Opinion
CIVIL 1:20-CV-01577
06-24-2022
OSI SYSTEMS, INC., Plaintiff, v. KM-LOGIX, LLC, MAROS KMEC, LINDA KMEC, and ALIONA BEJENUTA Defendants.
MEMORANDUM OPINION
CLAUDE M. HILTON UNITED STATES DISTRICT JUDGE
THIS MATTER comes before the Court on Plaintiff OSI's Motion for Summary Judgment on Counterclaimant KM-Logix's three remaining causes of action pursuant to Federal Rule of Civil Procedure 56(a).
Plaintiff, OSI Systems, Inc. originally brought this federal trade secrets case against KM-Logix, LLC, Maros Kmec, Linda Kmec, and Aliona Bejenuta alleging Defendants misappropriated trade secrets to create a copycat website of OSI's in-house analytics tool. Counterclaimant KM-Logix filed counterclaims against OSI. This Court entered an order on October 1, 2021, granting summary judgment to Defendants and dismissing the entire case. Defendant KM-Logix filed a Motion to Amend the Judgment and voluntarily dismiss certain counterclaims on January 3, 2021. This Motion voluntarily dismissed five of the remaining counterclaims and asked the Court to proceed on the basis of three remaining counterclaims-Count I (Violation of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030), Count V (Breach of Contract), and VI (Trespass to Chattels). This Court granted the motion and reinstated the case on the trial docket as to KM-Logix's remaining Counterclaims on February 8, 2022. OSI filed a Motion for Summary Judgment on April 21, 2022 and Defendant KM-Logix responded in opposition.
The counterclaims arise from OSI employees visiting FARclause.com, KM-Logix's website for tracking compliance with the Federal Acquisition Regulations. FARclause.com includes premium areas that are accessible to registered users who also pay a subscription fee; as well as administrative pages that only KM-Logix and its developers can access. There is no evidence that any OSI employee ever accessed the premium areas or administrative pages of FARclause.com. Several OSI employees viewed the public areas of FARclause.com which are not password protected, do not require user registration, and do not require reading or assenting to any Terms of Use. In addition, two OSI employees created free user accounts with FARclause.com after receiving approval from KM-Logix. By creating an account with FARclause.com, the two employees were able to navigate portions of the website not publicly available. KM-Logix claims OSI violated the CFAA by obtaining these accounts through fraudulent means because OSI employee Christopher Cook created a user account with FARclause.com using the name "Chraul Net" and the email address chraulnet@gmail.com instead of creating an account with his own name. Once KM-Logix discovered that OSI employees were accessing FARclause.com, KM-Logix revoked access and sent a cease-and desist-letter to OSI. No OSI employee visited FARclause.com after receiving this letter.
Second, KM-Logix brings a claim against OSI for trespass to chattels under Virginia law alleging OSI intruded on FARclause.com. The final remaining counterclaim is for breach of contract under New York law alleging OSI violated FARclause.com's Terms of Use for registered users by creating an account under a false name. KM-Logix bases the damages for its counterclaims on the incurred loss related to OSI's alleged incursions. KM-Logix claims it incurred substantial costs to reconfigure FARclause.com to prevent similar trespasses. The Court finds there are no material facts in dispute and that this case is ripe for summary judgment.
The Terms of Use on which KM-Logix premises its counterclaim for breach of contract provides it "shall be governed by the laws of the State of New York without giving effect to any principles of conflicts of law."
Under Federal Rule of Civil Procedure 56, a court should grant summary judgment if the pleadings and evidence show that there is no genuine dispute as to any material fact and that the moving party is entitled to judgment as a matter of law. Fed. R. Civ. P.56(c); see Celotex Corp. v. Catrett, 411 U.S. 317, 322 (1986). In reviewing a motion for summary judgment, the court views the facts in the light most favorable to the non-moving party. See Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 255 (1986). Once a motion for summary judgment is properly made, the opposing party has the burden to show that a genuine dispute of material fact exists. See Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 586-87 (1986).
KM-Logix presented no evidence to establish a CFAA violation. To obtain relief under the CFAA, the claimant must show the defendant accessed the complainant's computer system (e.g. files, folder, or databases) or portions thereof that were unauthorized to the defendant. See Van Buren v. United States, 141 S.Ct. 1648 (2021). Courts employ a "gates-up-gates-down" inquiry for CFAA claims focusing on whether the "gates" of the computer system were open such that the defendant was permitted access, or whether the "gates" were closed such that the defendant was not. Id. The CFAA also protects against those who access the computer system with permission but then "exceed the parameters of authorized access by entering an area of the computer to which that authorization does not extend." Id. at 1658.
Applying the Van Buren "gates-up-or-gates-down" inquiry, there is no evidence OSI accessed FARclause.com without authorization. First, the publicly available portions of FARclause.com were open to OSI employees. Since this portion is open to the public, the CFAA's concept of "without authorization" does not apply to these portions. Second, KM-Logix explicitly authorized the two OSI employee's access to the registration-only portion of FARclause.com. Third, no one from OSI accessed any portion of FARclause.com after KM-Logix rescinded OSI's access through a cease-and-desist letter. Finally, no OSI employees accessed any of the premium or administrative areas of OSI where access was never authorized.
KM-Logix claims OSI violated the CFAA because it received authorization in violation of its Terms of Use by Cook creating an account not under his name. However, this argument fails because the CFAA does not provide a remedy for violation of a use policy where the access is authorized. See WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 203 (4th Cir. 2012). The CFAA is intended to target hackers, not those who access the website with authorization "in bad faith, or who disregard a use policy." Id. at 207. Thus, whether Cook violated the Terms of Use in the registration process is irrelevant to whether OSI violated the CFAA. The only inquiry that matters is whether Cook's access was authorized. Cook's registration was approved by KM-Logix and he did not access any unauthorized content.
There is also no evidence OSI exceeded authorized access to FARclause.com. A cause of action under the "exceeds authorized access" clause "applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have." Van Buren, 141 S.Ct. at 1653. No OSI employee accessed any of the unauthorized areas of FARclause.com. The two employees who received further access by registering stayed within the scope of their authorization, so OSI employees never exceeded their authorized access.
KM-Logix claims that OSI exceeded authorization based on improper use of what OSI learned from accessing FARclause.com, but this is not sufficient to meet the CFAA's burden of proof. Improper purpose alone is not sufficient to bring an "exceeds authorized access" claim under the CFAA. Van Buren, 141 S.Ct. at 1654-55. Therefore, there is no genuine dispute as to any material fact on KM-Logix's CFAA claim under the "without authorization" or "exceeds authorized access" clauses.
KM-Logix also failed to demonstrate it met the CFAA's jurisdictional requirement for losses from the alleged CFAA violation. The CFAA requires that a plaintiff demonstrate a qualifying loss of more than $5,000, that the costs are reasonable, and that the loss was caused by a CFAA violation. 18 U.S.C. § 1030(e)(11); see also A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646(4th Cir. 2009). KM-Logix argues it spent approximately $17,080 reconfiguring FARclause.com as a direct consequence of OSI's alleged intrusion into FARclause.com. Yet, evidence of payment alone is insufficient to establish that any purported damages were necessary or related to a CFAA violation. See Glob. Pol'y Partners, LLC v. Yessin, 686 F.Supp.2d 642, 647-48 (E.D. Va. 2010). KM-Logix's claim lacks evidence that the reconfiguration was reasonable or necessitated by the actions of OSI or any CFAA violation. Even if KM-Logix needed to reconfigure its website, KM-Logix still would not meet the CFAA qualifying loss standard because the loss is not connected to a CFAA violation as OSI did not violate the CFAA. KM-Logix also asserts litigation expenses in its losses, but litigation costs are not recoverable under the CFAA.
KM-Logix's trespass to chattels claim also fails. Trespass to chattels occurs "when one party intentionally uses or intermeddles with personal property in rightful possession of another without authorization." Am. Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 451-52 (E.D. Va. 1998). Liability is created "if the chattel is impaired as to its condition, quality, or value." Id. (citing Restatement (Second) of Torts § 218(b)). When the chattel at issue is a website, for there to be trespass, the defendant's use must be without authorization. Id. at 451. KM-Logix's trespass to chattels claim fails to access the same reasons its CFAA claim fails, OSI's access to FARclause.com was authorized by KM-Logix. The OSI employees who accessed FARclause.com were implicitly authorized for the public portions of the website or explicitly authorized by registering to FARclause.com. OSI also did not access FARclause.com once KM-Logix revoked the authorization.
The trespass to chattels claim also fails because KM-Logix did not show how the chattel, FARclause.com, was impaired or damaged by OSI as to its value, condition, or quality. Trespass to chattels in the digital context requires that the "materials that were taken by the defendants were damaged or diminished in value." Securelnfo Corp. v. Telos Corp., 387 F.Supp.2d 593, 621 (E.D. Va. 2005) . KM-Logix has no evidence demonstrating that OSI deprived KM-Logix of a possessory interest in FARclause.com, took any materials or data therein, or that OSI damaged the website itself. KM-Logix alleges damage to FARclause.com based on OSI allegedly copying features for its own website. Yet, merely copying information from a website is insufficient to state a claim for trespass to chattels. See Securelnfo, 387 F.Supp.2d at 621. There is no evidence that any copying changed the value of FARclause.com. Thus, KM-Logix has not suffered any damages caused by OSI for a trespass to chattels claim.
Finally, KM-Logix's breach of contract claim fails because it cannot prove damages, as required under applicable New York law. See Legum v. Russo, 102 N.Y.S. 3d 705, 706 (N.Y.App.Div. 2019). KM-Logix's theory for damages rests on the costs of reconfiguring FARclause.com. However, the damages alleged are entirely speculative and without evidence connecting the damages with OSI's purported breach of the Terms of Use. KM-Logix claims it had to spend eight months redesigning the premium pages to prevent any future intrusions. However, OSI's interaction with FARclause.com could not have necessitated redesigning premium pages when OSI never accessed any of the premium portions of FARclause.com, much less caused any damages to the premium portions. KM-Logix also claims it had to spend two months investigating OSI's "bogus account" with FARclause.com. Yet, there is no evidence regarding why Cook's registration of an account without his name required a two-month investigation or required modification of FARclause.com. It appears all the changes KM-Logix made to FARclause.com were made voluntarily and have not been shown to result from OSI's alleged breach.
KM-Logix also premises its breach of contract damages on an alleged loss of traffic and loss of subscribers to FARclause.com. KM-Logix has not proffered evidence to support any decline in website traffic or subscribers that is connected to OSI's conduct. For instance, KM-Logix failed to offer any evidence regarding the number of visitors to FARclause.com prior to OSI visiting FARclause.com in comparison with evidence regarding number of visitors following OSI's visit. KM-Logix also failed to show how OSI's conduct impacted revenue derived from FARclause.com's subscribers. Even if KM-Logix could demonstrate a loss of web traffic, subscribers, or revenue, and that there was evidence attributing those declines to OSI's alleged actions, any such consequential damages would be compensable "only if it is determined that the special circumstances were within the contemplation of the parties to the contract." See Carnell Constr. Corp. v. Danville Redevelopment & Hous. Auth., 745 F.3d 703, 725 (4th Cir. 2014). As it was not reasonably foreseeable that KM-Logix would need to reconfigure its website when Cook agreed to KM-Logix's Terms of Use upon registering an account, KM-Logix cannot prove consequential damages. KM-Logix's breach of contract claim thus does not survive summary judgment.
For the foregoing reasons, this Court finds OSI's Motion for Summary Judgment on the all three remaining counterclaims should be granted.