Opinion
CIVIL ACTION NO. 4:09-CV-4039
04-14-2015
QUANTLAB TECHNOLOGIES LTD. (BVI), et al, Plaintiffs, v. VITALIY GODLEVSKY, et al, Defendants.
MEMORANDUM & ORDER
Pending before the Court are two summary judgment motions on Plaintiffs' claims under the Computer Fraud and Abuse Act (CFAA). Defendants Andriy Kuharsky and Anna Maravina have jointly moved for partial summary judgment on some of the CFAA claims against them. (Doc. No. 548.) Quantlab has moved for summary judgment as to liability on all of the CFAA claims against Kuharsky. (Doc. No. 627.) At a hearing on March 24, 2015, the Court heard argument on these motions and invited further briefing from the parties. Having now reviewed all the submissions of the parties and the applicable law, the Court DENIES both motions.
Except where it is necessary to distinguish the two entities, the Court will use the term "Quantlab" to refer jointly to Plaintiffs Quantlab Technologies Ltd. and Quantlab Financial, LLC.
I. BACKGROUND
The facts of this complex trade secrets case have been laid out in detail in this Court's prior orders. See, e.g., Mem. & Order (Feb. 19, 2014), Dkt. No. 490 at 2-9. This order concerns only Quantlab's CFAA claims against Defendants Kuharsky and Maravina.
The CFAA claims against Andriy Kuharsky arise from his alleged unauthorized access to Quantlab's network after he was terminated from the company in 2007. After he was fired, Kuharsky allegedly obtained the network credentials of his friend and former Quantlab coworker, Andriy Andreev. Eames Decl., Doc. No. 561-2 at ¶ 3. He then used those credentials to access Quantlab's network. Id. Anna Maravina was still a current Quantlab employee when she committed the alleged intrusions that are the basis of Quantlab's CFAA claims against her. According to Quantlab, she stole copies of Quantlab files on four separate occasions in March, April, June and August 2007.
For the purposes of her motion, Maravina assumes that Quantlab can raise a fact issue as to whether these incidents constituted "unauthorized access."
Quantlab contends that, after discovering these intrusions, it used both its own personnel and external contractors to investigate the scope of Defendants' intrusions. See Eames Decl., Doc. No. 561-2; Kersh Decl., Doc. No. 561-4.
II. LEGAL STANDARD
Summary judgment is appropriate if no genuine issue of material fact exists and the moving party is entitled to judgment as a matter of law. Fed. R. Civ. P. 56(c). "The movant bears the burden of identifying those portions of the record it believes demonstrate the absence of a genuine issue of material fact." Triple Tee Golf, Inc. v. Nike, Inc., 485 F.3d 253, 261 (5th Cir. 2007) (citing Celotex Corp. v. Catrett, 477 U.S. 317, 322-25, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986)). "A fact is 'material' if its resolution in favor of one party might affect the outcome of the lawsuit under governing law." Sossamon v. Lone Star State of Texas, 560 F.3d 316, 326 (5th Cir. 2009) (quotation omitted).
If the burden of proof at trial lies with the nonmoving party, the movant may satisfy its initial burden by showing that there is an absence of evidence to support the nonmoving party's case. See Celotex, 477 U.S. at 325. When the moving party has met its Rule 56(c) burden, the nonmoving party cannot survive a summary judgment motion by resting on the allegations in its pleadings. The nonmovant must identify specific evidence in the record and articulate how that evidence supports that party's claim. Baranowski v. Hart, 486 F.3d 112, 119 (5th Cir. 2007). "This burden will not be satisfied by some metaphysical doubt as to the material facts, by conclusory allegations, by unsubstantiated assertions, or by only a scintilla of evidence." Boudreaux v. Swift Transp. Co., Inc., 402 F.3d 536, 540 (5th Cir. 2005) (internal quotation omitted). In deciding a summary judgment motion, the court draws all reasonable inferences in the light most favorable to the nonmoving party. Connors v. Graves, 538 F.3d 373, 376 (5th Cir. 2008).
III. ANALYSIS
The CFAA prohibits, inter alia, unauthorized access to a "protected computer" for the purposes of obtaining information, causing damage, or perpetrating fraud. 18 U.S.C. § 1030(a)(2), (a)(4), (a)(5). Although the CFAA is a criminal statute, subsection (g) provides a private right of action when one of five factors is present. 18 U.S.C. § 1030(g). Quantlab contends that it has incurred "loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value" with respect to intrusions by Kuharsky and Maravina. 18 U.S.C. § 1030(c)(4)(A)(i)(I).
A. CFAA Claims Against Andriy Kuharsky
1) Statute of Limitations
Kuharsky seeks to dismiss the CFAA claims against him as barred by the statute of limitations. Because the statute of limitations is an affirmative defense for which Defendants have the burden of proof, to be entitled to summary judgment on this basis, Kuharsky and Maravina must "prove that defense conclusively." Janvey v. Democratic Senatorial Campaign Comm., Inc., 712 F.3d 185, 193 (5th Cir. 2013).
A civil claim under the CFAA must be brought within two years after the computer owner discovers the unauthorized access. 18 U.S.C. § 1030(g) ("No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage."). Although the statute refers to the "discovery of the damage," this means the discovery of the unauthorized access or intrusion, not the discovery of actual damages. See 18 U.S.C. 1030(e)(8) ("the term 'damage' means any impairment to the integrity or availability of data, a program, a system, or information"). A CFAA claim accrues as soon as the plaintiff knows of the unauthorized access, even if the identity of the perpetrator is not yet known. See Higgins v. NMI Enterprises, Inc., 969 F. Supp. 2d 628, 640-41 (E.D. La. 2013).
Kuharsky argues that Quantlab discovered his access to the Quantlab computers in September 2007, when Kuharsky was deposed in a separate lawsuit in Texas state court. In that deposition, Kuharsky was asked whether any Quantlab employees had used his computer to access Quantlab's servers after Kuharsky left Quantlab. At that time, Kuharsky testified that Andreev had logged in from his computer approximately twice to ask questions about the work that Kuharsky had done for Quantlab. See Kuharsky 2007 Dep., Doc. No. 690-1 at 44:13-17; 44-46:24-7.
Kuharsky points to confusing testimony by Bruce Eames, Quantlab's CEO, as support for his position that Quantlab learned of Kuharsky's access from the 2007 deposition. In the deposition, Kuharsky's counsel asked Eames when he learned that Andreev had allowed Kuharsky to access the Quantlab network after Kuharsky's departure from the company. Eames Dep., Doc. No. 691-2 at 87:18-20. Eames testified that he learned of the access at the 2007 Kuharsky deposition. Id. But after a short break, Eames clarified his testimony, stating that "what I learned in my conversation with Andriy Andreev and/or Kuharsky's deposition in September 2007 specifically was that Andriy Andreev had accessed the Quantlab network from Andrew Kuharsky's home on Andrew Kuharsky's computer." Id. at 92:12-20. That is, Eames emphasized that he did not know in September 2007 that it was actually Kuharsky — and not Andreev at all — accessing the VPN using Andreev's credentials from Kuharsky's home. This is consistent with Kuharsky's 2007 deposition testimony. At that time, Kuharsky acknowledged that Andreev had accessed the VPN from his home, Kuharsky Dep. at 44-45:24-2, but denied that he himself accessed the network after his termination, id. at 41-42:15-10. While Eames's seemingly conflicting testimony does muddy the waters, the Court is confident that, read together with the 2007 deposition, the Eames deposition is not evidence that Quantlab knew of Kuharsky's own access to the VPN prior to January 2008.
The issue for the Court to decide, then, is whether Quantlab's learning that Andreev accessed the VPN from Kuharsky's home triggered the CFAA statute of limitations. Kuharsky urges the Court that this case is similar to Higgins, where the court found that the statute of limitations began to run as soon as the plaintiff learned of unauthorized access, even though the plaintiff did not yet know who had accessed its network. Higgins, 969 F. Supp. 2d at 640-41. Quantlab takes the position that Andreev, as a current employee, was an authorized user of the network, and thus Quantlab was not on notice of unauthorized access until it learned in early 2008 that it was actually Kuharsky using Andreev's credentials to access the network.
This turns on whether Andreev's use of the VPN from Kuharsky's home was itself "unauthorized access" under Quantlab's VPN policy. If so, then the statute of limitations began to run as of the September 2007 deposition. But if Andreev was permitted under the policy to use the VPN from Kuharsky's home, then the statute of limitations did not begin to run until Kuharsky's alleged falsehoods were uncovered in early 2008, at which time Quantlab learned that it was actually Kuharsky — not Andreev — using the VPN credentials. But the record is silent on the question of what was permitted under Quantlab's VPN usage policy. Accordingly, the Court is unable to grant summary judgment to Kuharsky on the basis of the statute of limitations. The same question of material fact also precludes a finding of summary judgment for Quantlab, as Kuharsky will not be liable for CFAA violations if he can prove at trial that the claims are time-barred.
2) CFAA "Losses" and Damages
In the alternative, Kuharsky moves for summary judgment on the basis that Quantlab cannot raise a question of material fact as to whether it has incurred qualifying CFAA losses of more than $5,000 stemming from his intrusions.
Quantlab has a private right of action under the CFAA only if it can show qualifying losses of more than $5,000 in one year. 18 U.S.C. § 1030(c)(4)(A)(i)(I). A CFAA-qualifying loss is "any reasonable cost ... including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense." 18 U.S.C. § 1030(e)(11). Qualifying losses include fees for forensic analysis of relevant computers and other electronic storage devices by outside analysts. See Frees, Inc. v. McMillian, No. 05-1979, 2007 WL 2264457, at *3 (W.D. La. Aug. 6, 2007). A plaintiff's internal investigation costs are also included. See SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975, 980 (N.D. Cal. 2008) (finding "loss" element satisfied by evidence that the plaintiff engaged in internal investigation taking "many hours of valuable time away from day-to-day activities" of its own personnel).
Quantlab has never claimed a right to sue as a result of any of the other four factors listed in 18 U.S.C. § 1030(c)(4)(A)(i).
--------
Quantlab asserts that it has met the $5,000 threshold with evidence of costs of its internal investigation and its external forensic analysis. It offers two sources of "losses" directly related to the Andreev incident: First, Quantlab directed employee James Robertson to do his own investigation of the company's VPN logs. Robertson Decl., Doc. No. 561-3 at ¶ 3. This effort took 10-12 hours, for a total cost to Quantlab of $2,500 to $3,000. Id. at ¶ 5. Second, Quantlab engaged Gray Hat Research, a network security consulting firm, to determine whether the company's network could be subject to an ongoing network breach caused by Kuharsky. Id. at ¶ 4; Eames Decl., Doc. No. 561-2 at ¶ 3. Gray Hat billed the company $13,437.50 for that network data capture analysis and VPN log analysis in January and March 2008. Gray Hat Transaction Records, Doc. No. 561-2 at 9. In addition, Quantlab contends that losses associated with Maravina's unauthorized access should also count towards the $5,000 minimum because they were a series of related intrusions. In Fiber Systems Int'l v. Roehrs, the Fifth Circuit concluded that the $5,000 requirement was met when the plaintiff spent $36,000 in response to three defendants' multiple violations of the CFAA. 470 F.3d 1150, 1155 (5th Cir. 2006). In that case, the court looked at the total amount of losses incurred, without considering whether the plaintiff had incurred at least $5,000 from each individual defendant's intrusions. This supports Quantlab's contention that it need only show $5,000 of expenses in response to all of Defendants' alleged intrusions.
Here, Quantlab has raised a question of fact as to whether it incurred $5,000 in qualifying losses from Kuharsky's intrusions alone. Kuharsky does not seriously contend that Robertson's own internal investigation is not a qualifying CFAA loss, but his work was not, on its own, valued at more than $5,000. The parties' dispute concerns whether the Gray Hat Research costs were actually related to Kuharsky's unauthorized access. Kuharsky believes that Robertson's deposition testimony proves that Gray Hat's spring 2008 work was not actually related to Kuharsky's access. However, the deposition is not the "smoking gun" that Kuharsky believes it to be. Robertson testified that Gray Hat was hired in 2008 because of concerns about "illegal connections being made to Quantlab to steal software." Robertson Dep., Doc. No. 688 at 19:10-14. Robertson also testified that he did not recall whether he was told who was suspected of making the illegal connections. Id. at 19:15-17. Later, he testified that Gray Hat was not able to reach any conclusions regarding Dr. Kuharsky. Id. at 28:8-12. None of these statements in any way undermines the sworn declaration of Bruce Eames that Quantlab hired Gray Hat in response to the Kuharsky intrusions. Eames Decl., Doc. No. 561-2 at ¶ 3. It is reasonable that Quantlab's investigation would go beyond what they already knew Kuharsky had done — access Quantlab's network via VPN — to determine whether he had caused further damage, for instance by installing an application allowing him continued unauthorized access into the network. Robertson Dep. at 21:12-17. Furthermore, the fact that the investigation did not ultimately uncover any further wrongdoing by Kuharsky does not preclude it from being a qualifying CFAA loss. Because the total cost of the Robertson and Gray Hat investigations is more than $5,000, the Court need not reach the question of whether losses related to other intrusions can be used to reach the $5,000 minimum. Kuharsky is not entitled to summary judgment on the basis that Quantlab cannot prove that it incurred $5,000 in CFAA losses in a single year.
For the foregoing reasons, the Court DENIES Kuharsky's motion for summary judgment as to the CFAA claims against him. In addition, because there remains a question of material fact as to Kuharsky's statute of limitations defense, the Court DENIES Quantlab's motion for summary judgment on liability.
B. CFAA Claims Against Anna Maravina
Maravina has also moved for summary judgment on some of the CFAA claims against her. Quantlab's CFAA claims against her include claims related to access to the Quantlab network between March and August 2007, and claims related to a December 2007 incident. This motion addresses only the March to August period.
1) Statute of Limitations
Like Kuharsky, Maravina seeks summary judgment on the basis of the statute of limitations. As discussed above, she has the burden of proving "conclusively" that the CFAA claim was brought more than two years after Quantlab discovered the unauthorized access.
It is undisputed that Quantlab did not introduce a CFAA claim against Maravina in this litigation until the filing of its Third Amended Complaint in 2014. Because the claim is based on events that took place in 2007, it would ordinarily be barred by the CFAA's two-year statute of limitations. Nonetheless, Quantlab argues that the claim relates back to allegations in the original, December 2009 complaint. Rule 15(c) of the Federal Rules allows relation back when the claim asserted in the amended pleading arises "out of the conduct, transaction, or occurrence set forth or attempted to be set forth in the original pleading." Fed. R. Civ. P. 15(c)(1)(B). The rationale for Rule 15(c) " 'is that, once litigation involving a particular transaction has been instituted, the parties should not be protected [by the statute of limitations] from later asserted claims that arose out of the same conduct set forth in the original pleadings.' " Murthy v. Abbott Labs., 847 F. Supp. 2d 958, 980 (S.D. Tex. 2012) (citing Flores v. Cameron County, Tex., 92 F.3d 258, 272 (5th Cir. 1996)).
Quantlab contends that, because its first complaint described Maravina's participation in the conspiracy to steal proprietary Quantlab information, including electronic files, the CFAA claim should relate back even though Maravina was not originally named as a defendant to the CFAA claim. The CFAA section of the complaint specifically stated that "Maravina access[ed] Quantlab's computer systems without authorization ... to steal trade secrets and confidential information that were maintained on those computer systems." Compl., Doc. No. 1 at ¶ 89. In addition, the Complaint described Maravina as a "sleeper mole" within Quantlab who was able to steal proprietary information from Quantlab for her co-Defendants. Id. at ¶ 47. Quantlab argues that the CFAA claim based on that conduct relates back to these allegations in the initial complaint.
Under the circumstances, these allegations were sufficient to put Maravina on notice that the lawsuit concerned the same conduct that now underpins the CFAA claim against her. The fact that the complaint specifically refers to December 2007 conduct does not preclude Quantlab from bringing a CFAA claim based on earlier conduct, when most of the Complaint's allegations against Maravina are not limited to a particular month in 2007. The CFAA claim against Maravina is not time-barred.
2) CFAA "Losses" and Damages
Maravina also attacks Quantlab's proof of CFAA losses. As with the claim against Kuharsky, to maintain a civil CFAA claim, Quantlab must show that it incurred at least $5,000 of "losses" flowing from the unauthorized access. The specific losses that Quantlab ties to Maravina's own acts of unauthorized access include the costs of investigative analysis of those intrusions. In addition, Quantlab argues that the more than $15,000 of costs associated with Kuharsky's intrusions should also count as losses for the CFAA claims against Maravina.
Quantlab's evidence shows that it hired Pathway Forensics to investigate four distinct incidents of unauthorized access by Maravina between March and August 2007. See Kersh Decl., Doc. No. 561-4 at ¶ 3. For each incident, Pathway investigated how certain files were accessed, copied and transferred by Maravina and third parties. Id. at ¶¶ 5-8. The total cost of investigating the four incidents was more than $31,904. Id.
Maravina objects that these costs were actually incurred for the purpose of this litigation, and thus they cannot be costs of "responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense," as is required by the statute. See 18 U.S.C. § 1030(e)(11). Pathway Forensics has also been employed by Quantlab for many litigation-related tasks, including the preparation of expert reports related to each of the Defendants' electronic devices. All of the investigative analysis described in the Kersh Declaration occurred after the filing of the lawsuit.
Numerous courts have held that the costs of hiring an expert to assist in litigation are not CFAA-qualifying losses. See Brooks v. AM Resorts, LLC, 954 F. Supp. 2d 331, 338-39 (E.D. Pa. 2013) (litigation costs such as hiring court reporters and videographers and obtaining deposition transcripts are not CFAA losses); Del Monte Fresh Produce, N.A., Inc. v. Chiquita Brands Intern. Inc., 616 F. Supp. 2d 805, 812-13 (N.D. Ill. 2009); Thurmond v. Compaq Computer Corp., 171 F. Supp. 2d 667, 682-83 (E.D. Tex. 2001). On the other hand, the costs of hiring an expert to investigate and assess the unauthorized access are recoverable. See Frees, Inc. v. McMillian, No. 05-cv-1979, 2007 WL 2264457, at *3 (W.D. La. 2007) (collecting cases).
The puzzle facing this Court is how to draw a line between investigative and litigation-related tasks, when Quantlab has hired the same expert for investigation and litigation. In Brooks, the court looked to a number of factors to determine that costs were primarily litigation-related, not investigative: 1) the delay between the intrusion and the investigation, 2) the nature of the investigation, 3) the types of work being billed, and 4) the fact that invoices were addressed to plaintiff's counsel, not to plaintiff himself. The Brooks court concluded that the plaintiff had not established more than $5,000 in CFAA losses because more than $3,000 of the total billings of $7,225 were attributable to litigation expenses such as depositions, declarations, and forwarding documents to opposing counsel.
Here, the uncontroverted testimony of Noel Kersh, a partner at Pathway Forensics, is that all litigation expenses — such as developing expert opinions, preparing affidavits, communicating with counsel and attending hearings — have been excluded from the $31,904 figure. Kersh Decl. at ¶ 4. That is only a fraction of the more than $1 million in total fees paid by Quantlab to Pathway since May 2010. Id. While there was a years-long delay between the intrusions and the investigation, the Fifth Circuit has made it clear that the CFAA loss need not be incurred within one year of the CFAA violation to be actionable. Fiber Sys. Int'l, 470 F.3d at 1159.
It is safe to say that most CFAA violations that result in civil litigation begin with an investigation. Indeed, in this case, the Pathway investigation may have contributed to Quantlab's decision to add a CFAA claim against Maravina to its 2014 Third Amended Complaint. And the statute itself makes no distinction between litigation-related and other investigatory costs. See 18 U.S.C. § 1030(e)(11). Accordingly, the Court will not conclude that the costs of investigation are not qualifying "losses" under the CFAA solely because they were incurred by an expert who also represents Quantlab in litigation. Maravina has not established that she is entitled to summary judgment on the basis of the CFAA loss requirement.
For the foregoing reasons, the Court DENIES Defendants' Motion for Partial Summary Judgment on CFAA Claim. (Doc. No. 547.) The Court also DENIES Quantlab's Motion for Partial Summary Judgment on its Computer Fraud and Abuse Act Claim Against Andriy Kuharsky. (Doc. No. 627.)
IT IS SO ORDERED.
SIGNED at Houston, Texas, on the 14th of April, 2015.
/s/_________
KEITH P. ELLISON
UNITED STATES DISTRICT JUDGE