From Casetext: Smarter Legal Research

Enhanced Recovery Co. v. Frady

UNITED STATES DISTRICT COURT MIDDLE DISTRICT OF FLORIDA JACKSONVILLE DIVISION
Mar 31, 2015
Case No.: 3:13-cv-1262-J-34JBT (M.D. Fla. Mar. 31, 2015)

Summary

adopting narrow approach " ‘so that Congress will not unintentionally turn ordinary citizens into criminals.’ " (citing Nosal , 676 F.3d at 863 )

Summary of this case from AlixPartners, LLP v. Benichou

Opinion

Case No.: 3:13-cv-1262-J-34JBT

03-31-2015

ENHANCED RECOVERY COMPANY, LLC, a Delaware limited liability company, Plaintiff, v. RACHEL FRADY, LIZA AKLEY, and STELLAR RECOVERY, INC., Defendants.


ORDER

This cause is before the Court on the Report and Recommendation (Doc. 89; Report), entered by the Honorable Joel B. Toomey, United States Magistrate Judge, on January 20, 2015. Plaintiff Enhanced Recovery Company ("ERC") filed an eight-count complaint against Rachel Frady (a former employee of ERC), Stellar Recovery, Inc. ("Stellar"), her subsequent employer, and Stellar's Chief Operating Officer, Liza Akley, alleging that before Frady left ERC to work for Stellar, she misappropriated ERC's trade secrets and shared them with Akley. See generally Plaintiff's Third Amended Complaint for Injunctive Relief and Damages (Doc. 55; Complaint). In the Complaint ERC asserts three causes of action against Frady: breach of contract under state law (Count I), breach of duty of loyalty under state law (Count II), violation of the Stored Communications Act (Count III); as well as five additional claims against all Defendants: misappropriation of trade secrets under state law (Count IV), violation of the federal Computer Fraud and Abuse Act (CFAA) (Count V), conversion under state law (Count VI), violation of the Florida Deceptive and Unfair Trade Practices Act (Count VII), and civil conspiracy under state law (Count VIII). Defendants filed motions to dismiss the Complaint pursuant to Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim. See Defendant Frady's Motion to Dismiss Plaintiff's Third Amended Complaint and for the Court to Decline Supplemental Jurisdiction on any Remaining State Law Claims and Memorandum of Law (Doc. 58; Frady Motion); Defendants Stellar and Akley Joint Motion to Dismiss Plaintiff's Third Amended Complaint and for the Court to Decline Supplemental Jurisdiction on any Remaining State Law Claims and Memorandum of Law (Doc. 66; Akley Stellar Motion) (collectively "Motions"), and ERC responded, see Plaintiff's Response to Defendant's Motion to Dismiss Plaintiff's Third Amended Complaint and Decline Supplemental Jurisdiction (Doc. 61; ERC's Frady Response); Plaintiff's Response to Defendants Stellar and Akley Joint Motion to Dismiss Plaintiff's Third Amended Complaint and Decline Supplemental Jurisdiction (Doc. 67; ERC's Akley Stellar Response). On December 4, 2014, the Court referred the Motions to the assigned magistrate judge for preparation of a report and recommendation. See Order (Doc. 83).

In the Report, the magistrate judge recommends that the Court grant the Motions in part and deny them in part. Specifically, the magistrate judge recommends that the Court grant the Motions with respect to Count II (breach of duty of loyalty), Count III (violation of the Stored Communications Act), Count VI (conversion), Count VII (violation of the Florida Deceptive and Unfair Trade Practices Act), and Count VIII (civil conspiracy) of ERC's Complaint, and dismiss those claims without prejudice. Report at 2. With respect to Count I (breach of contract), Count IV (misappropriation of trade secrets), and Count V (exceeding authorized access under the CFAA), the magistrate judge recommends that the Motions to dismiss be denied. Id. ERC did not file objections to the Report and Recommendation. However, Defendants Rachel Frady, Liza Akley, and Stellar did. See Defendants' Joint Objections to Doc. 89, Magistrates Report and Recommendations (Doc. 91; Objections). ERC thereafter filed a response to Defendants' objections, see Plaintiff's Response to Defendants' Joint Objections (Doc. 94; Response), and the matter is ripe for the Court's consideration.

Foremost among Defendants' objections is their challenge to the recommendation that the Motions be denied as to ERC's CFAA claim. See Objections at 3-10. Defendants argue, as they did in the Motions, that because ERC admits that Frady was authorized to access ERC's confidential information, the fact that Frady later shared that information with Stellar is insufficient as a matter of law to state a claim for "exceeding authorized access" under the CFAA. In turn, because the Complaint only raised two federal questions - and ERC does not object to the Report's recommendation that the other federal claim, violation of the Stored Communications Act, be dismissed - Defendants contend that the Court should decline to exercise supplemental jurisdiction over the remaining state law claims if it dismisses the CFAA claim. See id. at 14. Defendants raise other objections as well, including that Stellar and Akley should not be held vicariously liable under the CFAA for Frady's actions, id. at 12, and that ERC should not be given the opportunity to file a fourth amended complaint, and thus dismissal of its insufficiently pled claims should be "with prejudice" rather than "without prejudice," id. at 14-16.

The Court "may accept, reject, or modify, in whole or in part, the findings or recommendations made by the magistrate judge." 28 U.S.C. § 636(b). If no specific objections to findings of facts are filed, the district court is not required to conduct a de novo review of those findings. See Garvey v. Vaughn, 993 F.2d 776, 779 n.9 (11th Cir. 1993); see also 28 U.S.C. § 636(b)(1). However, the district court must review legal conclusions de novo. See Cooper-Houston v. Southern Ry. Co., 37 F.3d 603, 604 (11th Cir. 1994); United States v. Rice, No. 2:07-mc-8-FtM-29SPC, 2007 WL 1428615, at *1 (M.D. Fla. May 14, 2007).

The resolution of Defendants' Motions with respect to ERC's claim in Count V turns on the meaning of the words "exceeds authorized access" as used in the CFAA. This question is one on which reasonable jurists consistently disagree. Indeed, while the analysis in the Report is thoughtful and well-reasoned, the undersigned like many other jurists is not persuaded that the CFAA reaches conduct such as that alleged in this action. Upon an independent review of the law and the record, the Court agrees with the analysis of the majority of the district courts within the Eleventh Circuit, who have held that the CFAA's definition of "exceeds authorized access" does not reach an employee who has permission to access proprietary information, but subsequently uses it in violation of company policy. See, e.g., Power Equipment Maintenance, Inc. v. AIRCO Power Services, Inc., 953 F.Supp.2d 1290 (S.D. Ga. 2013); Trademotion, LLC v. Marketcliq, Inc., 857 F.Supp.2d 1285 (M.D. Fla. 2012); Clarity Services, Inc. v. Barney, 698 F.Supp.2d 1309 (M.D. Fla. 2010). But see Aquent LLC v. Stapleton, ___ F.Supp.3d ___, 2014 WL 5780293 (M.D. Fla. 2014). Thus, the Court respectfully declines to adopt the Report's recommendation that the Motions be denied as to ERC's CFAA claim, and this claim is due to be dismissed. ERC has not objected to the recommendation in the Report that the Court dismiss ERC's Stored Communications Act claim, and on independent review the Court agrees. As such, it appears that all of ERC's federal claims are due to be dismissed. In light of that determination, the Court will decline to exercise supplemental jurisdiction over ERC's remaining state law claims and thus need not reach Defendants' objections as to those claims.

I. Background

The factual and procedural background of this case are well-known to the parties and accurately recited in the Report and Recommendation. Accordingly, the Court limits its discussion to the basic facts relevant to the analysis of ERC's CFAA claim.

ERC is a limited liability company that provides debt collection services to third parties. The company "places great emphasis on developing on-going customer relations by providing quality debt collection services specifically tailored to focus on the individual needs of each client." Complaint at ¶ 12. According to ERC, it has invested significant time and resources in developing what it considers proprietary information, much of which relates to policies and procedures, state-by-state legal information on debt collection practices, and client information. Id. at ¶ 13.

Frady began working for ERC in 2005 as an administrative assistant. After several promotions, in 2013 ERC promoted Frady to the position of "Quality Manager." Complaint at ¶ 17. ERC acknowledges that during this time, it provided Frady with access to its sensitive, proprietary information. Id. at ¶ 23. When Frady accepted a promotion in 2006, she signed an employment agreement that contained two provisions regarding the confidentiality of proprietary information. See id. at ¶¶ 19-21. The two provisions require that an employee not share confidential information with a third party or use it for the employee's personal benefit or that of another, and that the employee return all confidential information to the company once the employment ends. Id. at ¶¶ 20-21. During Frady's employment, ERC also had an "Information Security Policy," one paragraph of which stated:

Removing account information or files from the office, or disclosing account Information to a third party without the consent of Senior Management is prohibited. All policies, procedures, files and manuals are the sole property of Enhanced Recovery Company, LLC and may contain specific trade secrets. No employee shall disclose any of this material to a third party while they are employed, or thereafter. In the event that you leave employment of ERC for any reason, you are required to return all company materials in your possession. Company, client and consumer information is not to be discussed with any non-ERC employees.
Id. at ¶ 26. The policy echoes the provisions of the employment agreement concerning the non-disclosure and return of confidential information. The focus of ERC's confidentiality policies is maintaining the secrecy of proprietary information, but they do not specify what information an employee is authorized or not authorized to access.

ERC's Information Security Policy also forbade employees from using the internet "during business hours on company equipment for non-business purposes." Id. at ¶ 25. However, this policy says nothing about Frady's authorization to access the trade secrets at issue in the case, which ERC does not allege was stored exclusively on the internet (as opposed to the much more common practice of storing information in hard drives and hard copies).

On October 14, 2013, Frady resigned from her employment with ERC. Id. at ¶ 30. ERC alleges that before Frady resigned, between July 2013 and October 2013, she was in steady contact with Stellar COO Liza Akley. Id. at ¶ 29. During that time, ERC alleges that Frady emailed confidential information from her work email to her personal email, and from there forwarded information to Akley's personal email. Id. at ¶¶ 31-32. ERC also alleges that Akley forwarded the confidential information from her personal email account to her work email account at Stellar. Id. at ¶ 33. ERC terminated Frady's computer access only on her final day of employment, which was October 16, 2013. Id. at ¶¶ 27, 31. Frady now works for Stellar as its director of quality assurance. Id. at ¶ 34.

In the Complaint, ERC alleges that Frady violated two provisions of the CFAA, 18 U.S.C. §§ 1030(a)(2)(C) and 1030(a)(4), by misusing her access to ERC's confidential information to share it with a competitor. ERC claims that Frady "exceeded authorized access" because she did not have a "legitimate business purpose" at the time she obtained the information that she transmitted to Akley. Complaint at ¶ 31. Because "[s]uch action was contrary to ERC's narrow policy limiting the use and disclosure of its confidential information to business purposes only," Frady allegedly exceeded authorized access, as that term is defined under the CFAA. Id. at ¶ 84. Defendants contend that ERC has failed to state a claim, as a matter of law, because ERC admittedly authorized Frady to access the confidential information that she shared. See Frady Motion to Dismiss at 8-9.

ERC claims that Akley and Stellar violated the CFAA as well by prompting Frady to share ERC's confidential information with them. See Complaint at ¶¶ 87-91.

II. Motion to Dismiss Standard

In ruling on a motion to dismiss, the Court must accept the factual allegations set forth in the complaint as true. See Ashcroft v. Iqbal, 129 S. Ct. 1937, 1949 (2009); Swierkiewicz v. Sorema N.A., 534 U.S. 506, 508 n.1 (2002); see also Lotierzo v. Woman's World Med. Ctr., Inc., 278 F.3d 1180, 1182 (11th Cir. 2002). In addition, all reasonable inferences should be drawn in favor of the plaintiff. See Omar ex. rel. Cannon v. Lindsey, 334 F.3d 1246, 1247 (11th Cir. 2003) (per curiam). Nonetheless, the plaintiff must still meet some minimal pleading requirements. Jackson v. Bellsouth Telecomm., 372 F.3d 1250, 1262-63 (11th Cir. 2004) (citations omitted). Indeed, while "[s]pecific facts are not necessary[,]" the complaint should "'give the defendant fair notice of what the . . . claim is and the grounds upon which it rests.'" Erickson v. Pardus, 551 U.S. 89, 93 (2007) (per curiam) (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007)). Further, the plaintiff must allege "enough facts to state a claim that is plausible on its face." Twombly, 550 U.S. at 570. "A claim has facial plausibility when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Iqbal, 129 S. Ct. at 1949 (citing Twombly, 550 U.S. at 556). A "plaintiff's obligation to provide the grounds of his entitlement to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do[.]" Twombly, 550 U.S. at 555 (internal quotations omitted); see also Jackson, 372 F.3d at 1262 (explaining that "conclusory allegations, unwarranted deductions of facts or legal conclusions masquerading as facts will not prevent dismissal") (internal citation and quotations omitted). Indeed, "the tenet that a court must accept as true all of the allegations contained in a complaint is inapplicable to legal conclusions[,]" which simply "are not entitled to [an] assumption of truth." See Iqbal, 129 S. Ct. at 1949, 1951. Thus, in ruling on a motion to dismiss, the Court must determine whether the complaint contains "sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face[.]'" Id. at 1949 (quoting Twombly, 550 U.S. at 570). In considering a motion to dismiss, a court should "1) eliminate any allegations in the complaint that are merely legal conclusions; and 2) where there are well-pleaded factual allegations, 'assume their veracity and then determine whether they plausibly give rise to an entitlement to relief.'" Amer. Dental Ass'n v. Cigna Corp., 605 F.3d 1283, 1290 (11th Cir. 2010) (quoting Iqbal, 556. U.S. at 679)).

III. Discussion

A. The CFAA

Congress enacted the CFAA in 1984 to

enhance the government's ability to prosecute computer crimes. The act was originally designed to target hackers who accessed computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possessed the capacity to "access and control high technology processes vital to our everyday lives...."
LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130 (9th Cir. 2009) (quoting H.R. Rep. 98-894, 1984 U.S.C.C.A.N. 3689, 3694 (July 24, 1984)). Under § 1030(a)(2)(C) of the CFAA, whoever "intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains... information from any protected computer" commits an offense. In a similar vein, § 1030(a)(4) provides that whoever "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value" also commits an offense. Of import to this action, one "who suffers damage or loss by reason of a violation of [§ 1030(a)]" may bring a civil action under the CFAA if the loss is one of five types of harm identified in the statute. 18 U.S.C. §§ 1030(g), 1030(c)(4)(A)(i)(I-V).

Section 1030(a)(4) provides a limited exception to culpability which is not applicable here.

1. The meaning of "exceeds authorized access"

The CFAA defines the term "exceeds authorized access" as follows:

[T]he term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.
18 U.S.C. § 1030(e)(6). Nevertheless, application of this term and its definition have bedeviled the courts. Some have interpreted the definition broadly, reading into it a theory of agency, such that an employee's authorization is revoked, and thus she "exceeds authorized access," whenever she obtains information with a subjective intent that is unlawful or contrary to her employer's interests, even though the employee actually had authorization to access the information. See, e.g., United States v. John, 597 F.3d 263, 271-72 (5th Cir. 2010) ("authorization" as used in the CFAA "may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system" if the use is in furtherance of a crime); Int'l Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (employee's authorization to access a computer ended, for purposes of 18 U.S.C. § 1030(a)(5), once the employee breached his duty of loyalty to the employer); Aquent LLC, 2014 WL 5780293, at *4-5 (employee exceeded authorized access by abusing access to confidential information to share it with a competitor). Under this theory, where an employee accesses confidential information for personal purposes inconsistent with the employer's interests, that employee has exceeded her authorized access to the information. This is the interpretation that ERC urges.

Other courts, including the majority of district courts in this Circuit that have considered the question, have adopted a narrower definition of "exceeds authorized access." As one put it, "[q]uite simply, without authorization means exactly that: the employee was not granted access by his employer. Similarly, exceeds authorized access simply means that, while an employee's initial access was permitted, the employee accessed information for which the employer had not provided permission." AIRCO, 953 F.Supp.2d at 1296; see also, e.g., Clarity Services, Inc., 698 F.Supp.2d at 1315; Trademotion, 857 F.Supp.2d at 1289-91; Diamond Power Int'l, Inc. v. Davidson, 540 F.Supp.2d 1322, 1343 (N.D. Ga. 2007). Many courts outside of the Eleventh Circuit have also adopted this narrower interpretation. E.g., WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 203-07 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012); Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 968 (D.Ariz. 2008). Under the narrow interpretation, an employee who has actually been granted access to information does not "exceed authorized access" by virtue of the employee's subjective intent or by subsequently violating company policies on the use of the information. AIRCO, 953 F.Supp.2d at 1296; WEC Carolina, 687 F.3d at 206-07; Bell Aerospace Services, Inc. v. U.S. Aero Services, Inc., 690 F.Supp.2d 1267, 1272 (M.D. Ala. 2010) ("'Exceeds authorized access' should not be confused with exceeds authorized use.") (citing Diamond Power Int'l, 540 F.Supp.2d at 1343). Nor does an employee "exceed authorized access" by obtaining information that she is permitted to access, but "in a manner" that is not authorized. WEC Carolina, 687 F.3d at 205-07; Nosal, 676 F.3d at 856-63. Rather, an individual "exceeds authorized access" by gaining access to specific information that her employer simply did not give her permission to access. Diamond Power Int'l, 540 F.Supp.2d at 1343. This is the theory that Defendants urge.

The Court finds the reasoning in favor of the narrow interpretation significantly more persuasive. The plain text, legislative history, and purpose of the CFAA support the conclusion that "exceeds authorized access" means to have initial access to a computer, but to access certain information or files that one does not have authorization to access. See 18 U.S.C. § 1030(e)(6). "[T]he proper inquiry," then, "is whether an employer had, at the time, both authorized the employee to access a computer and authorized that employee to access specific information on that computer." AIRCO, 953 F.Supp.2d at 1295. This analysis focuses on the actions of the employer rather than the subjective motivation of the employee, because "it is the employer's decision as to what the employee can access that determines whether an employee exceeded his authorized access." Id. at 1296. Looking first to the text of the CFAA, the Court agrees with the discussion in AIRCO that:

[t]he language of the CFAA simply prohibits accessing information either without authorization or in excess of authorized access. 18 U.S.C. § 1030. It does not confer upon employers the ability to sue their employees in federal court for violations of company policy regarding computer usage.... [T]he language of the CFAA does not speak to employees who properly accessed information, but subsequently used it to the detriment of their employers: either one has been granted access or has not. Employers cannot use the CFAA to grant access to information and then sue an employee who uses that information in a manner undesired by the employer.

Id.

Additionally, the legislative history of the CFAA supports the narrower view. As noted by one court:

[I]n 1986 Congress amended the CFAA to substitute the phrase "exceeds authorized access" for the phrase "or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend." S.Rep.No. 99-432, at 9, U.S.Code Cong. & Admin.News 1986, pp. 2479, 2486. By enacting this amendment, and providing an express definition for "exceeds authorized access," the intent was to "eliminate coverage for authorized access that aims at 'purposes to which such authorization does not extend,' " thereby "remov[ing] from the sweep of the statute one of the murkier grounds of liability, under which a [person's] access to computerized data might be legitimate in some circumstances, but criminal in other (not clearly
distinguishable) circumstances that might be held to exceed his authorization." S.Rep.No. 99-432, at 21, U.S.Code Cong. & Admin.News 1986, pp. 2479, 2494-95.
Int'l Ass'n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F.Supp.2d 479, 499 n.12 (D.Md. 2005). Thus, it appears that in amending the CFAA, Congress repudiated the very theory ERC advances, which is that an employee "exceeds authorized access" whenever she "uses the opportunity such access provides for purposes to which such authorization does not extend." S.Rep.No. 99-432, at 9, U.S.Code Cong. & Admin.News 1986, pp. 2479, 2486. To do so, Congress repealed the language making it a violation to "use[ ] the opportunity such access provides for purposes to which such authorization does not extend," and replaced it with "exceeds authorized access," which it defines as having access to a computer, but obtaining information to which one is not authorized to access. See 18 U.S.C. § 1030(e)(6). In amending the statute, Congress's express aim was to remove "from the sweep of the statute one of the murkier grounds of liability," i.e., situations where an employee has authorization to access information, but does so for an improper "purpose." S.Rep.No. 99-432, at 21, U.S.Code Cong. & Admin.News 1986, pp. 2479, 2494-95. Yet, that is precisely the theory ERC advances here, that because Frady abused her authorization to access confidential information in the form of trade secrets by accessing that information for the purpose of sharing it with a competitor, she exceeded her authorized access. The CFAA's history is not consistent with this theory.

Moreover, applying the CFAA to an employee, like Frady, who divulges trade secrets that she was actually permitted to access, or who violates computer usage policies, takes the CFAA far beyond its original purpose of targeting computer hackers. See Brekka, 581 F.3d at 1130 (quoting H.R. Rep. 98-894, 1984 U.S.C.C.A.N. 3689, 3694 (July 24, 1984)). Indeed, the interpretation of "exceeds authorized access" that ERC urges, in which an employee's authorization to access particular information turns on her subjective intent at the moment of access or her subsequent use of information, not only lacks textual support, but threatens to transform the CFAA into a sweeping misappropriation of "confidential" information statute. See Nosal, 676 F.3d at 863. Such an interpretation would provide a federal cause of action for conduct that even exceeds the current state law remedies provided for misappropriation of trade secrets. Under ERC's theory, the CFAA would be violated any time an employee accesses information that the employer deems to be "confidential" for an improper purpose regardless of whether such information qualifies for protection as a trade secret. Given that in the digital age confidential information is much more likely to be stored on computers than in file cabinets, any employee who downloads, copies, or emails company information (that she had objective permission to access) in violation of a confidentiality agreement or company policy would be deemed to have exceeded authorized access under the CFAA. In turn, such an employee would be subject not only to a federal civil action, the employee could become a felon, subject to as much as five years' imprisonment if deemed to have committed the act for financial gain. See 18 U.S.C. § 1030(c)(2)(B)(i). Such a broad reading of § 1030(e)(6)

creates a nebulous area where the same action can fall on either side of the CFAA based on the highly subjective intentions of the employee. For example, routinely checking personal email at work may violate the CFAA if an employer has a policy prohibiting any computer access for non-business related reasons. Further, accessing files prior to deciding to depart for a competitor may retroactively be deemed as exceeding authority should the employee make use of that information to the benefit of his new employer. Such outcomes place employees in the precarious position of
almost any access possibly being construed as exceeding authorized access, potentially resulting in civil [or criminal] liability under the CFAA.
AIRCO, 953 F.Supp.2d at 1296; see also WEC Carolina, 687 F.3d at 206; Nosal, 676 F.3d at 860-62 (discussing problematic hypotheticals that would arise from finding a violation of computer usage policies to constitute exceeding authorized access under the CFAA). In this vein, the Court observes that if violating a computer usage policy equates with exceeding authorized access, the worker who accesses an internet site devoted to political satire or even an internet dating website could unwittingly find herself a federal criminal if her employer has a policy against using the internet for a "nonbusiness purpose," whatever that may mean. While that is not the situation here, the Court must be aware that its interpretation of "exceeds authorized access" today has implications for tomorrow. As such, the Court will construe statutes such as this with a criminal application "narrowly so that Congress will not unintentionally turn ordinary citizens into criminals." Nosal, 676 F.3d at 863.

The Court is also concerned that if violating an office policy regarding computer usage necessarily equates with exceeding authorized access, employers could use the threat of a CFAA prosecution to silence employees who believe their employer has violated state or federal law with respect to the terms or conditions of their employment. That concern is not speculative. In Lee v. PMSI, Inc., 2011 WL 1742028 (M.D. Fla. May 6, 2011), at *1, a case out of this very district, an employee sued her former employer for pregnancy discrimination, and the employer counterclaimed that the employee violated the CFAA by checking her Facebook and personal email accounts at work in violation of office policy.

In consideration of the foregoing, the Court concludes that "[u]nder the more reasoned view, a violation for accessing 'without authorization' occurs only where initial access is not permitted. And a violation for 'exceeding authorized access' occurs where initial access is permitted but the access of certain information is not permitted." Diamond Power Int'l, 540 F.Supp.2d at 1343. "The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper 'access' of computer information. It does not prohibit misuse or misappropriation." Id. In this regard, the narrower interpretation is a "sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking - the circumvention of technological access barriers - not misappropriation of trade secrets - a subject Congress has dealt with elsewhere." Nosal, 676 F.3d at 863. As such, in this Court's view, the CFAA's definition of "exceeds authorized access" does not reach an employee who has actually been granted access to confidential information, but who accesses that information for the improper purpose of removing or disclosing the employer's information.

2. United States v. Rodriguez

In reaching this conclusion, the Court is mindful of the decision of the Eleventh Circuit Court of Appeals in United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010). ERC cites this decision for the proposition that Frady exceeded authorized access under the CFAA by accessing confidential information, emailing it to herself, and subsequently disclosing it to a competitor in violation of non-removal and confidentiality policies. Upon careful consideration, the Court is of the view that the facts of Rodriguez are significantly distinguishable such that it's holding is not applicable to the case at bar.

In Rodriguez, the defendant was a TeleService representative for the Social Security Administration (SSA), and in that capacity he answered questions from the general public about social security benefits over the telephone. Id. at 1260. As a TeleService representative, he was authorized access to individuals' sensitive personal information only for business reasons. Id. Indeed, the SSA had a well-advertised established policy that explicitly conditioned authorization to access a particular individual's file based on whether it was done within the scope of business. Id. The SSA went to great lengths to give its employees fair notice of the policy:

The Administration informed its TeleService employees about its policy through mandatory training sessions, notices posted in the office, and a banner that appeared on every computer screen daily. The Administration also required TeleService employees annually to sign acknowledgment forms after receiving the policies in writing. The Administration warned employees that they faced criminal penalties if they violated policies on unauthorized use of databases.
Id. Despite the warnings, Rodriguez "admitted that he accessed information for nonbusiness reasons when he obtained personal identifying information, such as birth dates and home addresses, of 17 persons he knew or their relatives." Id. The Eleventh Circuit upheld Rodriguez's conviction for exceeding authorized access under § 1030(a)(2)(B), explaining that
[t]he policy of the Administration is that use of databases to obtain personal information is authorized only when done for business reasons. Rodriguez conceded at trial that his access of the victims' personal information was not in furtherance of his duties as a TeleService representative and that "he did access things that were unauthorized." In the light of this record, the plain language of the Act forecloses any argument that Rodriguez did not exceed his authorized access.
Id. at 1263 (emphasis added). Notably, the Eleventh Circuit distinguished, but did not reject, the Ninth Circuit's decision in Brekka, 581 F.3d 1127, where the Ninth Circuit held that an employee did not exceed authorized access under the CFAA by misappropriating trade secrets that his employer admittedly authorized him to access. Rodriguez, 628 F.3d at 1263. In doing so, the Eleventh Circuit observed that "there was no dispute that Brekka had been authorized to obtain the documents or to send the emails [containing confidential information to his personal email account] while he was employed." Id. (citing Brekka, 581 F.3d at 1129). The court concluded that "Brekka is distinguishable because the Administration told Rodriguez that he was not authorized to obtain personal information for nonbusiness reasons." Rodriguez, 628 F.3d at 1263.

ERC's reliance on Rodriguez is misplaced because there are meaningful points of distinction between this case and Rodriguez. In Rodriguez, the SSA had well-advertised policies that were framed so as to govern not an employee's use or disclosure of information, but their very authorization to access information in the first instance. Rodriguez, 628 F.3d at 1260. The SSA explicitly conditioned an employee's authorization to access a particular person's information on the employee's need to do so for a business reason. Id. Thus, Rodriguez's very authorization to access an individual's social security file was limited by the employer, and it depended, from the outset, on whether he was doing so within the scope of assisting an individual. Section 1030(a) reached Rodriguez's conduct because, under the SSA's articulated policies, he had no authorization to access the victims' social security files. Indeed, the Rodriguez court emphasized the defendant's admission that "he did access things that were unauthorized." Id. at 1263. Rodriguez did not involve an employee who, like Frady, had broad authorization to access confidential information but did so on a few particular occasions for non-business purposes, and in doing so violated non-removal and non-disclosure policies. While ERC's policies limited the use and disclosure of information, unlike the SSA's policies they did not limit Frady's access to the confidential information she is alleged to have accessed.

The parties dispute whether this case is distinguishable from Rodriguez on the point that this is a civil matter, whereas Rodriguez was a criminal matter, or that this case involved a private computer, whereas Rodriguez involved a government computer. See Objections at 4-5; Response at 3-5. ERC is correct that these are not meaningful points of distinction. Indeed, the Supreme Court has instructed that where a statute has both criminal and civil applications, courts should interpret the statute the same in both contexts. Leocal v. Ashcroft, 543 U.S. 1, 11 n.8 (2004). Thus, the criminal-civil distinction is unhelpful. Moreover, the CFAA does not accord less protection to private computers than government computers. See 18 U.S.C. § 1030(a)(2)(A-C). Therefore, the Court declines to distinguish the instant case from Rodriguez on either of those points.

Conspicuously absent from Rodriguez is any reliance on Citrin, 440 F.3d 418, supra, the Seventh Circuit's seminal "exceeds authorized access" case, in which it embraced a broad, "agency-theory" interpretation of § 1030(e)(6). Moreover, the Eleventh Circuit does not appear to have embraced the theory that whether an employee "exceeds authorized access" turns on their subsequent use or misuse of the information. See Rodriguez, 628 F.3d at 1263. Rodriguez relied on the Fifth Circuit's decision in United States v. John, 597 F.3d 263, supra, to argue that because his use of the information was not criminal, he could not be convicted. In John, the Fifth Circuit upheld the conviction of a Citigroup employee for violating § 1030(a)(2)(A) by using customer information to incur fraudulent charges, even though she was authorized to use her employer's computers and view account information. John, 597 F.3d at 269. The Fifth Circuit held that "authorization" as used in the CFAA "may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system" if the use is in furtherance of a crime. Id. at 271-72 (internal quotation marks omitted) (emphasis in original). The Eleventh Circuit rejected Rodriguez's argument, based on John, as "erroneous." Rodriguez, 628 F.3d at 1263. The court explained that "[t]he problem with Rodriguez's argument is that his use of information is irrelevant if he obtained the information without authorization or as a result of exceeding authorized access." Id. (citing 18 U.S.C. § 1030(a)(2)(B)) (emphasis added).

At least two other district courts in the Eleventh Circuit have also found employee misappropriation-of-trade-secrets cases, like this one, distinguishable from Rodriguez. See AIRCO, 953 F.Supp.2d at 1297-98; Lee, 2011 WL 1742028, at *2. Two more post-Rodriguez decisions reached the same conclusion about the meaning of "exceeds authorized access" that the Court reaches today, but without acknowledging Rodriguez. See Maintenx Management, Inc. v. Lenkowski, 2015 WL 310543 (M.D. Fla. Jan. 26, 2015); Trademotion, 857 F.Supp.2d 1285 (M.D. Fla. 2012).
By contrast, another court found Rodriguez to be binding, and held that an employee may be held liable for exceeding authorized access under the CFAA for violating a nondisclosure agreement. Aquent, ___ F.Supp.3d ___, 2014 WL 5780293, at *45 (M.D. Fla. 2014). This Court respectfully disagrees with Aquent's conclusion that Rodriguez compels a finding that an employee "exceeds authorized access" under the CFAA by violating the employer's nondisclosure policies.

3. Applying the narrow definition

ERC admits that it provided Frady with access to its computer system and the confidential information in question. See e.g., Complaint at ¶¶ 23, 31, 61. ERC does not allege that Frady lacked authorization to access any of the specific items of proprietary information that she allegedly misappropriated. See id. at ¶¶ 10, 31, 84 (listing what ERC considered its proprietary information). Instead, ERC relies on its confidentiality and internet usage policies to bring Frady within the reach of the CFAA (and Rodriguez), arguing that access to its system was limited to "business purposes only." E.g., id. at ¶¶ 23, 84. That may have been ERC's intent, as it is likely the intent of any employer. The inescapable problem is that none of this changes the fact that ERC actually authorized Frady to access the precise confidential information and trade secrets at issue. The CFAA imposes liability on those who access data that they do not have permission to obtain or alter; it does not target those who misappropriate confidential information or trade secrets they were authorized to learn about, read, or otherwise obtain, or those who misappropriate computer files they were perfectly authorized to open, view, or otherwise access. "[B]ecause [ERC] permitted [Frady] to access the precise information at issue, [Frady] did not exceed authorized access. [Frady] fit[s] within the very group that Congress chose not to reach, i.e., those with access authorization." Lockheed Martin Corp. v. Speed, 2006 WL 2683058, at *4-5 (M.D. Fla. Aug. 1, 2006).

Although the Court concludes that the CFAA provides no cause of action for Frady's alleged misconduct, ERC is not left without a remedy. As evidenced by ERC's Complaint, various state statutory and common law causes of action are available to provide redress to employers damaged by an employee's misappropriation of confidential information or trade secrets. The CFAA, however, is not the proper vehicle through which to seek such redress.

B. Whether Akley and Stellar may be liable for violating the CFAA

ERC also contends that Stellar and its COO, Liza Akley, are liable for violating the CFAA because Akley allegedly directed Frady to access and misappropriate ERC's proprietary information. See Complaint at ¶¶ 87-91. Akley and Stellar argue that they cannot be held liable for Frady's actions because ERC did not adequately plead whether it was pursuing a theory of direct liability or vicarious liability against them, and in any event that the CFAA does not provide for indirect liability. See Akley Stellar Motion to Dismiss at 8-12. Preliminarily, the Court notes that because the Court has concluded that Frady herself did not violate the CFAA, Stellar and Akley, cannot be vicariously liable for her actions.

In the Report, the magistrate judge understandably concluded that Stellar and Akley could be held vicariously liable, assuming that ERC sufficiently pled that Frady violated the CFAA. Report at 13-15. The Court does not necessarily disagree with the proposition that a third party could be held vicariously liable for directing a person to exceed authorized access to a protected computer. However, because the Court concludes that Frady herself did not exceed authorized access under the CFAA, it also concludes that Stellar and Akley are not vicariously liable for her actions.
--------

In the alternative, ERC appears to contend that Stellar and Akley themselves violated the CFAA because it is undisputed that Stellar and Akley did not have permission to access ERC's computers or confidential information. However, this claim also fails. Neither Stellar nor Akley are alleged to have accessed ERC's computers or exceeded their authorized access to ERC's computers. Rather, ERC alleges that they caused Frady to do so. Notably, none of the forms of conduct listed in § 1030(a)(1-7) suggests that a person who does not access a plaintiff's computer, and who does not access any information on the plaintiff's computer, commits the offense. Moreover, the statute appears to create only a limited private right of action "against the violator," i.e., the person who violates the statute with the requisite criminal intent. 18 U.S.C. § 1030(g); see also AIRCO, 953 F.Supp.2d at 1297 ("Clearly, the CFAA requires that the individual actually access the information, not merely receive it from a third party."). Because Stellar and Akley themselves did not access ERC's computers or any information therein, the Court is disinclined to read the CFAA so broadly as to find that Stellar and Akley directly violated the statute. Nevertheless, the Court need not determine whether absent a finding of vicarious liability the CFAA would ever reach a person other than the specific individual who accessed a computer without authorization, or exceeded authorized access, because the Court is convinced that the facts alleged here would support no such liability. Stellar and Akley are alleged to have caused Frady to take actions, which may well be tortious and may well violate other laws. However, the Court has determined that Frady's actions do not violate the CFAA. Stellar and Akley then cannot be held directly liable under the CFAA for causing a person to act in a manner that itself does not violate the CFAA.

In consideration of the foregoing, the Court determines that ERC's CFAA claim is due to be dismissed. The Court cautions, however, that the dismissal of ERC's claim should not be viewed as condoning the actions in which the Defendants are alleged to have engaged. Rather, the Court simply determines that whatever legal remedy there may be for those actions, it is not found in the CFAA.

C. The Court declines to exercise supplemental jurisdiction

In its Complaint, ERC alleged two claims arising under federal law, both of which are due to be dismissed. Counts I, II, IV, VI, VII, and VIII of the Complaint present claims for relief arising exclusively under state law. See Complaint at 11-13, 16-19, 22-27. Thus, the Court next considers whether to continue to exercise supplemental jurisdiction over ERC's state law claims. "The decision to exercise supplemental jurisdiction over pend[e]nt state claims rests within the discretion of the district court." Raney v. Allstate Ins. Co., 370 F.3d 1086, 1088-89 (11th Cir. 2004). Pursuant to 28 U.S.C. § 1376(c), the Court may decline to exercise jurisdiction over a state claim if:

(1) the claim raises a novel or complex issue of State law:


(2) the claim substantially predominates over the claim or claims over which the district court has original jurisdiction;


(3) the district court has dismissed all claims over which it has original jurisdiction, or
(4) in exceptional circumstances, there are other compelling reasons for declining jurisdiction.
28 U.S.C. § 1367(c). Notably, "[a]ny one of the section 1367(c) factors is sufficient to give the district court discretion to dismiss a case's supplemental state law claims. Parker v. Scrap Metal Processors, Inc., 468 F.3d 733, 743 (11th Cir. 2006). However, upon determining that it has the discretion under § 1367(c) to decline jurisdiction, "[a district court] should consider the traditional rationales for pendent jurisdiction, including judicial economy and convenience in deciding whether or not to exercise that jurisdiction." Palmer v. Hosp. Auth. of Randolph Cnty., 22 F.3d 1559, 1569 (11th Cir. 1994). Upon due consideration, the Court finds that judicial economy and convenience would not be served by retaining jurisdiction over the Plaintiff's state law claims. Thus, the Court declines to exercise its supplemental jurisdiction over these claims.

For the reasons set forth above, the Court has determined that each of the federal claims in Counts III and V of the Complaint, over which ERC contends that the Court has federal question jurisdiction, is due to be dismissed. What remains are uniquely state law claims that are best addressed by the state courts. Moreover, the procedural posture of this case weighs in favor of declining jurisdiction in order to allow the case to proceed fully in state court. Indeed, where, as here, the federal claims are dismissed prior to trial, the Eleventh Circuit has "encouraged district courts to dismiss any remaining state claims." Raney, 370 F.3d at 1089; see also Carnegie-Mellon Univ. v. Cohill, 484 U.S. 343, 350 n.7 (1988) ("[I]n the usual case in which all federal-law claims are eliminated before trial, the balance of factors to be considered under the pendent jurisdiction doctrine - judicial economy, convenience, fairness, and comity - will point toward declining to exercise jurisdiction over the remaining state-law claims.").

Upon consideration of the § 1367(c) factors and the "traditional rationales for pendent jurisdiction, including judicial economy and convenience," see Palmer, 22 F.3d at 1569, the Court declines to exercise supplemental jurisdiction over the remaining state law claims alleged in the Complaint. Accordingly, Counts I, II, IV, VI, VII, and VIII of the Complaint are due to be dismissed without prejudice to refiling in the appropriate state court.

Upon due consideration, it is hereby

ORDERED:

1. Defendants' Joint Objections to Doc. 89, Magistrate's Report and Recommendations and Alternative Motion for Certification of Interlocutory Appeal Pursuant to 28 U.S.C. § 1292(b) on Controlling Question of Law as to CFAA and SCA Interpretation (Doc. 91) is sustained as to Plaintiff Enhanced Recovery Company's claim under the CFAA.


2. The Report and Recommendation (Doc. 89) is ADOPTED as the opinion of the Court with respect to the resolution of Plaintiff Enhanced Recovery Company's claim in Count III that Frady violated the Stored Communications Act. In all other respects, the Court declines to adopt the Report and Recommendation.


3. Defendant Frady's Motion to Dismiss (Doc. 58), and Defendants Liza Akley's and Stellar Recovery, Inc.'s Motion to Dismiss (Doc. 66), are GRANTED IN PART, and DENIED IN PART.


a. The Motions are GRANTED to the extent that Counts III and V of Plaintiff Enhanced Recovery Company's Third Amended Complaint (Doc. 55) are DISMISSED for failure to state a claim upon which relief can be granted.
b. Defendants' Motions (Doc. 58; Doc. 66) are further GRANTED to the extent that the Court declines to exercise jurisdiction over Plaintiff Enhanced Recovery Company's state law claims. Thus, Counts I, II, IV, VI, VII, and VIII are DISMISSED WITHOUT PREJUDICE.


c. In all other respects, the Motions are DENIED as MOOT.


4. The Clerk of the Court is directed to terminate all pending motions and close the file.

DONE AND ORDERED in Jacksonville, Florida, this 31st day of March, 2015.

/s/_________

MARCIA MORALES HOWARD

United States District Judge
Lc 19
Copies to:
Counsel of record


Summaries of

Enhanced Recovery Co. v. Frady

UNITED STATES DISTRICT COURT MIDDLE DISTRICT OF FLORIDA JACKSONVILLE DIVISION
Mar 31, 2015
Case No.: 3:13-cv-1262-J-34JBT (M.D. Fla. Mar. 31, 2015)

adopting narrow approach " ‘so that Congress will not unintentionally turn ordinary citizens into criminals.’ " (citing Nosal , 676 F.3d at 863 )

Summary of this case from AlixPartners, LLP v. Benichou
Case details for

Enhanced Recovery Co. v. Frady

Case Details

Full title:ENHANCED RECOVERY COMPANY, LLC, a Delaware limited liability company…

Court:UNITED STATES DISTRICT COURT MIDDLE DISTRICT OF FLORIDA JACKSONVILLE DIVISION

Date published: Mar 31, 2015

Citations

Case No.: 3:13-cv-1262-J-34JBT (M.D. Fla. Mar. 31, 2015)

Citing Cases

Sunil Gupta, M.D., LLC v. Franklin

The Court has reviewed the cases submitted by both parties, and Defendants are correct that several district…

M3 Accounting Servs., Inc. v. Dean

This is because, while Rodriguez concerned the definition of "exceeds authorized access" for a criminal…