims

The only basis to dismiss the state law claims set forth in the motions to dismiss was the argument that, if the Court dismisses the CFAA claims as a whole, then the Court should decline to exercise supplemental jurisdiction over the remaining state law claims. Doc. 36 at 8-9; 42 at 14-15. If the undersigned's recommendation is adopted as to the CFAA claims, and the federal claims remain as to Apex and Rodriguez, then it is respectfully recommended that the Court retain supplemental jurisdiction over the remaining state law claims, including those against Velez.

If the recommendation is not adopted as to the CFAA claims, and the Court dismisses the CFAA claims in their entirety, then the undersigned respectfully recommends that the Court should decline to exercise jurisdiction over this case and dismiss without prejudice the remaining state law claims, such that Plaintiff can file its action in state court.

Conclusion

Accordingly, it is respectfully RECOMMENDED that:

1. Apex's motion to dismiss (Doc. 36) be GRANTED in part, in that the § 1030(b) conspiracy violation contained within Count III of the Amended Complaint be DISMISSED as it relates to Apex, and that the motion to dismiss be DENIED in all other respects;

2. The Individual Defendants' motion to dismiss (Doc. 42) be GRANTED in part, in that the § 1030(b) conspiracy violation contained within Count III of the Amended Complaint be DISMISSED as it relates to Rodriguez and Velez, and that the motion to dismiss be DENIED in all other respects; and

3. That, if the foregoing recommendations are accepted, Plaintiff be given 14 days from the date the Court enters its Order to file a second amended complaint, if it so chooses.

DONE AND ORDERED in Orlando, Florida on August 31, 2017.

/s/_________

DANIEL C. IRICK

UNITED STATES MAGISTRATE JUDGE

Copies furnished to:
Counsel of Record
Unrepresented Parties


Citing Cases

The Phx. Co. v. Castro-Badillo

Plaintiff cites to Coll Builders Supply, Inc. v. Velez, 2017 WL 4158661, at *9 (M.D. Fla. 2017), in…

C. Pepper Logistics v. Lanter Delivery Sys.

First, there appears to be some question as to whether § 1030(b) could provide a conspiracy claim here. See…