Opinion
Civil Action 1:21-cv-00361 (RDA/TCB)
03-04-2022
MEMORANDUM OPINION AND ORDER
Rossie D. Alston, Jr. United States District Judge
This matter comes before this Court on Accu-Trade, LLC and R. Hollenshead Auto Sales & Leasing, Inc.'s (“Defendants”) Motion to Dismiss for lack of subject matter jurisdiction and failure to state a claim (“Motion”). Dkt. Nos. 13; 23. This Court has dispensed with oral argument as it would not aid in the decisional process. Fed.R.Civ.P. 78(b); Local Civil Rule 7(J). This matter has been fully briefed and is now ripe for disposition. Considering Defendants' Memorandum in Support of its Motion (Dkt. 14), Plaintiff Carfax, Inc.'s (“Plaintiff”) Opposition (Dkt. 16), Defendants' Reply (Dkt. 17), Defendants Supplemental Memorandum in Support of its Motion (Dkt. 23); Plaintiff's Supplemental Opposition (Dkt. 26), and Defendants' Supplemental Reply (Dkt. 27), this Court DENIES the Motion to Dismiss for Lack of Jurisdiction and GRANTS IN PART and DENIES IN PART the Motion to Dismiss for Failure to State a Claim for the reasons that follow.
I. BACKGROUND
A. Factual Background
This matter arises from the Complaint Plaintiff filed before this Court alleging six counts against Defendants: (1) infringing the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”); (2) infringing the Virginia Computer Crimes Act, Va. Code Ann. § 18.2 - 152.1, et seq. (“VCCA”); (3) fraud; (4) unjust enrichment; (5) conversion; and (6) trespass to chattels. Plaintiff seeks equitable relief and damages, as well as punitive damages.
Plaintiff is a data company, incorporated under the laws of Pennsylvania and headquartered with its principal place of business in Centreville, Virginia. Defendant Accu-Trade, LLC (“Accu-Trade”), which is a valuation platform for auto dealers in calculating offers for potential trade-in vehicles, is part of Defendant R. Hollenshead Auto Sales & Leasing, Inc. (“Hollenshead”), which characterizes itself as a major automobile wholesaler in North America. Accu-Trade is organized under the laws of Delaware, with its principal place of business in Pennsylvania, while Hollenshead is incorporated under the laws of Florida, with its principal place of business in Pennsylvania.
Plaintiff manages vehicle history information for participants in the used car and light truck markets. As part of its information sharing technology, Plaintiff owns the QuickVIN® tool (“QV”) to allow its users to search Vehicle Identification Numbers (“VINs”) in Plaintiff's database and the associated vehicle's year, make, and model by simply searching a license plate state and number. As a result, the QV tool allows its users to efficiently identify VINs in connection with used car transactions at less cost.
The declaration of Donald Elliott, Director of Data Acquisition for Plaintiff, maintains that on August 5, 2016, Bob Hollenshead, founder and Manager of Accu-Trade and President of Hollenshead, and Jeff Zamora of Accu-Trade, visited Plaintiff's offices in Centreville, Virginia “to discuss a potential data sharing agreement between the parties.” Dkt. 16-1 ¶ 5. During that visit, Mr. Elliott submits that the parties “discussed the data that Accu-Trade and Hollenshead might be able to provide to [Plaintiff] in exchange for access to various [] tools [from Plaintiff] that might be of interest to Accu-Trade and Hollenshead, including the [QV] tool.” Id. The QV tool had the potential to allow Accu-Trade's users, such as dealers, to assess valuations of vehicles using license plate numbers rather than the VIN, “saving them time, money, and reducing data entry errors associated with entering a 17-character VIN.” Dkt. 1 ¶ 6. Nearly two years later, Plaintiff and Accu-Trade discussed a potential agreement whereby Plaintiff would provide Accu-Trade with access to the QV tool and its associated data in exchange for Accu-Trade's vehicle data. In May of 2018, Plaintiff provided Accu-Trade with access to a “QV test account for the limited purpose of testing the QV tool to ensure it could be integrated into [Accu-Trade's] valuation platform.” Id. ¶ 22. Later that month, Accu-Trade provided a “test set of data” to Plaintiff containing 561 records “for the limited purpose of allowing [Plaintiff] to test the usefulness of the data” for its systems. Id. ¶ 23.
The declaration of James Sibel, the Chief Financial Officer of Accu-Trade, submits that Accu-Trade “never visited to negotiate the QV tool contract” and that Accu-Trade and Plaintiff only communicated via email and telephone. Dkt. 14-1 ¶ 12. However, as required by the Fourth Circuit, the Court construes this fact in favor of the plaintiff for purposes of evaluating the Motion.
Mr. Elliott, on behalf of Plaintiff, communicated frequently with Mr. Zamora and Mr. Hollenshead as part of the negotiations between the parties. Dkt. 16-1 ¶ 8. After several months of the test run and negotiations, Plaintiff sent a “standard, unexecuted Data Transfer and License Agreement” subject to “the laws of the Commonwealth of Virginia, ” to Accu-Trade in the event the parties arrived at an agreement. Dkt. 1 ¶ 24; Dkt. 16-1 ¶ 10. Approximately three months later, on November 3, 2018, Mr. Zamora of Accu-Trade informed Plaintiff that Accu-Trade “would not be using the QV tool and no longer wished to enter into an agreement with [Plaintiff] to provide data to [Plaintiff] in exchange for access to and use of the QV tool.” Dkt. 1 ¶ 25. “Despite these representations, [Plaintiff] subsequently learned that Accu-Trade (and possibly Hollenshead or other entities) continued to access and use [QV] and its associated data without authorization.” Dkt. 16-1 ¶ 13. When Plaintiff confronted Accu-Trade's Chief Financial Officer about the alleged fraud, he “immediately signed and returned to [Plaintiff]” the contract Plaintiff had initially sent to Accu-Trade, which Plaintiff never executed previously or thereafter. Dkt. 1 ¶ 28. On March 24, 2019, Mr. Zamora confirmed to Plaintiff that Accu-Trade had been continuing to access and use the QV tool while also reselling the tool and its associated data to at least one third party, “who then allowed access to approximately 100 of its own customers.” Id. ¶ 29. In total, Plaintiff alleges that Accu-Trade “engaged in or facilitated the unauthorized access and use of the QV tool and its associated data approximately 112, 534 times.” Id. ¶ 27; Dkt. 16-1 ¶ 13.
Plaintiff's claims turn on the allegation that Defendants knowingly and intentionally accessed Plaintiff's computer systems and server without authorization or in excess of any authorization during the time of the test run of the QV tool integration-between May of 2018 and November 3, 2018-and continued to use the QV tool even after notifying Plaintiff they would not use the QV tool and no longer wished to continue negotiations.
B. Procedural Background
On March 24, 2021, Plaintiff filed the instant Complaint against Defendants. Dkt. 1. On April 8, 2021, Defendants filed a motion to extend the time to file an answer to the Complaint to May 14, 2021, which the Court granted the same day. Dkt. Nos. 7; 10. On May 14, 2021, Defendants filed the Rule 12(b)(2) Motion to Dismiss for lack of personal jurisdiction as to both Defendants as well as an accompanying supporting memorandum. Dkt. Nos. 13; 14. On May 28, 2021, Plaintiff filed its Opposition to the Motion and Defendants filed their Reply on June 3, 2021. Dkt. Nos. 16; 17. On July 8, 2021, Defendants filed a motion for leave to file a supplemental memorandum in support of the Motion to Dismiss after the United States Supreme Court issued its decision in Van Buren v. United States, 141 S.Ct. 1648 (2021) on June 3, 2021. And the Court granted that motion after the parties submitted separate briefs on the matter. See Dkt. Nos. 20-22. On July 28, 2021, Defendants filed a supplemental brief in support of the Motion, seeking to dismiss two counts of the Complaint in light of the Van Buren decision for failure to state a claim under Rule 12(b)(6). Dkt. 23. The Court then approved the parties' briefing schedule on August 23, 2021. Plaintiff timely filed its Opposition on September 15, 2021 and Defendants filed their Reply on September 30, 2021. Dkt. Nos. 25-27.
II. STANDARD OF REVIEW
A. Rule 12(b)(2) Standard
Federal Rule of Civil Procedure 12(b)(2) provides that a court may dismiss a case for lack of personal jurisdiction. Fed.R.Civ.P. 12(b)(2). When resolving a Rule 12(b)(2) motion, a court undertakes a two-step analysis. First, a court looks to whether personal jurisdiction is authorized by state law. Mitrano v. Hawes, 377 F.3d 402, 406 (4th Cir. 2004). Second, a court must find that the exercise of personal jurisdiction comports with the constitutional requirements of due process. Id. Virginia's long-arm statute extends personal jurisdiction to the constitutionally permissible limits of the Due Process Clause of the Fourteenth Amendment. ePlus Tech., Inc. v. Aboud, 313 F.3d 166, 176 (4th Cir. 2002). Accordingly, “[b]ecause Virginia's long-arm statute is intended to extend personal jurisdiction to the extent permissible under the due process clause, the statutory inquiry merges with the constitutional inquiry.” Consulting Eng'rs Corp. v. Geometric Ltd., 561 F.3d 273, 277 (4th Cir. 2009). At that point, as to each defendant, a court must find sufficient “minimum contacts [with the state] . . . such that the maintenance of the suit does not offend traditional notions of fair play and substantial justice.” Int'l Shoe Co. v. Washington, 326 U.S. 310, 316 (1945); see also Walden v. Fiore, 571 U.S. 277, 286 (2014) (“The requirements of International Shoe, however, must be met as to each defendant over whom a state court exercises jurisdiction.”). That inquiry involves exploring whether general or specific personal jurisdiction exists over any nonresident defendant. See Helicopteros Nacionales de Colombia, S.A. v. Hall, 466 U.S. 408, 414-16 (1984). “If the defendant's contacts with the [s]tate are also the basis for the suit, those contacts may establish specific jurisdiction.” ALS Scan, Inc. v. Digital Serv. Consultants, Inc., 293 F.3d 707, 712 (4th Cir. 2002). But “if the defendant's contacts with the [s]tate are not also the basis for suit, then jurisdiction over the defendant must arise from the defendant's general, more persistent, but unrelated contacts with the [s]tate.” Id.
In making a personal jurisdiction determination, a district court “must accept as true the uncontroverted factual allegations in the plaintiff's complaint.” Companion Prop. & Cas. Ins. Co. v. Palermo, 723 F.3d 557, 559 (5th Cir. 2013). When a court does not conduct an evidentiary hearing on personal jurisdiction, a case may be dismissed for lack of personal jurisdiction if the plaintiff has failed to make a prima facie showing. See Grayson v. Anderson, 816 F.3d 262, 268 (4th Cir. 2016). If such a showing is made, the defendant must “present a compelling case that the presence of some other considerations would render jurisdiction [so] unreasonable, ” Burger King Corp. v. Rudzewicz, 471 U.S. 462, 477 (1985) as to “offend traditional notions of fair play and substantial justice, ” Int'l Shoe, 326 U.S. at 316. In evaluating the parties' requisite burdens, a court may rely on “motion papers, supporting legal memoranda, [] the allegations in the complaint, ” Consulting Eng'rs, 561 F.3d at 276, and “the contents of affidavits and any other relevant matter submitted by the parties to assist it in determining the jurisdictional facts, ” 5B Alan Wright & Arthur Miller, Fed. P. & Proc. § 1351, at 305 (3d ed. 2004).
B. Rule 12(b)(6) Standard
Additionally, in order to survive a motion to dismiss brought under Federal Rule of Civil Procedure 12(b)(6), a complaint must set forth “a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible “when the plaintiff pleaded factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 556). When reviewing a motion brought under Rule 12(b)(6), the Court “must accept as true all of the factual allegations contained in the complaint, ” drawing “all reasonable inferences” in the plaintiff's favor. E.I. du Pont de Nemours & Co. v. Kolon Indus., Inc., 637 F.3d 435, 440 (4th Cir. 2011) (citations omitted). “[T]he court ‘need not accept the [plaintiff's] legal conclusions drawn from the facts,' nor need it ‘accept as true unwarranted inferences, unreasonable conclusions, or arguments.'” Wahi v. Charleston Area Med. Ctr., Inc., 562 F.3d 599, 616 n.26 (4th Cir. 2009) (quoting Kloth v. Microsoft Corp., 444 F.3d 312, 319 (4th Cir. 2006)). Additionally, “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Iqbal, 556 U.S. at 678 . Generally, courts may not look beyond the four corners of the complaint in evaluating a Rule 12(b)(6) motion. See Goldfarb v. Mayor & City Council of Baltimore, 791 F.3d 500, 508 (4th Cir. 2015).
III. ANALYSIS
The Court first assesses the personal jurisdiction issue and holds that exercising specific jurisdiction over each of the Defendants is proper. The Court then evaluates the sufficiency of the Complaint solely as to Counts I and II and holds that Plaintiff has, as a matter of law, sufficiently pleaded facts to state a plausible claim as to Count II, but not as to Count I.
A. Personal Jurisdiction
Plaintiff argues that this Court has specific personal jurisdiction over Defendants because the cause of action arises from tortious conduct occurring in Virginia. However, Defendants argue first that Plaintiff has not sufficiently alleged specific jurisdiction over Hollenshead “because it makes no factual allegations regarding Hollenshead, let alone allegations of contacts with Virginia connected with this dispute.” Dkt. 14 at 1. Defendants also argue that exercising specific jurisdiction over them would not comport with the Due Process Clause of the Fourteenth Amendment because they have not purposefully availed themselves of the privilege of conducting activities within Virginia; that the cause of action more likely arose outside the forum; and that exercising personal jurisdiction over Defendants would be unreasonable.
Plaintiff does not argue that this Court has general jurisdiction over Defendants as Defendants' contacts with Virginia are not “so constant and pervasive as to render [them] essentially at home” in Virginia. Daimler AG v. Bauman, 571 U.S. 117, 122 (2014) (internal quotation and citation omitted). This Court solely assesses whether Defendants have subjected themselves to specific jurisdiction.
1. Virginia's Long-Arm Statute
Courts resolve a challenge to personal jurisdiction involving non-resident defendants by engaging in a two-step inquiry: (1) “ascertaining whether the forum state's long-arm statute authorizes personal jurisdiction” and if so (2) “determining whether the reach of the statute” “comports with the Due Process Clause of the Fourteenth Amendment of the United States Constitution.” Aitken v. Comms. Workers of Am., 496 F.Supp.2d 653, 658-59 (E.D. Va. 2007); Verizon Online Servs., Inc. v. Ralsky, 203 F.Supp.2d 601, 609 (E.D. Va. 2003); see also Christian Sci. Bd. of Directors of First Church of Christ, Sci. v. Nolan, 259 F.3d 209, 215 (4th Cir. 2001).
Pursuant to Virginia law, “a court may exercise personal jurisdiction under Virginia's long-arm statute ‘over a [party], who acts directly or by an agent, as to a cause of action arising from . . . causing tortious injury by an act or omission in this Commonwealth.'” Verizon, 203 F.Supp.2d at 610 (quoting Va. Code Ann. § 8.01-328.1(A)(3)). Virginia's long-arm statute further provides that personal jurisdiction over a party is proper if that party (a) transacts in any business in Virginia, (b) causes tortious injury by “an act or omission in Virginia, ” or (c) causes tortious injury in Virginia by “an act or omission outside Virginia” when that party regularly conducts businesses or “derives substantial revenue” in connection with business it provides to Virginia. Va. Code Ann. § 8.01-328.1. Virginia's long-arm statute defines an “act . . . in this Commonwealth” to include “using a computer or computer network located in the Commonwealth.” Va. Code Ann. § 8.01-328.1(B). Here, Plaintiffs Complaint alleges that Accu-Trade obtained information from Plaintiffs “protected computer systems and server through the QV tool without authorization or in excess of authorization.” Dkt. 1 ¶¶ 39-40. Further, Plaintiff maintains that the affected server which hosts the QV tool data is physically located in Virginia and constitutes “property” within the meaning of Virginia Code § 18.2-152.2. Id. ¶ 45. As such, according to Plaintiff, Accu-Trade's alleged use of that server places it within the reaches of Virginia's long-arm statute.
Because Plaintiff alleges that Hollenshead provided its consent to Accu-Trade to engage in the alleged wrongful conduct in the Complaint, and is thus allegedly complicit in the conduct, the Virginia long-arm statute's reach also encompasses Hollenshead. Additionally, Accu-Trade's CFO, who also used a Hollenshead email address, signed the proposed agreement “which contemplated that Accu-Trade and Hollenshead would send Hollenshead data to Carfax in Virginia.” Dkt. 16-1 ¶¶ 11, 14. Lastly, construing the facts pleaded by Plaintiff in the light most favorable to Plaintiff, the founder of Hollenshead himself, met with Plaintiff's representatives in Virginia to kickstart talks between Plaintiff and Defendants regarding potential business synergies, including the QV tool that is the basis of this Complaint. Dkt. 16-1 ¶ 5. That the parties did not accelerate their negotiations until nearly two years later does not ipso facto make their initial interactions irrelevant for purposes of this Court's jurisdictional analysis. Ultimately, Plaintiff's pleadings paint a clear picture that Accu-Trade and Hollenshead worked in concert during their business dealings with Plaintiff. Together, these facts amount to a sufficient jurisdictional basis for exercising personal jurisdiction over Hollenshead pursuant to Virginia's long-arm statute.
This Court does not address Defendants' discussion of whether Hollenshead is an alter ego of Accu-Trade. The facts of the case make clear that Hollenshead provided value separate and apart from Accu-Trade in a potential agreement with Plaintiff. That engagement by Hollenshead in negotiations with Plaintiff regarding the QV tool, including affirmatively consenting to Accu-Trade's allegedly improper use of the QV tool, provides sufficient grounds for this Court to exercise personal jurisdiction over Hollenshead pursuant to the Virginia long-arm statute. The facts alleged by Plaintiff provide a plausible basis to believe that Accu-Trade needed Hollenshead's consent by virtue of Hollenshead's prior involvement in the negotiations and the fact that Accu-Trade is a subsidiary of Hollenshead. That allegation is not conclusory.
2. Due Process
Pivoting to the second step of the personal jurisdiction inquiry, the courts find that sufficient minimum contacts exist with the forum state if a federal court may exercise general or specific personal jurisdiction over the nonresident defendants. Helicopteros, 466 U.S. at 414-16. It is well-settled within the Fourth Circuit that courts apply a three-pronged test to evaluate whether specific personal jurisdiction is proper: (1) “did the defendants ‘purposefully avail' themselves of the privileges of conducting activities in the forum”; (2) “does the claim arise out of these activities”; and (3) “is the exercise of jurisdiction reasonable?” Aitken, 496 F.Supp.2d at 659 (citing Christian Science, 259 F.3d at 216); see also Verizon, 203 F.Supp.2d at 611.
i. Purposeful Availment
Jurisdictional cases involving the Internet involve two strands of potential purposeful availment analysis. The first adopts a “sliding-scale test” enunciated in Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F.Supp. 1119, 1124 (W.D. Pa. 1997), which is meant to assess the active versus passive nature of a defendant's access on a particular website. That heuristic tool allows courts to link the propriety of personal jurisdiction over a defendant with the “nature and qualify of commercial activity that [the defendant] conducts over the Internet.” Atlantech Distribution, Inc. v. Credit Gen. Ins. Co., 30 F.Supp.2d 534, 536-37 (D. Md. 1998) (citing Zippo Mfg., 952 F.Supp. at 1124). The second framework, termed the “effects test, ” is born of the United States Supreme Court's decision in Calder v. Jones, 465 U.S. 783 (1984). Courts in this Circuit have traditionally applied the “effects test” in tort cases involving internet activity. A plaintiff makes the requisite showing of the tort's sufficient effect in the forum to establish jurisdiction if: “(1) the defendant committed an intentional tort; (2) the plaintiff felt the brunt of the harm in the forum, such that the forum can be said to be the focal point of the harm; and (3) the defendant expressly aimed [the] tortious conduct at the forum, such that the forum can be said to be the focal point of the tortious activity.” Carefirst, 334 F.3d at 398 n.7; StratusLive, 2020 WL 6305875, at *3; Verizon, 203 F.Supp.2d at 614. Whether the defendant “expressly aimed” the tortious conduct at the forum depends on whether the defendant “knew or reasonably should have known” such conduct would occur in the forum. Aitken, 496 F.Supp.2d at 660; see also StratusLive, 2020 WL 6305875, at *4 (noting that courts do not require a defendant has actual knowledge of a server's location in order to be “construed as aiming its conduct at a specific forum”). The Supreme Court further refined the “effects test” in Walden to require that the necessary “minimum contacts” to establish jurisdiction over a non-resident defendant turns on the defendant's “contacts with the forum state itself, not . . . with the persons who reside there.” 571 U.S. at 285. Those contacts must also convey a rhyme and reason such that the “defendant's conduct connects [it] to the forum in a meaningful way” rather than be “random, fortuitous, or attenuated.” Id. at 285, 290.
Plaintiff argues that Defendants purposefully availed themselves of the laws of Virginia because they “were aware at the time of the [alleged] scheme that [Plaintiff] was located in Virginia and would feel the effects of their tortious conduct in Virginia” as a result of their alleged improper use of Plaintiff's QV tool and its associated data. Dkt. 1 ¶ 31; 33; see also Dkt. 16 at 14. Moreover, Plaintiff maintains, it was reasonable for Defendants to expect that their use of the QV tool involved making contacts with Plaintiff's servers in Virginia. Dkt. 16 at 13-14. From Plaintiff's vantage point, specific personal jurisdiction derives from the alleged tortious conduct of Defendants that “create[d] a substantial connection with the forum state.” Id. at 7 (citing Burger King, 471 U.S. at 475). In support of its position, Plaintiff cites this Court's reasoning in Verizon and Aitken to demonstrate that the presence of a server in the forum which constitutes the location of the tort is a sufficient minimum contact to exercise personal jurisdiction over a nonresident defendant.
Defendants contend that the only way this Court can arrive at exercising personal jurisdiction is by finding that Defendants “transacted business” in the forum. On that basis, Defendants submit that they never consummated the proposed contract, despite having executed it, and that Plaintiff initiated the discussions surrounding the contract. Defendants also note that the Fourth Circuit has described non-resident defendant contact with a web server within the forum as “de minimis” for purposes of establishing personal jurisdiction. Dkt. 14 at 14 (citing Carefirst of Md., Inc. v. Carefirst Pregnancy Ctrs., Inc., 334 F.3d 390, 402 (4th Cir. 2003)). Relying also on the recent decision in StratusLive, LLC v. Wimr Grp., LLC, No. 2:19-cv-623, 2020 WL 6305875, at *4 (E.D. Va. Oct. 14, 2020), Defendants highlight that Plaintiff did not allege Accu-Trade “knew” Plaintiff's servers managing the online traffic for the QV tool were located in Virginia. Id. Without that allegation, Defendants maintain that this Court has no specific personal jurisdiction over Defendants. Lastly, Defendants argue that Verizon and Aitken are inapposite because those cases involved actual damage to servers as a result of clogging server bandwidth with spam and that Verizon and Aitken both predated the United States Supreme Court decision in Walden, which emphasized that personal jurisdiction over a defendant requires that the “suit-related conduct . . . create a substantial connection with the forum state.” Dkt. 17 at 7-10 (citing Walden, 571 U.S. at 284).
Here, Defendants, are alleged to have acted in concert by virtue of their prior dealings together with Plaintiff and their organizational relationship, allegedly committed an intentional tort against Plaintiff by misappropriating the QV tool for pecuniary gain. According to Plaintiff's allegations, Accu-Trade “purposefully and deliberately, ” Verizon, 203 F.Supp.2d at 612, committed the intentional tort 112, 534 times with the consent of Hollenshead. Dkt. 1 ¶ 27; Dkt. 16-1 ¶ 13.
Second, Plaintiff argues that the brunt of that tortious conduct was felt by Plaintiff in Virginia, where both the QV tool server and Plaintiff's principal place of business were physically located.
After having met with Plaintiff's representatives in Virginia at Plaintiff's headquarters to explore potential business synergies between the parties, Defendants “knew or should have known” that Plaintiff “would likely suffer harm” in Virginia by committing the alleged tort. Verizon, 203 F.Supp.2d at 614. Additionally, Plaintiff's principal place of business, and the fact that it maintained its nerve center of operations in Virginia, are indicia of reliability to demonstrate that Defendants, at minimum, “should have known” their tortious conduct would cause harm to a plaintiff in the forum. Id. (citing Panavision Int'l, L.P. v. Toeppen, 141 F.3d 1316, 1321 (9th Cir. 1998)); see also Walden, 571 U.S. at 285 (“And although physical presence in the forum is not a prerequisite to jurisdiction, physical entry into the State-either by the defendant in person or through an agent . . .-is certainly a relevant contact.”) (internal citation omitted). Notably, when Defendants' representative unilaterally executed the proposed contract containing a Virginia choice-of-law provision, Defendants affirmed their comfort with the proposed contract's Virginia choice-of-law provision which would call them into the forum with respect to litigation arising from Plaintiff's QV tool. Dkt. 1 ¶ 28; Dkt. 16-1 ¶ 10; see also CompuServe v. Patterson, 89 F.3d 1257, 1262-63 (6th Cir. 1996) (finding that the defendant had purposefully availed himself of the forum state by entering into a contract governed by the law of the forum regarding the advertising and distribution of the plaintiff's software). At each stage of communication between the parties, Plaintiff headlined Virginia within the negotiations as “the focal point both of the story and of the harm suffered.” Calder, 465 U.S. at 789. Therefore, Defendants' “conduct and connection with [Virginia] are such that [they] should reasonably anticipate being haled into court there.” Verizon, 203 F.Supp.2d at 612.
Third, the location of the server used to commit the alleged tort is also probative of whether Defendants have purposefully availed themselves of personal jurisdiction because it speaks to Defendants directing their conduct at the forum. To be sure, the injury does not mirror the injury in a spammer case; but the reasoning in Verizon and Aitken remain instructive to this Court. While Defendants attempt to weaken the significance of this Court's prior decisions in Verizon and Aitken involving spam-related injuries on servers, this Court notes that these cases prove relevant not because of an alleged injury to a server but because the tort itself occurred by way of a server. See Aitken, 496 F.Supp.2d at 659-60 (“Those who commit torts via computer and the Internet know, or reasonably should know, that servers are either targets of their conduct or the means by which their tortious conduct is given effect.”) (emphasis added). Unlike the defendant in StratusLive, Defendants here had reason to know that the QV tool server would be located in Virginia, where Plaintiff was headquartered. StratusLive, 2020 WL 6305875, at *4 (“Here, [the defendant] did not know and had no reason to know the servers were in Virginia, demonstrating that he did not aim his conduct at Virginia.”); see also Fireclean LLC v. Tuohy, No. 1:16-cv-294, 2016 WL 4414845, at *7 (E.D. Va. Jun. 14, 2016) (“Plaintiff has no basis for believing the servers hosting Defendants' blog posts are located in Virginia, as opposed to California, Amsterdam, or elsewhere.”). That Defendants “did not know the precise location of [the] server is of no constitutional moment.” Aitken, 496 F.Supp.2d at 660.
Spammer cases are especially helpful in this Court's analysis because they involve making contact with servers. The “nature and quality” of those contacts determine a court's jurisdictional analysis. Verizon, 203 F.Supp.2d at 616.
Defendants argue that the Fourth Circuit considers the location of the server as “de minimis” in analyzing the “minimum contacts” of a case. However, Defendants mischaracterize the Fourth Circuit's opinion in Carefirst. For one, the “de minimis” language is at best dicta. As the Fourth Circuit identified in United States v. Batato, 833 F.3d 413, 424-25 (4th Cir. 2016), the “de minimis” language is “an unfortunate paraphrasing in our Carefirst opinion of a discussion contained in a footnote of [Christian Science] . . . [and] does not purport to state a rule of general application, nor could it given that the reference is contained in dicta.” Instead, while the Fourth Circuit has not addressed purposeful availment within the context of a “single server that happened to reside in the forum state, ” it has found purposeful availment where a collection of servers are “the central conduit by which the conspiracy was conducted.” Batato, 833 F.3d at 425. Here, without having accessed the QV tool server in Virginia, Defendants would not have been able to carry out the alleged misuse of Plaintiff's proprietary platform and data.
While the “effects test” places a burden on Plaintiff to demonstrate Defendants at least should have known the alleged tort would be felt in the forum when accessing the QV tool, courts are also sensitive to applying the test in such a way that does not create perverse incentives. For instance, this Court has repeatedly recognized that “simply pleading ignorance of where the[] servers were physically located” cannot empower a nonresident defendant to avoid personal jurisdiction and thus “constitute a manifest injustice to [the plaintiff] and Virginia.” Aitken, 496 F.Supp.2d at 660; Verizon, 203 F.Supp.2d at 620. Rather, courts look to the nature of the interaction by a nonresident defendant with the server. Verizon, 203 F.Supp.2d at 615 (discussing, in the context of e-mails, “the active as opposed to passive nature” of the internet communication as “weigh[ing] in favor of finding personal jurisdiction in the forum where the [electronic communication] was received”). When the defendant engages in the alleged tort for pecuniary gain, courts are especially exacting in their analysis. See Id. at 616 (“One of the key factors courts have focused on in finding purposeful availment of a forum state concerning conduct over the Internet is whether the activity was driven by pecuniary gain rather than personal purposes.”); Internet Doorway, Inc. v. Parks, 138 F.Supp.2d 773, 779-80 (S.D.Miss. 2000) (“By sending an e-mail solicitation to the far reaches of the earth for pecuniary gain, one does so at her own peril, and cannot then claim that it is not reasonably foreseeable that she will be haled into court in a distant jurisdiction to answer for the ramifications of that solicitation.”); Zippo Mfg., 952 F.Supp. at 1124 (noting the commercial nature of the exchange of data between the parties as a possible basis for exercising personal jurisdiction).
Here, in each of the alleged 112, 534 instances in which Plaintiff alleges Accu-Trade improperly accessed the QV tool, Accu-Trade actively retrieved Plaintiff's proprietary data by knocking and then opening the door of the server in an entirely non-“random, fortuitous, or attenuated” manner. Simply put, Accu-Trade's conduct “was not a ‘one-shot affair.'” Verizon, 203 F.Supp.2d at 617 (quoting CompuServe, 89 F.3d at 1265). Unlike in the case of spamming, where this Court has still found grounds to exercise personal jurisdiction in Verizon and Aitken, Plaintiff has alleged that Accu-Trade targeted the QV tool portal repeatedly to draw information from Plaintiff's server into Accu-Trade's platform rather than simply transmit information to the server. See, e.g., Amberson Holdings LLC v. Westside Story Newspaper, 110 F.Supp.2d 332, 336 (D.N.J. 2000) (refusing to find personal jurisdiction over a defendant involving an inter-computer transfer of information akin to “forwarding calls to a desired phone number through a switchboard.”). Moreover, Defendants' alleged misappropriation of the QV tool and the associated data by marketing it under their own platform and selling it to at least one third-party foreclosed Plaintiff from making additional transactions with other customers. Dkt. 1 ¶¶ 69, 74. This alleged harm to Plaintiff's business further accentuates the importance of preventing parties from improperly utilizing another party's server for pecuniary gain with impunity. Verizon, 203 F.Supp.2d at 620. In this case, Defendants are alleged to have “know[n] full well that their conduct harmed . . . [Plaintiff's] business.” Id.; see also Dkt. 1 ¶¶ 52, 61, 69.
Defendants highlight that Verizon and Aitken dealt with spammer cases where the harm was overloading the server and clogging the servers ability to function properly. However, this Court finds Defendants' argument unavailing considering that the injury in this matter is not to the server itself but rather to Plaintiff's business as a result of Defendants having repeatedly penetrated their server within the forum. The server in the forum acted as a conduit and not the target of the alleged injury.
Lastly, while Defendants argue that Walden recharacterizes the “effects test” so as to nullify this Court's reasoning in Verizon and Aitken, the Supreme Court made absolutely clear that its decision did not address “the very different questions whether and how a defendant's virtual ‘presence' and conduct translate into ‘contacts' with a particular state.” 571 U.S. at 290 n.9 (emphasis added). Thus, the emphasis on connection to the forum and not the plaintiff in Walden proves uninstructive for purposes of the jurisdictional question before this Court.
ii. Cause of Action's Relationship to Defendants' Activities in Virginia
As to the second step in establishing specific personal jurisdiction, a nonresident defendant's relationship to the forum “must arise out of contacts that ‘the defendant himself' creates with the forum.” Walden, 571 U.S. at 284 (quoting Burger King, 471 U.S. at 475). The “minimum contacts” analysis is defendant-centric in that “however significant the plaintiff's contacts with the forum may be, those contacts cannot be ‘decisive in determining whether the defendant's due process rights are violated.'” Id. at 285 (quoting Rush v. Savchuk, 444 U.S. 320, 332 (1980)). “If a defendant's contacts with the forum state are related to the operative facts of the controversy, then an action will be deemed to have arisen from those contacts.” Verizon, 203 F.Supp.2d at 620 (quoting CompuServe, 89 F.3d at 1267).
Plaintiff contends that, as in Verizon, “the connection to Virginia is the claim itself.” Dkt. 16 at 15 (quoting Verizon, 203 F.Supp.2d at 620). Plaintiff also disputes Defendants' claim that the Complaint did not allege that Accu-Trade acted with sufficient knowledge.
Defendants counter that the mere allegation of intentional harm against Plaintiff is insufficient because that would “impermissibly allow[] [P]laintiff's contacts with the defendant and forum to drive the jurisdictional analysis.” Dkt. 14 at 15 (citing Walden, 571 U.S. at 289). Furthermore, Defendants argue that they never entered into an enforceable contract with Plaintiff and that their contact with the forum solely related to those negotiations. Because Plaintiff did not allege that Accu-Trade “knowingly accessed Virginia-based web servers, ” Defendants maintain that the cause of action bears no significant relationship to Defendants' activities in Virginia. Id.
Here, for the same reasons described above, Defendants' alleged repeated and deliberate access of Plaintiff's QV tool server 112, 534 times in Virginia constituted much of the tortious conduct alleged by Plaintiff. But for Defendants' alleged improper access of Plaintiff's server, Plaintiff would not have suffered the alleged harm. See Panavision, 141 F.3d at 1321; Verizon, 203 F.Supp.2d at 621. As in Verizon and Aitken, Defendants had every reason to know that their access of the QV tool directly impacted Plaintiff's principal business in Virginia. And unlike in Verizon and Aitken, Defendants actively and intentionally drew from the proprietary data well that was Plaintiff's server physically located in Virginia to effect the tortious injury on Plaintiff. While Walden prohibits a court from resting personal jurisdiction predominantly on a plaintiff's contacts with the forum, the facts of this case do not trip the Walden wire. Defendants' actions in the forum drive the jurisdictional analysis and therefore, the second requirement of personal specific jurisdiction is satisfied.
To be clear, Plaintiff alleges that harm to have been the fact that:
Defendants wrongfully exercised dominion or control over the QV tool and its data by not only continuing to use it, but by reselling the QV tool and its associated data to at least one third party without Carfax's knowledge or consent, resulting in illicitly gained revenue and profits to Defendants . . . particularly insofar as it was sold to third parties without Carfax's knowledge or consent, and deprived Carfax of the ability to sell the tool and its associated data to those third parties itself.Dkt. 1 ¶¶ 67, 74.
Defendants also used Carfax's name and reputation to resell the QV tool and its associated data to third parties, thereby depriving Carfax of its property interest in its own name and reputation.Id. ¶ 69.
iii. Reasonableness of Exercising Personal Jurisdiction Over Defendants
The final prong of the due process analysis requires courts to evaluate whether a defendant's actions have a “substantial enough connection” with the plaintiff and the forum “to make the exercise of personal jurisdiction over [the defendants] constitutionally reasonable.” Verizon, 203 F.Supp.2d at 621 (citing Christian Science, 259 F.3d at 216). In determining whether exercising personal jurisdiction over a foreign defendant is constitutionally reasonable, courts in the Fourth Circuit consider “the burden on the defendant, the forum State's interest in adjudicating the dispute, the plaintiff's interest in obtaining convenient and effective relief, the interstate judicial system's interest in obtaining the most efficient resolution of controversies, and the shared interest of several States in furthering fundamental substantive social policies.” Christian Science, 259 F.3d at 217 (quoting Burger King, 471 U.S. at 477). Ultimately, the reasonableness analysis asks whether exercising jurisdiction over a defendant “make[s] litigation ‘so gravely difficult and inconvenient' that a party unfairly is at a ‘severe disadvantage' in comparison to his opponent.” Id. (quoting Burger King, 471 U.S. at 478).
Plaintiff argues that exercising personal jurisdiction over Defendants is constitutionally reasonable because Virginia has a “strong interest” in resolving the dispute that includes Virginia law claims that arise from the use of a server located in Virginia and involve a Virginia-headquartered business. Dkt. 16 at 18-19. Additionally, Plaintiff asserts that to expect Defendants to defend the suit in Virginia does not impose an unreasonable burden on Defendants.
Defendants submit that Accu-Trade is a small twelve-employee company in Pennsylvania with “[a]ll possible witnesses and documentary evidence” in Pennsylvania. Dkt. 14 at 16. Moreover, Defendants argue that Plaintiff's VCCA claim is “largely derivative” of its federal CFAA claim. Lastly, Defendants argue that Plaintiff's interest in obtaining “convenient and effective relief” is counterbalanced by Accu-Trade's equivalent interest and that the judicial system's interstate interest in efficiently resolving the dispute would not be furthered to a greater extent in Virginia than in Pennsylvania or elsewhere. Dkt. 14 at 17.
While Defendants note that “the ‘reasonableness' specific personal jurisdiction factors weigh slightly more in favor of Pennsylvania than Virginia, ” Dkt. 14 at 17, they do not demonstrate that exercising jurisdiction over them would be “extraordinary []or of constitutional magnitude.” Aitken, 496 F.Supp.2d at 661. First, Defendants' places of business are located in Manheim, Pennsylvania, approximately 130 miles from this Court. That distance is nearly half the distance spanning the Eastern District of Virginia. Second, this Court considers a number of factors that give Virginia a legitimate interest in adjudicating the dispute: (1) Plaintiff is headquartered and principally operating in Virginia; (2) the tort occurred via a server physically located in Virginia; (3) the contract negotiations related to this dispute began when Defendants physically traveled to Virginia to meet with Plaintiff; (4) the contract Defendants unilaterally signed contemplated a Virginia forum selection clause; and (5) five of the six claims alleged against Defendants arise or could arise under Virginia law. Third, as Defendants admit, while there are reasons why Defendants would prefer to litigate in another forum such as Pennsylvania, exercising personal jurisdiction over Defendants would not impede convenient and effective relief nor would it frustrate the interstate judicial system's interest in obtaining the most efficient resolution of controversies. In all, exercising specific personal jurisdiction over Defendants would not make this litigation “so gravely difficult and inconvenient” that Defendants are at a “severe disadvantage” in comparison to Plaintiff. Burger King, 471 U.S. at 478.
Lastly, the Fourth Circuit has advised that “‘where the jurisdictional facts are intertwined with the facts central to the merits of the dispute' deferring resolution of that factual dispute to a proceeding on the merits ‘is the better view.'” Grayson v. Anderson, 816 F.3d 262, 268 (4th Cir. 2016) (quoting Adams v. Bain, 697 F.2d 1213, 1219 (4th Cir. 1982)). Because Defendants' interaction with the forum via Plaintiff's server underlies the entire dispute as to whether Defendants acted unlawfully in the use of the QV tool and Plaintiff's associated data, the jurisdictional facts are “intertwined” with the merits of the dispute. As a result, it is reasonable for this Court to not put the cart before the horse since the factual dispute regarding the nature of Defendants' use of Plaintiff's Virginia servers undergirds the merits, and not just the jurisdiction, of the matter.
iv. Due Process Considerations of Hollenshead as a Defendant
As to due process concerns related to Hollenshead's ability to mount a defense, the Court has recognized that “personal jurisdiction can be imputed against a foreign co-conspirator when one co-conspirator has sufficient contacts with the forum such that due process would not be violated.” Knight v. Doe, No. 1:10-cv-887, 2011 WL 2471543, at *2 n.2 (E.D. Va. Jun 21, 2011) (citing Verizon, 203 F.Supp.2d at 622). Hollenshead's role in the alleged tort features the same role of a co-conspirator. Hollenshead not only allegedly provided Accu-Trade with informed consent to use the QV tool and associated data in the alleged improper manner, but it also played a prominent role in the negotiations with Plaintiff that gave rise to the alleged tortious conduct.Importantly, Hollenshead stood to benefit from the tortious conduct as it could leverage the data acquired by Accu-Trade to improve its function as an automobile wholesaler. This Court applies the same reasoning in Knight here and finds that, even if Hollenshead could not be brought into the forum based on its own contacts with the forum, its relationship with Accu-Trade makes exercising personal jurisdiction over it proper.
Hollenshead was to provide Plaintiff with auction data in return for Accu-Trade's access to the QV tool. Dkt. 16-1 ¶ 6.
For these reasons, this Court holds that there are sufficient minimum contacts with the forum to exercise personal jurisdiction over Defendants so as not to offend “traditional notions of fair play and substantial justice.” Int'l Shoe, 326 U.S. at 316 (quoting Milliken v. Meyer, 311 U.S. 457, 463 (1940)).
B. Sufficiency of the Complaint as to Counts I and II
Relying on the United States Supreme Court's recent opinion in Van Buren, Defendants also move this Court to dismiss Count I and Count II of the Complaint. For the reasons to follow, this Court finds that Plaintiff has pled a sufficient factual basis to consider the claims as to both Count I and Count II facially plausible.
1. Count I - CFAA
In 1984, Congress passed the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (“Act”) in its campaign against computer crime. Pub. L. No. 98-473, 98 Stat. 2190. Two years later, it expanded the reach of the Act with the CFAA, which the Fourth Circuit has characterizes as “primarily a criminal statute designed to combat hacking.” WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 201 (4th Cir. 2012) (citing A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 645 (4th Cir. 2009)). However the CFAA still provides private plaintiffs with a private right of action for any “damage or loss” suffered “by reason of a violation of [the statute].” 18 U.S.C. § 1030(g). The CFAA provides a number of grounds for civil liability, which include instances in which an actor:
[I]ntentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer; . . . knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value; [or] . . . intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage[, ] or ... causes damage and loss.§§ 1030(a)(2)(C), (4), (5)(B)-(C).
On June 3, 2021, the Supreme Court published its opinion in Van Buren v. United States, 141 S.Ct. 1648 (2021) addressing a split among a number of circuit's interpretations of the CFAA, including the Fourth Circuit's decision in WEC. Van Buren, a police officer, was charged with having violated the CFAA after accepting a bribe to run a license plate search in a law enforcement computer database to which he was already authorized to use. As such, while the Court acknowledged Van Buren acted with an improper purpose, the Court ultimately held that Van Buren had not violated the CFAA because he did not “exceed[] authorized access” under § 1030 of the statute. The CFAA subjects to criminal or civil liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access” for the purpose of “obtain[ing] or alter[ing] information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(a)(2), (e)(6). Because Van Buren had already been granted access to the law enforcement computer database, the Court limited its ruling to whether Van Buren “exceed[ed] [his] authorized access.”
The Court adopted Van Buren's position stating that, on the one hand, the “without authorization” clause of the CFAA works to defend computers against “outside hackers-those who ‘acces[s] a computer without any permission at all.'” Van Buren, 141 S.Ct. at 1658 (quoting LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009)). On the other hand, the “exceeds authorized access” clause works to defend computers against “inside hackers-those who access a computer with permission, but then ‘exceed the parameters of authorized access by entering an area of the computer to which that authorization does not extend.'” Id. (quoting United States v. Valle, 807 F.3d 508, 524 (2d Cir. 2015). “Liability under both clauses stems from a gates-up-or-down inquiry-one either can or cannot access a computer system, and one either can or cannot access certain areas within that system.” Id. at 1658-59. Ultimately, the Court held that one “exceeds authorized access” “when he accesses a computer with authorization but then obtains information located in particular areas of the computer-such as files, folders, or databases-that are off limits to him.” Van Buren, 141 S.Ct. at 1662. That holding and the Court's reasoning align with the Fourth Circuit's view. See Id. at 1653 n.2 (collecting cases in accordance with the view adopted by the Court); WEC, 687 F.3d at 204 (concluding that “an employee ‘exceeds authorized access' when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access”). In WEC, the Fourth Circuit observed that the CFAA does not define “without authorization” and thus interpreted that term to describe when a person “accesses a computer without permission.” Id. at 206.
Defendants argue that Van Buren's bright-line “gates-up-or-gates-down” view of authorization under the CFAA makes Plaintiff's allegations as to Count I of no moment. To that end, Defendants contend that Plaintiff's allegation that Accu-Trade was not permitted to use the QV tool after allegedly rejecting Plaintiff's contract is “not enough.” Dkt. 23 at 10. As such Defendants contend that because Plaintiff did not allege it attempted to disable Accu-Trade's ability to access the QV tool or issue some clear message to Accu-Trade that their access to the QV tool was no more, the Complaint fails to assert that Accu-Trade accessed the QV tool without authorization. See Dkt. 27 at 8.
Plaintiff argues that Van Buren merely addressed the definition of “exceeds authorized access” under 18 U.S.C. § 1030(e)(6) of the CFAA. In doing so, according to Plaintiff, the Van Buren Court did not change the law in the Fourth Circuit surrounding the CFAA's bar on accessing a computer without authorization. Plaintiff does admit that it cannot state a claim on an “exceeds authorized access” theory pursuant to the CFAA after having made such an allegation in the Complaint as a basis for its CFAA claim. See Dkt. 1 ¶ 26. But that admission leads Plaintiff to emphasize that it has nonetheless stated a claim for access “without authorization” under the CFAA by alleging that “[a]ny authorization to access and use the QV tool ended [on November 3, 2018].” Id. ¶ 25; see also Id. ¶¶ 26, 46. Additionally, Plaintiff highlights several of its allegations which it argues supports the view that Accu-Trade was well aware it no longer had access to the QV tool at the point of ending contract negotiations. Notwithstanding Plaintiff's arguments in favor of its CFAA claim, Plaintiff also contends that the question of whether the gates were up or down after November 3, 2018 is a factual dispute unresolvable at the motion to dismiss stage.
Defendants respond by noting that Van Buren also makes the “without authorization” claim unpalatable based on Plaintiff's allegations. For one, Defendants submit that the “without authorization” liability under the CFAA is meant to target hackers and the “technological harms” they cause, which Defendants assert is not at issue here. Second, Defendants argue that although Van Buren did not abrogate the Fourth Circuit's reasoning in WEC, the Fourth Circuit still requires a showing that Accu-Trade was accessing the QV tool without permission. Third, Defendants maintain that the rule of lenity requires that CFAA claims be construed narrowly as an anti-hacking statute rather than an “expansive misappropriation statute” and that while Plaintiff “may have valid state law remedies against Accu-Trade[, ] . . . the CFAA does not supply those remedies.” Dkt. 27 at 5 (quoting United States v. Nosal, 676 F.3d 854, 856-57 (9th Cir. 2012) and KBS Pharm., Inc. v. Patel, No. 21-1339, 2021 WL 2351961, at *3 (E.D. Pa. Jun. 9, 2021)).
The fact that Van Buren buttresses the nearly decade-old holding in WEC and yet Defendants did not seek to dismiss Plaintiff's CFAA claim until after the Van Buren decision puzzles this Court.
This Court begins by noting, as do both parties, that Plaintiff's claims that Defendants “exceeded any authorization” provided by Plaintiff prior to November 3, 2018 cannot survive the holdings in WEC and now in Van Buren. See Dkt. Nos. 23 at 9-11; 26 at 3 n.1 (“[Plaintiff] acknowledges that pursuant to Van Buren, it cannot state a claim for “exceeds authorized access” pursuant to the CFAA.”). Van Buren makes clear that improper purpose alone is insufficient to bring an “exceeds authorized access” claim under the CFAA and instead requires that the information obtained via computer constitute information for which the user has not been granted access. See Van Buren, 141 S.Ct. at 1653 (holding that the “‘exceeds authorized access' clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have”); see also Id. at 1654-55 (rejecting the Government's interpretation of “exceeds authorized access” to include obtaining information in a particular improper manner or in improper circumstances). Here, prior to November 3, 2018, it is undisputed that Defendants are alleged solely to have misused the information to which Plaintiff granted them access. Plaintiff does not allege that Defendants improperly accessed an entirely different set of data not contemplated in the negotiations.
That leaves the Court with the question: Were the gates to the QV tool ever re-erected following Accu-Trade's representations to Plaintiff on November 3, 2018 so as to provide a plausible basis for Plaintiff's claim that Defendants continued to access the QV tool “without authorization”? Framed differently, the Court must determine, as a matter of law, whether an affirmative act by Plaintiff to re-raise the gates around the QV tool server is required to establish that Defendants had acted “without authorization.” Because this Court construes the issue as a question of law and not a disputed fact, resolution of this issue is required in making a plausibility assessment of Count I and is therefore a proper exercise at the motion to dismiss stage. See, e.g., WEC, 687 F.3d at 203 (affirming the district court's consideration of how to interpret “without authorization” at the motion to dismiss stage).
It is without question that Van Buren expressly did not consider the question of whether the “gates-up-or-gates-down” analysis “turns only on technological (or ‘code-based') limitations on access, or instead also looks to limits contained in contracts or policies.” 141 S.Ct. at 1659 n.8. Thus, this Court looks to controlling precedent in this circuit. In WEC, the Fourth Circuit ruled that an employee who allegedly downloaded his employer's proprietary information, resigned, and then used that information on behalf of a competitor did not access his employer's computer “without authorization” and thus found no liability under the CFAA. 687 F.3d at 207. In United States v. Steele, the Fourth Circuit did uphold a conviction of a defendant who surreptitiously and repeatedly accessed the email server of his former employer to filch proprietary information after having resigned. 595 Fed.Appx. at 211. Notwithstanding the “common sense, ” id., in holding a former employee liable for such conduct, the Fourth Circuit relied chiefly on three factors that supported the view that the gates were up at the time the information was accessed: (1) the former employee had accessed the information after having left the company; (2) the company “took steps to revoke [the defendant's] access to company information, including collecting [his] company-issued laptop, denying him physical access to the company's offices, and generally terminating his main system access;” and (3) the defendant “recognized that his resignation effectively terminated any authority he had to access the [plaintiff's] system thereafter, ” id.; see also United States v. Eddings, 2021 WL 2527966, at *5 (E.D. Pa. Jun. 21, 2021) (deciding “that mere possession of the means of access of a computer system in the form of a password necessarily equates to authorization to access that computer system is incompatible with common sense . . . .”).
Accepting each of Plaintiff's allegations as true and drawing “all reasonable inferences” in Plaintiff's favor, E.I. du Pont de Nemours & Co., 637 F.3d at 440, the factual conduct Plaintiff pleads does not “allow the court to draw the reasonable inference that the [Defendants] [are] liable for the misconduct alleged” under § 1030(a) of the CFAA. Iqbal, 556 U.S. at 678. Unlike the plaintiff in WEC, Plaintiff does include the requisite elements of a CFAA claim in the Complaint and alleges that those elements have been met, including the fact that Defendants acted “without authorization” and knew as much when they indicated to Plaintiff they would not be continuing negotiations around use of the QV tool. Compare Dkt. 1 ¶¶ 25, 26, 46-49 (explicitly alleging that Defendants acted “without authorization” or “without authority”) with WEC, 687 F.3d at 207 (“Notably, however, [plaintiff] fails to allege that [defendants] accessed a computer or information on a computer without authorization.) and with Federated It, Inc. v. Anthony, No. 1:18-cv-1484, 2020 WL 4747784, at *6 (E.D. Va. May 12, 2020) (dismissing a CFAA claim because there was “no specific allegation in the complaint that defendant [] did not have authorization to access th[e] information, only that she then misused certain information that she had access”). However, Plaintiff's allegations do not contain sufficient factual grounds to assert a plausible claim under the CFAA that comports with the Fourth Circuit's interpretation of “without authorization.”
Truth be told, because the CFAA does not define “without authorization, ” the concept of whether a defendant acted “without authorization” remains a matter of debate. In WEC, the Fourth Circuit considered two ways of viewing the “without authorization” language in the CFAA. 687 F.3d at 203, 206-07. The expansive view of the CFAA, adopted by the Seventh Circuit, holds that bad faith dealings alone may raise the gates and make any subsequent access “without authorization.” See Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (reasoning that an employee's “breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship”). Rather conversely the Ninth Circuit interprets “without authorization” “literally and narrowly, ” reasoning that “the CFAA fails to provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded.” Nosal, 676 F.3d at 863-64. Ultimately, the WEC court adopted the Ninth Circuit's “narrow reading of the term[] ‘without authorization.'” 687 F.3d at 206. In its analysis, the Fourth Circuit noted that the defendants retained access to the plaintiff's “intranet and computer servers and to numerous confidential and trade secret documents stored on these computer servers.” Id. at 207. As a result, the court determined that the plaintiff failed to allege that the defendants accessed a computer or information on a computer “without authorization.” Id. Despite the fact that the plaintiff in WEC alleged a CFAA claim under the statute's civil provision, the Fourth Circuit applied the rule of lenity to comply with the Supreme Court's counsel to construe criminal statutes strictly. Id. (citing United States v. Lanier, 520 U.S. 259, 266 (1997)). In doing so, the Court expressed its unwillingness to “contravene Congress' intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy.” Id.
The Ninth Circuit's Facebook decision continued to build off of Nosal, which further clarifies the view embraced by the Fourth Circuit in WEC. In Facebook, the Ninth Circuit held that “without authorization” under the CFAA occurs only “when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1066 (9th Cir. 2016); see also Domain Name Comm'n Ltd. v. DomainTools, LLC, 449 F.Supp.3d 1024, 1029 (W.D. Wash. 2020) (“Permission or authorization to access a computer does not evaporate simply because the user has violated a duty owed to the owner of the computer.”). The Ninth Circuit dismissed the CFAA claim because the plaintiff had sent the defendant a cease and desist letter. 844 F.3d at 1067-68. Moreover, the Facebook court found the cease and desist letter issued by the plaintiff sufficient reason to dismiss the CFAA claim because it put the defendant on unequivocal notice that they were no longer authorized to access the plaintiff's computers. See Id. at 1067. Another district court applied Facebook to hold that the CFAA “requires express revocation of previously granted authorization.” NW Monitoring LLC v. Hollander, No. C20-5572 RSM, 2021 WL 1424690, at *5 (W.D. Wash. Apr. 15, 2021) (emphasis in original) (citing Facebook, Inc., 844 F.3d at 1066).
Following Nosal, but prior to Facebook, two district court opinions in the Ninth Circuit held that “[p]revious Ninth Circuit authority (un-altered by Nosal) indicates that if a former employee accesses information without permission, even if his prior log-in information is still operative as a technical matter, such access would violate the CFAA.” See, e.g., Weingand v. Harland Fin. Solutions, Inc., No. C-11-3109 EMC, 2012 WL 2327660, at *9. At least one district court in this circuit has relied on that holding. GSP Fin. Servs., LLC v. Harrison, No. GJH-18-2307, 2021 WL 288172, at *4 (D. Md. Jan. 28, 2021) (upholding a CFAA claim involving a former employee who had been terminated and days later received a cease-and desist letter from their employer to end their continued access of the plaintiff's data). However, the court's opinion neglected to consider the Ninth Circuit's more recent Facebook authority, which does not support the rule in Weingand. That the GSP court, sitting outside the Ninth Circuit, is the only court to have cited that rule in the six years since Facebook is telling.
Defendants' relationship with Plaintiff arose from the negotiations and unwritten agreements related to the testing of Plaintiff's QV tool with Accu-Trade's platform and the testing of Accu-Trade's data with Plaintiff's platform. Focusing solely on Accu-Trade's use of the QV tool during the period prior to November 3, 2018, Accu-Trade's information access rights surrounding Plaintiff's proprietary QV data appear similar to those of an employee of Plaintiff who worked on the QV tool. Plaintiff had effectively provided actual authority to Accu-Trade as an agent of Plaintiff in licensing the use of its QV tool-at least on a temporary basis.
Because the Fourth Circuit adopted the reasoning of the Ninth Circuit, this Court interprets “without authorization” narrowly to mean that a party has accessed information that, although previously made available to that party, has since been rescinded by the information provider. Comparing the facts in Steele, where the Fourth Circuit upheld a CFAA claim involving a former employee, to those alleged in this case proves instructive. First, Plaintiff does allege that Accu-Trade admitted to accessing the QV tool repeatedly after November 3, 2018. Dkt. 1 ¶ 29. Second, Plaintiff does allege that Accu-Trade immediately signed the proposed contract when confronted by Plaintiff about its alleged behavior. Id. ¶ 28 (“When confronted by [Plaintiff] about its fraud, Accu-Trade . . . immediately signed and returned to Plaintiff the previously rejected and unsigned [proposed contract] in an attempt to cover up the company's illegal conduct.”). However third, and fatal to Plaintiff's claim, Plaintiff does not allege that it rescinded or even sought to rescind Accu-Trade's access to the QV tool during the time that Accu-Trade is alleged to have improperly accessed Plaintiff's QV tool. See Id. ¶ 26 (acknowledging that Plaintiff did not inform Accu-Trade that it was not allowed to continue to use the QV until after it became aware of the alleged misappropriation through one of its data providers-at which point the alleged harm had already occurred).
Plaintiff fails to allege that it took any affirmative act to revoke that access until after the alleged harm had been caused. And according to the Fourth Circuit, that is a critical component of determining whether an actor accessed information with or without authorization. To be sure, the Steele court did in fact reason that “[j]ust because [the plaintiff] neglected to change a password on [the defendant's] backdoor account does not mean [the plaintiff] intended for [the defendant] to have continued access to its information.” Id. However, the court also emphasized that the plaintiff “took steps to revoke [the defendant's] access to company information, including collecting [his] company-issued laptop, denying him physical access to the company's offices, and generally terminating his main system access.” 595 Fed.Appx. at 211. Because of that affirmative notice, the Fourth Circuit found grounds to uphold the CFAA claim. But such notice is conspicuously absent from Plaintiff's allegations.
This Court notes that although applying the Fourth Circuit's narrow construction of “without authorization” reveals Plaintiff has not met the requisite pleading standard, Plaintiff nonetheless “may have valid state law remedies against [Accu-Trade] . . . but the CFAA does not supply those remedies.” See KBS Pharm., Inc. v. Patel, No. 21-1339, 2021 WL 2351961, at *3 (E.D. Pa. June 9, 2021) (dismissing CFAA claim based on violation of a signed confidentiality agreement as well as an acknowledged set of policy guidelines contained in an employee handbook).
Therefore, this Court holds that Plaintiff has not sufficiently pleaded a facially plausible claim under the CFAA.
2. Count II - Virginia Computer Crimes Act
In Count II, Plaintiff alleges that Defendants violated the VCCA. To sufficiently plead a facially plausible claim under the VCCA, a plaintiff must demonstrate that the defendant “used a computer or computer network without authority . . . with the intent to obtain property or services by false pretenses, embezzle or commit larceny, or convert the property of another.” Space Systems/Loral, LLC v. Orbital ATK, Inc., 306 F.Supp.3d 845, 855 (E.D. Va. 2018) (citing Ford v. Torres, No. 1:08-cv-1153, 2009 WL 537563, at *7 (E.D. Va. Mar. 3, 2009). Under the VCCA, a person acts “without authority” when “he knows or reasonably should know that he has no right, agreement, or permission or acts in a manner knowingly exceeding such right, agreement, or permission.” Va. Code Ann. § 18.2-152.2.
Plaintiff argues that the VCCA stands on its own and therefore the Van Buren decision does not implicate the statute. For example, Plaintiff notes that the VCCA does not use the “entitled so to obtain” language that drove the Van Buren court's interpretative analysis of the CFAA. Instead, Plaintiff submits that the VCCA's “without authority” language is clearly defined and that the Complaint adequately pleads factual grounds to assert a cognizable claim under that statute.
Defendants rely on Shelton v. Commonwealth, 645 S.E.2d 914, 917-18 (Va. 2007) for the proposition that this Court must apply the rule of lenity to the VCCA in like manner as the Fourth Circuit has done in interpreting the CFAA. Defendants also cite Lester v. Allied Concrete Co., 80 Va. Cir. 454, 461 (2010), for the proposition that the interpretation of “without authority” under the VCCA is derivative of the CFAA. And because Defendants argue that there is no merit to the CFAA claim, they contend the VCCA claim should sink with it.
The terms of the VCCA make crystal clear that if an actor at least “reasonably should know that he has no right” to certain information, that actor may be subject to liability. Following Van Buren's lead, “[b]ecause the text . . . support[s] [this Court's] reading, ” the rule of lenity “is not in play.” 141 S.Ct. at 1661. Furthermore, the VCCA is not derivative of the CFAA. It predated the CFAA by two years. Nothing in Lester or any other case interpreting the VCCA suggests that “without authority” under the VCCA is interpreted in the same manner as “without authorization” under the CFAA. Cf., e.g., Vanderhye, 562 F.3d at 646-47 (Fourth Circuit overruling a district court's rejection of both a CFAA and a VCCA claim because the district court attempted to construe “any damages” under the VCCA in the same light as the CFAA). Here, the Complaint provides sufficient allegations for this Court to reasonably infer that Defendants, at minimum, should have known that they forfeited the right to continue to use the QV tool at the time they actively ended negotiations. Dkt. 1 ¶¶ 25, 28. That allegation meets the definition of “without authority” under the VCCA, which is separate and apart from the “without authorization” language used in the CFAA. It follows that Plaintiff has met the pleading standard and the VCCA claim thus survives Defendants' motion to dismiss.
IV. CONCLUSION
For the reasons articulated in this opinion, it is hereby ORDERED that Defendants' Motion to Dismiss for Lack of Jurisdiction (Dkt. 13) is DENIED; and it is
FURTHER ORDERED that Defendants' Motion to Dismiss for Failure to State a Claim (Dkt. 23) is GRANTED IN PART and DENIED IN PART. Count I of the Complaint is dismissed and Count II of the Complaint may proceed.
The Clerk is directed to forward copies of this Order to counsel of record.
It is SO ORDERED.