Opinion
19 Civ. 9233 (LLS)
04-07-2020
PROFESSIONAL BULL RIDERS, LLC, Plaintiff, v. INFRONT X, LLC a/k/a iX.co f/n/a OMNIGON COMMUNICATIONS LLC, Defendant.
OPINION & ORDER
The point to be decided on this motion to dismiss the complaint is very narrow. It does not call for appraisals of the merits of any of the claims. It seeks only the determination that because the terms of a federal criminal statute were not violated, there was no federal crime to support federal jurisdiction over a related civil claim. Since that claim is the only source of federal jurisdiction over the remaining common law claims of breach of contract, they should be dismissed without prejudice to their prosecution in a New York state court.
The Background Setting
Professional Bull Riders, LLC ("PBR") wished to redesign the architecture of its website which is a critical part of its business model, providing information, merchandise, video and event ticketing opportunities to tens of millions of fans of professional bull-riding (complaint ¶ 1). It entrusted access to its website to defendant iX, giving iX effective control, limited to implementing the agreed website design, id ¶¶ 2,3. That included only "open source" code elements, of a kind to be agreed, but not proprietary code. id ¶5. The parties agreed on an open source platform any web professional could maintain and upgrade, although iX's preference would have been its proprietary "Corebine" software platform. id ¶¶ 5-7. Nevertheless, iX in later phases of the project planted proprietary code in critical places within the website. id ¶ 4.
The project encountered more and more difficulties in completing the redesign, and missed its expected launch date by four months. Out of desperation, iX began using proprietary Corebine elements from previous projects as a shortcut. id ¶¶ 8, 9. iX's president assured PBR that these were not meaningful. id ¶ 10.
Despite the parties' efforts, the project's difficulties remained daunting. As the complaint describes:
Throughout 2019, PBR struggled with a wide array of bugs and substantive problems with the functioning of the website, many of which iX ultimately failed to resolve. As late as July 2019, despite ongoing work alongside iX (for which iX demanded more money), PBR was still maintaining a list of well over 100 problems and needs for the site, of which eight were critical (including severe disruptions to video playback), 64 were within iX's original scope, and 44 were clearly identified as "bugs." id. ¶ 12
In light of the specificity and narrow focus of the single law question presented, it would serve no purpose to elaborate on the claims generated by the project's tribulations. Its history is summarized in paragraphs 54-63 of the complaint: ¶ 54, 56-63
54. PBR did not sign up to be a Corebine customer. It contracted instead for a custom solution, independent of the Corebine system, built from "open source" code. (Id.) It only accepted the website in the end on the promise, explicitly
stated by iX's president, that the design was not reliant on off-the-shelf Corebine elements, as the websites of many of iX's other customers are.
56. Early on in the website project, the parties agreed on various parameters for the work, and in a number of meetings, conversations, and communications PBR explained what it needed the new custom website to look like and to do.
57. Among many other specifications, in a meeting on April 18, 2018 -- memorialized in writing at the time -- the parties "mutually agreed" pursuant to SOW [Statement of Work] ¶¶ 2(b)&(c) that the platform for the content management system would be "Drupal 8," a well-known open-source system that any future contractor would be able to work with and adapt.
58. Over the following year, PBR struggled to perform its basic obligations under the SOW, and the launch of the new website was delayed. Before and as it came online, it was riddled with errors that showed the haste and sloppiness of PBR's work.
59. In the course of assessing the problems with iX's deliverables in late 2018, PBR personnel noticed some oddities in the details of the code. Although they were focused on the functionality of the website, PBR personnel observed that there were references to the proprietary Corebine system deep in the underlying code.
60. Provided with the code only a few days before iX's proposed launch, PBR did not have the expertise or time to assess the significance of this issue, so it directly asked iX to confirm that there was compliance with the open-source obligations of the MSA and SOW.
61. On New Year's Eve, 2018, PBR personnel conducted a call with Omnigon
personnel, including its president. Omnigon's personnel gave PBR specific assurances that the observed mentions of Corebine and its elements were inconsequential to the overall site design, and a result of "code copying and pasting for efficiency."
62. iX's president specifically told PBR that these supposedly superficial Corebine references were not meaningful and did not mean the code was not open source. He said these minor references would not prevent PBR or its developers from making adjustments to the overall site.
63. Thus PBR was led to believe that the Corebine references were essentially meaningless. On that basis it was willing to move forward with attempting to salvage the deliverables and make them functional. It now understands that it was misled.
The Issue
The only basis for federal jurisdiction over what are otherwise State common-law claims is a federal criminal statute, the Computer Fraud and Abuse Act, 18 U.S. Code § 1030. Section 1030(g) creates a civil action against one who violates a section of that act. The complaint claims violations of subsections 4 and 5 of § 1030(a): (a) Whoever
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;shall be punished as provided in subsection (c) of this section.
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damages and loss.
. . . .
Each of those subsections stipulates that, to be a crime (and give rise to a federal civil action), the action must be taken "without authorization." As stated in U.S. v. Yucel, 97 F. Supp. 3d 413, 422 (S.D.N.Y. 2015), "A defendant thus causes damage without authorization when he has not been permitted by the victim to cause that damage." If the action was authorized, which means that the actor had permission to do the acts which caused the damages, then there is no federal crime and no federal jurisdiction over a private civil action such as this.
It is apparent from the complaint's presentation of the facts in this case, that iX had permission from the victim to take the actions which caused that damage. The permission may have been a mistake, it was grudging, it may have been given under misconceptions of the facts or induced by misrepresentations, or simply reflected desperation, but PBR permitted the work on the project to continue. The complaint summarizes in ¶ 21, "Only in recent days have new contractors found workarounds to enable, at great expense, a replacement of iX's design with something that will work and be administrable."
While perhaps regrettable in hindsight, one cannot say that iX proceeded without authorization.
Accordingly, the federal criminal statute does not apply, the Court lacks original federal statute jurisdiction over the case, and declines to exercise pendant jurisdiction over the remaining common-law claims. They are dismissed without prejudice.
That result is consistent with the Master Services Agreement, Exhibit A to the complaint, which provides in paragraph 23 ("Governing Law/Jurisdiction") that "This Agreement shall be construed in accordance with and governed by the laws of the state of New York applicable to contracts ...." - not by a federal criminal statute providing for up to five years imprisonment and fines for "Fraud and related activity in connection with computers" 18 U.S.C. § 1030.
Count Three of the complaint, violation of the Computer Fraud and Abuse Act ("CFAA") is dismissed for failure to state a claim upon which relief can be granted; the remainder of the complaint is dismissed without prejudice for lack of jurisdiction.
So Ordered. Dated: April 7, 2020
/s/_________
Louis L. Stanton
U.S.D.J