Summary
stating that "impairment to integrity" requires "some diminution in the completeness or usability of date or information on a computer system"
Summary of this case from United States v. ThomasOpinion
Case No. 6:11–cv–1011–Orl–36DAB.
2012-03-2
Allison Hunt, Jennifer S. Eden, Justin Luna, Orlando, FL, for Plaintiffs. David P. Lemoie, Genovese, Joblove & Battista, PA, Miami, FL, for Defendants.
Allison Hunt, Jennifer S. Eden, Justin Luna, Orlando, FL, for Plaintiffs. David P. Lemoie, Genovese, Joblove & Battista, PA, Miami, FL, for Defendants.
ORDER
CHARLENE EDWARDS HONEYWELL, District Judge.
THIS CAUSE comes before the Court upon the Report and Recommendation filed by United States Magistrate Judge David A. Baker, filed on February 14, 2012 (Doc. 63). Judge Baker recommends that the Court grant Defendant's Motion to Dismiss Plaintiffs' Second Amended Complaint (Doc. 54) for failure to state a claim. Neither party filed an objection to the Report and Recommendation, and the time to do so has expired.
Magistrate Judge Baker thoroughly analyzed Plaintiffs' claims in the Second Amended Complaint, which alleges violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”). Doc. 63, pp. 4–12. First, Judge Baker found that Plaintiffs' admission that W. Anderson had “full administrative access” to Plaintiffs' computer system (Doc. 51, ¶ 39) means that Anderson cannot be considered “without authorization” under the terms of the CFAA and thus Plaintiffs have failed to state a cause of action under any of the provisions of the Act that require unauthorized access. Doc. 63, p. 7. Second, even accepting a broad definition of the “loss” required by the CFAA, Plaintiffs' allegations do not show an adequate connection between the acts of the alleged violator (Anderson) and the actual Defendants in this suit to support a cause of action under § 1030(a)(5)(A). Id., p. 12. The Court is satisfied that the Plaintiffs have failed to state any plausible claim for relief under the CFAA against these Defendants, and will dismiss their Second Amended Complaint with prejudice. Therefore, after careful consideration of the Report and Recommendation of the Magistrate Judge in conjunction with an independent examination of the court file, the Court is of the opinion that the Magistrate Judge's Report and Recommendation should be adopted, confirmed, and approved in all respects.
ACCORDINGLY, it is hereby ORDERED and ADJUDGED as follows:
1) The Report and Recommendation of the Magistrate Judge (Doc. 63) is adopted, confirmed, and approved in all respects and is made a part of this order for all purposes, including appellate review.
2) The Defendants' Motion to Dismiss Plaintiffs' Second Amended Complaint (Doc. 54) is GRANTED for failure to state a claim upon which relief can be granted. As this was Plaintiffs' third attempt to state a claim upon which relief can be granted, the Second Amended Complaint is DISMISSED with prejudice.
3) The Clerk is directed to terminate all pending motions, enter judgment accordingly, and CLOSE this case.
Report And Recommendation
DAVID A. BAKER, United States Magistrate Judge.
TO THE UNITED STATES DISTRICT COURT
This cause came on for consideration without oral argument on the following motion filed herein:
+---------------------------------------+ ¦MOTION:¦MOTION TO DISMISS (Doc. No. 54)¦ +-------+-------------------------------¦ ¦ ¦ ¦ +-------+-------------------------------¦ ¦FILED: ¦September 30, 2011 ¦ +-------+-------------------------------¦ ¦ ¦ ¦ +-------+-------------------------------¦ ¦ ¦ ¦ +---------------------------------------+
+-----------------------------------------------------+ ¦THEREON it is RECOMMENDED that the motion be GRANTED.¦ +-----------------------------------------------------+
Background
In the initial Complaint, Plaintiffs pled a variety of state law claims against eleven defendants (Doc. No. 1). Following issuance of an Order to Show Cause why the complaint should not be dismissed for lack of a showing of diversity jurisdiction (Doc. No. 17), Plaintiff filed an Amended Complaint, which reiterated the state law claims and added two federal claims alleging violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (herein “CFAA” or “the Act”) (Doc. No. 21). Upon review, this Court issued a recommendation that the District Court decline to exercise supplemental jurisdiction over the numerous state law claims, and direct Plaintiff to file a second amended complaint asserting only the claims arising under federal law (Doc. No. 45). The District Court adopted that recommendation and granted Plaintiffs' Agreed Motion for leave to file a Second Amended Complaint (Doc. No. 50). Upon filing of the Second Amended Complaint (Doc. No. 51), Defendants filed the instant motion to dismiss. Plaintiffs responded to the motion (Doc. No. 58) and, on December 19, 2011, the District Court referred the matter to the undersigned. For the following reasons, it is respectfully recommended that the motion be granted, and the Second Amended Complaint be dismissed.
The Second Amended Complaint
As set forth more particularly below, Plaintiffs have filed a three count complaint against two Defendants—Marketcliq, Inc. and Russ Rogers—based on the alleged actions of Plaintiffs' former employee (and non-party) Walter Anderson (herein “Anderson”). Plaintiffs allege that they have an established business website—“Trademotion.com”—which builds electronic commerce web solutions for original equipment manufacturers and their franchises and authorized automobile dealerships to sell, track, advertise and manage parts (Doc. No. 51 at ¶ 23). As an important part of Plaintiffs' business, they provide Search Engine Optimization (“SEO”) services to its dealership customers, which allows dealership clients to attract higher numbers of customers through the use of internet marketing. Id. at ¶¶ 24–28. Plaintiffs also developed an application and accompanying source code for the content management and organization of an automotive parts catalog from proprietary information licensed to Plaintiffs. Id. at ¶ 29.
The Second Amended Complaint alleges that Marketcliq is a corporation formed on October 14, 2010 and Rogers “is the owner” (Doc. No. 51 at ¶ 9, 12). Plaintiffs assert that Marketcliq and Rogers violated the Act by causing Anderson, Plaintiffs' former Vice President of Internet Marketing, to delete files from Plaintiffs' computers without authorization and insert a code into Plaintiffs' online software which enabled lead emails from prospective customers to be diverted and trafficked to Marketcliq and Rogers. Id. at ¶¶ 82, 96. Plaintiffs allege they were required to expend in excess of $5,000 to track down the code issue, contact existing and prospective customers, negotiate with those customers for copies of records involving Marketcliq, Rogers and Anderson, and repair Plaintiffs' code. Id. at ¶¶ 83, 97. They seek actual and compensatory damages and injunctive relief against Defendants, under the Act (Counts I and II), and “injunctive relief under Fed.R.Civ.P. 65” (Count III).
Motion to Dismiss Standards of Law
In ruling on a motion to dismiss, a court views the complaint in the light most favorable to the plaintiff. Hunnings v. Texaco, Inc., 29 F.3d 1480, 1484 (11th Cir.1994). Although Plaintiffs contend in their brief that “dismissal is warranted ‘only if it is clear that no relief could be granted under any set of facts that could be proved consistent with the allegations,’ ” citing Swierkiewicz v. Sorema, N.A., 534 U.S. 506, 514, 122 S.Ct. 992, 152 L.Ed.2d 1 (2002), that standard has been explicitly overruled by more recent precedent. See Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 563, 127 S.Ct. 1955, 1969, 167 L.Ed.2d 929 (2007) (noting that the “no set of facts” phrase is “best forgotten as an incomplete, negative gloss on an accepted pleading standard.”) The correct standard, as summarized by the United States Supreme Court, provides:
To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to “state a claim to relief that is plausible on its face.” [Bell Atlantic Corp. v. Twombly, 550 U.S. 544] at 570, 127 S.Ct. 1955, [167 L.Ed.2d 929 (2007) ]. A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. Id., at 556, 127 S.Ct. 1955. The plausibility standard is not akin to a “probability requirement,” but it asks for more than a sheer possibility that a defendant has acted unlawfully. Ibid.
Ashcroft v. Iqbal, 556 U.S. 662, 129 S.Ct. 1937, 1949, 173 L.Ed.2d 868 (2009). This plausibility requirement “requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555, 127 S.Ct. 1955.
Analysis
Defendants contend that Plaintiffs' claims under the Act must be dismissed in that:
1) Plaintiffs have failed to sufficiently allege and cannot sufficiently allege that their computers were accessed by the Defendants “without authority” as required under the CFAA;
2) Plaintiffs have failed to sufficiently allege and cannot sufficiently allege that the CFAA violations caused any “impairment to the integrity of their computer systems” or otherwise caused any “interruption in service” as required by the CFAA; and
3) Because the Plaintiffs allege that Anderson was the only direct perpetrator of the CFAA criminal provisions, the Defendants are not “violators” as that term is defined by the statute, and are therefore not subject to civil liability. The Computer Fraud and Abuse Act
As observed by this Court in the prior Report (Doc. No. 45), the CFAA was designedto target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to “access and control high technology processes vital to our everyday lives.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130–31 (9th Cir.2009) (quoting H.R. Rep. 98–894, 1984 U.S.C.C.A.N. 3689, 3694 (July 24, 1984)). The CFAA, although primarily a criminal statute, provides a private right of action to “[a]ny person who suffers damage or loss by reason of a violation of this section” who “may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. § 1030(g).
The CFAA defines seven categories of conduct that can give rise to civil or criminal liability, and intentionally accessing a protected computer without authorization, and as a result of such conduct, causing damage and loss, gives rise to criminal liability. 18 U.S.C. § 1030(a)(5)(C). Civil liability requires an additional showing: “A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(I).” 18 U.S.C. § 1030(g). In order to establish civil liability, a plaintiff must also show that defendants additionally violated subsection (I) by causing “loss to 1 or more persons during any 1–year period ... aggregating at least $5,000 in value” (or other damages not relevant here). 18 U.S.C. § 1030(c)(4)(A)(i)(I). Damages for a violation involving conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. 18 U.S.C. § 1030(g).
Applied here, the Second Amended Complaint does not specify which of the described violations were allegedly committed by these Defendants and which of the factors listed in § 1030(c)(4)(A)(i) were involved. Construing the allegations liberally, as detailed in their response brief (Doc. No. 58), it appears Plaintiffs are asserting that Anderson accessed a protected computer without (or in excess of his) authority to do so, with resulting damage. Thus, the Court assumes that Plaintiffs are alleging that Defendants violated subsections (a)(2)(C), (a)(4) and/or (a)(5) of 18 U.S.C. § 1030, which provide in relevant part that civil liability may be imposed upon whoever:
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains
(C) information from any protected computer; -or
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud; -or
(5) (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
18 U.S.C. § 1030(a)(2), (a)(4), and (a)(5).
As observed by Defendants, all of these provisions (save for § 1030(a)(5)(A)) requires that access to the protected computer be obtained without authorization, or in excess of authorization initially granted. See18 U.S.C. § 1030(e)(6). In the applicable complaint, however, Plaintiffs allege that “W. Anderson had full administrative access to Plaintiff's proprietary back-end account management system and had full access to Plaintiffs' clients' front-end website code, in which he was able to edit and modify existing code and add new website code on behalf of Plaintiffs' clients for marketing purposes, as well as having access to Plaintiffs' confidential and highly valuable customer list ...” (Allegation 39, emphasis added). Thus, Anderson was fully authorized to access the computer and code, and, as such, his doing so cannot be “without authorization” under the Act. See LVRC Holdings LLC, supra, 581 F.3d at 1133 (“for purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations.”)
The parties appear to concede for present purposes that Plaintiffs have adequately alleged that the computers in question were “protected computers” under the Act.
It is the employer's decision to allow or to terminate an employee's authorization to access a computer that determines whether the employee is with or “ ‘without authorization.’ ”; Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 968 (D.Ariz.2008) (where employee was authorized to initially access the computer he used and view the specific files he allegedly emailed to himself, employee did not access the information at issue “without authorization” or in a manner that “exceed[ed] authorized access” and employer failed to state a claim under CFAA; “[T]he legislative history confirms that the CFAA was intended to prohibit electronic trespassing, not the subsequent use or misuse of information.”); Clarity Services, Inc. v. Barney, 698 F.Supp.2d 1309, 1315 (M.D.Fla.2010) (adopting narrower definition as stated in Shamrock); Lockheed Martin Corp. v. Speed, No. 6:05–cv–1580–ORL31, 2006 WL 2683058, at *4–5 (M.D.Fla. Aug. 1, 2006) (“Because Lockheed permitted the employees to access the company computer, they were not without authorization. Further, because Lockheed permitted the employees to access the precise information at issue, the employees did not exceed authorized access. The employees fit within the very group that Congress chose not to reach, i.e., those with access authorization.”); cf. TEKsystems, Inc. v. Modis, Inc., 2008 WL 5155720, *6 (N.D.Ill. Dec. 5, 2008) (employer stated a claim where employee downloaded client information and provided it to competitor). The great weight of authority supports a finding that Plaintiffs have not stated a cause of action under any of the provisions of the Act that require unauthorized access (§§ 1030(a)(1), (a)(2), (a)(3), (a)(4), (a)(5)(B), (a)(5)(C)). Moreover, by affirmatively alleging that Anderson had full authorization to access the protected computer and code, the complaint cannot be amended to state such a cause of action under these sections.
Indeed, in their brief, Plaintiffs do not attempt to distinguish the relevant authority and fail to cite any cases on point.
With respect to the remaining possible claim under § 1030(a)(5)(A), Defendants contend that any such claim fails as Plaintiffs have not adequately alleged that Anderson caused “damage” or “loss” as defined by the Act. As noted above, under § 1030(a)(5)(A), a violator is one who “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.”
“Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8).
The use of term “integrity” in the statute to define damage requires “some diminution in the completeness or usability of data or information on a computer system.” Resdev v. Lot Builders, No. 6:04–CV–1374ORL31DAB, 2005 WL 1924743, at *5 (M.D.Fla. Aug. 10, 2005). Likewise, the use of word “availability” suggests that a party asserting a claim under subsection 1030(a) may prove damage by showing that defendant's actions somehow made certain data or program not readily obtainable.
Cheney v. IPD Analytics, L.L.C., No. 08–23188–CIV, 2009 WL 1298405, *6 (S.D.Fla. April 16, 2009), report and recommendation adopted,2009 WL 2096236 (S.D.Fla. May 8, 2009).
In the Second Amended Complaint, Plaintiffs allege that they suffered damages arising out of the fact that Plaintiffs were required to “expend substantial funds, in excess of five thousand dollars in order to track down the code issue, contact existing and prospective customers, negotiate with those customers for copies of records involving MARKETCLIQ [and Rogers] ... and repair Plaintiffs' code.” (Second Amended Complaint ¶¶ 83, 97). There is no allegation that the computer or information on it was not useable or obtainable as required under this definition; rather, it appears that Plaintiffs allege that Anderson copied its confidential information (which did not make it unavailable to Plaintiffs) and inserted a script that diverted future leads or potential customers. An argument could be made that these allegations are sufficient to show “damage .. to a protected computer” under the Act, yet Plaintiffs fail to make it.
Plaintiffs fail to adequately address this argument in their papers, asserting that “Plaintiffs do not need to allege or prove that it also suffered damages as defined by the CFAA” as the Act “only requires that the plaintiff suffer a root loss or damage, not both.” (Doc. No. 58, n. 1). Plaintiffs are incorrect. “A careful analysis of subsection 1030(c)(4)(A)(i)(I) in conjunction with subsection 1030(a)(5)(A) yields a conclusion that in order to state a claim under subsection 1030(a)(5)(A) a party must allege both “damage” and a “loss” aggregating at least $5,000 in value.” Cheney v. IPD Analytics, L.L.C., supra, 2009 WL 1298405, *6.
“Loss” is defined in the Act as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). The parties differ as to whether or not this provision requires all losses to be incurred due to an interruption of service. The case law notes a split of authority, and the Eleventh Circuit has not decided the issue. Cases from the Southern District of Florida favor interpreting the provision to require an interruption of service. See, e.g., Cheney, supra, 2009 WL 1298405, *7 (“Plain reading of the definition of “loss” under the statute suggests that any “loss” must be related to interruption of service.”); Cohen v. Gulfstream Training Acad., Inc., No. 07–60331–CIV, 2008 WL 961472, at *4 (S.D.Fla. Apr. 9, 2008) (noting lack of precedent on this issue from the Eleventh Circuit and acknowledging split among the courts on the issue whether any “loss” alleged under the CFAA must relate to “interruption of service”); Continental Group, Inc. v. KW Property Management, LLC, 622 F.Supp.2d 1357 (S.D.Fla.2009) (Company's costs for forensic investigation of computer system after employee, who allegedly acted as agent of competitor and downloaded proprietary information from company's computer system prior to leavingcompany for new job with competitor, did not result from interruption of service, and thus company failed to meet $5,000 jurisdictional limit; costs did not constitute “loss” under plain language of CFAA provision, which required that all loss must be result of interruption of service).
On the other hand, courts in the Middle District and other districts have interpreted the provision more broadly. See, e.g. Klein & Heuchan, Inc. v. Costar Realty Information, Inc., 8:08–cv1227–T–30EAJ, 2009 WL 963130, *3 (M.D.Fla. April 8, 2009) (“While the statute is less than clear, it is clear that the losses referred to in the last phrase relate to an interruption of service. Therefore, an interruption of service is necessary if the victim is claiming a loss from revenue lost, costs incurred, or other consequential damages”); Quantlab Techs. Ltd. v. Godlevsky, 719 F.Supp.2d 766, 776 (S.D.Tex.2010) (“[T]he term ‘loss' encompasses ... two types of harm: costs to investigate and respond to a computer intrusion, and costs associated with a service interruption”); Dice Corp. v. Bold Technologies, No. 11–13578, 2012 WL 263031,*1 (E.D.Mich. Jan. 30, 2012) (the drafters intended that “loss” should embrace two types of injury). While reasonable minds can (and have) differ(ed), the Court finds “loss” as used in the provision does not relate solely to losses incurred due to an interruption of service. As such, the complaint adequately pleads loss, for purposes of this argument.
In light of all of the above, the Court finds that a cause of action under § 1030(a)(5)(A) against Anderson could well be supported on these facts. Plaintiffs, however, have not sued Anderson in this pleading. At issue is whether these allegations are sufficient to state a cause of action against these Defendants. “The Violator”
Section 1030(g) states that “any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. § 1030(g). (Emphasis supplied). As set forth above, there are no allegations that either Defendant committed any of the actions complained of here. Rather, Plaintiffs rely on 18 U.S.C. § 1030(b), which provides: “Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c)....” Subsection (c) of the Act sets forth a range of criminal penalties. Thus, Plaintiffs seek recognition of a civil action solely against Defendants who are not alleged to have committed any of the specific acts in question. Even if the Court were to construe this section as providing for a private cause of action against co-conspirators, the allegations of the operative complaint are insufficient to meet the Twombly plausibility standard.
As set forth above, the only possibly viable cause of action here is one relating to the insertion of a script to redirect leads. The allegations with respect to the actions of these Defendants, however, do not show a connection to the acts of the alleged violator (Anderson) sufficient to plead liability as a co-conspirator. While Plaintiffs conclusorily allege that “Unbeknown to Plaintiff, W. Anderson, R. Rogers, S. Anderson and MARKETCLIQ had conspired and hijacked Plaintiff's code and trade secret information to divert IAC customers and potential customers from IAC's customers' websites and IAC's websites to Defendants and W. Anderson for their personal benefit” and “W. Anderson, R. Rogers, MARKETCLIQ and S. Anderson conspired to steal and use Plaintiffs' trade secrets, including but not limited to, its Confidential Information, to help launch a competing company, MARKETCLIQ,” they allege no factual basis to support this claim, other than allegations that Anderson and Rogers spoke numerous times on the telephone and Anderson was involved in the formation of the competitor Defendant. There is no allegation that Rogers or Marketcliq, which was not in existence during some of the conduct complained of, assisted in altering the code; nor is there any allegation that Defendants knew of or were informed about Anderson's plans and encouraged or induced him to alter the script. See Flynn v. Liner Grode Stein Yankelevitz Sunshine Regenstreif & Taylor LLP, No. 3:09–cv–422–PMP–RAM, 2011 WL 2847712, *3 (D.Nev. July 15, 2011) (dismissing claim where a plaintiff alleged that defendants were recipients of hacked information and used the information knowing its illicit source, as “aiding and abetting civil liability does not exist under § 1030.”). While the term “conspires” is not defined here, its meaning in other criminal statutes implies a knowing agreement with another to commit the unlawful act. The instant complaint provides no facts sufficient to bring the claim from the possible to the plausible. As such, it should be dismissed.
There may be a vague claim that information was deleted by Anderson, but this claim is not set forth sufficiently to evaluate.
The complaint makes reference to numerous “attached” exhibits, but the pleading contains no such attachments.
Conclusion
For the reasons set forth above, the Court respectfully recommends that the motion be granted, and the Second Amended Complaint be dismissed for failure to state a claim.
Failure to file written objections to the proposed findings and recommendations contained in this report within fourteen (14) days from the date of its filing shall bar an aggrieved party from attacking the factual findings on appeal.