Opinion
CIVIL 4:21-CV-147-SDJ
06-07-2024
MEMORANDUM OPINION AND ORDER
SEAN D. JORDAN UNITED STATES DISTRICT JUDGE
Before the Court is Defendant Kim Sheets-Sheffield's Amended Motion for Summary Judgment Against Providence Title Company. (Dkt. #219). Sheets-Sheffield argues that she is entitled to summary judgment on all of Providence's claims against her, as well as her counterclaims against Providence. In this order, the Court will only consider Sheets-Sheffield's counterclaims premised on federal law, specifically the Stored Communications Act (“SCA”), 18 U.S.C. § 2701, et seq., and the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, et seq. For the following reasons, the Court concludes that those counterclaims fail as a matter of law.
I. Background
The factual background of this case is detailed in the Court's order on Defendants' motions for summary judgment premised on Providence's federal Defend Trade Secrets Act (“DTSA”) claim, and the Court will only briefly summarize it here. (Dkt. #372). Plaintiff Providence and Defendant Truly Title Inc. are competitors in the Texas title insurance market. In April 2019, Truly and Providence commenced negotiating Truly's potential acquisition of Providence. However, the parties were unable to agree to terms and negotiations ceased in November 2019.
Shortly after the breakdown in the parties' negotiations, several Providence employees left Providence to join Truly, including Defendants Tracie Fleming, Mark Fleming, and Kim Sheets-Sheffield-who was a team lead at Providence. Providence alleged that these Defendants, along with Defendants Truly and Graham Hanks- Truly's President of Texas Operations-misappropriated its trade secrets in violation of the DTSA and the Texas Uniform Trade Secrets Act (“TUTSA”), breached numerous duties owed to Providence, and committed several torts. As to Sheets-Sheffield specifically, Providence brought claims for violations of the DTSA, TUTSA, breach of fiduciary duties, knowing participation, tortious interference with prospective contractual and customer relationships, and civil conspiracy. Sheets-Sheffield moves for summary judgment on all of these claims, as well as her counterclaims for Providence's alleged violations of the SCA, the CFAA, and the Texas Harmful Access by Computer Act (“THACA”), TEX. CIV. PRAC. & REM. CODE § 143.001.
The Court granted Sheets-Sheffield's motion for summary judgment as to Providence's DTSA claim, and it denied summary judgment as to her counterclaim for attorney's fees under the DTSA. (Dkt. #372).
Relevant to her SCA and CFAA claims, Sheets-Sheffield has shown that after she left Providence to join Truly, Providence's Chief Financial Officer, Daniel Foster Jr., accessed her Gmail and LinkedIn accounts via the laptop Providence had provided to Sheets-Sheffield during her employment. Sheets-Sheffield was still logged in to these accounts when she returned the laptop to Providence, which allowed Foster Jr. to easily access and view the emails on her Gmail account, as well as her LinkedIn messages. Providence contends that its review of Sheets-Sheffield's accounts was limited to searching for Providence's information that it believed Sheets-Sheffield had wrongfully shared with Truly. Sheets-Sheffield contests Providence's assertion, arguing that Foster Jr. examined her personal files, including family photos and financial information.
Sheets-Sheffield alleges that Providence's actions (through Foster Jr.) violated both the SCA and the CFAA. In a previous Memorandum Opinion and Order, the Court indicated its doubt that Sheets-Sheffield had viable claims under either statute, and it ordered the parties to file supplemental briefing explaining why the Court should not issue judgment in favor of Providence pursuant to Rule 56(f) and/or Rule 12(b)(6). (Dkt. #373). Having reviewed the parties' supplemental briefs and the evidence submitted with such filings, the Court now considers whether Sheets-Sheffield is entitled to summary judgment on her federal counterclaims, or whether those counterclaims should be dismissed.
II. Legal Standard
Under Rule 56(f), a district court may grant summary judgment sua sponte “[a]fter giving notice and a reasonable time to respond.” In re Deepwater Horizon, 2021 WL 3501651, at *2 (5th Cir. 2021) (quoting FED. R. CIV. P. 56(f)). Summary judgment is appropriate only when “there is no genuine dispute as to any material fact” and the record supports judgment as a matter of law on the claims at issue. See Shepherd ex rel. Est. of Shepherd v. City of Shreveport, 920 F.3d 278, 282-83 (5th Cir. 2019) (quoting FED. R. CIV. P. 56(a)). Because Federal Rule of Civil Procedure 56 requires that there be no “genuine issue of material fact” to grant summary judgment, “the mere existence of some alleged factual dispute” is insufficient to defeat” summary judgment. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 247-48, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986) (first emphasis omitted). A fact is “material” when, under the relevant substantive law, its resolution might govern the outcome of the suit. Id. at 248. “An issue is ‘genuine' if the evidence is sufficient for a reasonable jury to return a verdict for the [party contesting summary judgment].” Hamilton v. Segue Software Inc., 232 F.3d 473, 476 (5th Cir. 2000) (citing Anderson, 477 U.S. at 248).
Courts consider the evidence in the light most favorable to the party contesting summary judgment, but that party “may not rely on mere allegations in the pleading; rather, the [party contesting summary judgment] must respond . . . by setting forth particular facts indicating that there is a genuine issue for trial.” Int'l Ass'n of Machinists & Aerospace Workers v. Compania Mexicana de Aviacion, S.A. de C.V., 199 F.3d 796, 798 (5th Cir. 2000). If, when considering the entire record, no rational jury could find for the party contesting summary judgment, then summary judgment is warranted. Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587, 106 S.Ct. 1348, 89 L.Ed.2d 538 (1986).
III. Discussion
Sheets-Sheffield argues that Providence, through Foster Jr., violated both the SCA and the CFAA by accessing her Gmail and LinkedIn accounts without her permission. Because both counterclaims fail as a matter of law, they will be dismissed.
A. Sheets-Sheffield's SCA Claim Fails Because the Electronic Communications Were Not in Electronic Storage.
“The SCA prohibits unauthorized access to wire and electronic communications in temporary and back-up storage and provides in relevant part:
[W]hoever
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished . . .”Garcia v. City of Laredo, 702 F.3d 788, 791 (5th Cir. 2012) (quoting 18 U.S.C. § 2701(a)). Thus, to establish liability under the SCA, a plaintiff must show that the defendant (1) “gained unauthorized access to a facility through which electronic communication services are provided (or the access must have exceeded the scope of authority given)” and that it thereby (2) “accessed electronic communications while in storage.” Id. Section 2707(a) grants a private right of action for “any . . . person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind ....”
“Electronic communication service” means “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15) (incorporated by reference in 18 U.S.C. § 2711(1) of the SCA). “Electronic Storage” means “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” 18 U.S.C. § 2510(17).
Sheets-Sheffield argues that the relevant facilities are Gmail's and LinkedIn's servers, and that the communications found therein were in electronic storage. Even assuming arguendo that Sheets-Sheffield is correct that those servers are the relevant facilities, she failed to show that any of her emails or LinkedIn messages were in electronic storage.
First, as Sheets-Sheffield acknowledges, whether her emails fall within the first definition of “electronic storage” turns on whether they were unopened. (Dkt. #376 at 6); see also Cruz Lopez v. Pena, No. 2-12-CV-165, 2013 WL 819373, at *4 (N.D. Tex. Mar. 5, 2013) (“[W]hether an email has been retrieved or opened by the addressee (not whether it has made its way to an inbox) is the widely-recognized determinant of when it is no longer in ‘intermediate storage . . . incidental to the electronic transmission thereof.'”); see also Garcia, 702 F.3d at 793 (explaining that “information . . . stored temporarily pending delivery” would be protected (emphasis added)).
Here, Sheets-Sheffield has presented no evidence that any email was unopened. Instead, she argues that “there would have necessarily been many unopened emails in her account at the times Providence hacked it” because she “was having technical difficulties and could not access her Gmail account for weeks.” (Dkt. #376 at 6). But this assertion amounts to mere speculation, which is insufficient to support her claim at the summary judgment stage. See Brown v. City of Hous., 337 F.3d 539, 541 (5th Cir. 2003) (“Unsubstantiated assertions, improbable inferences, and unsupported speculation are not sufficient to defeat a motion for summary judgment.”).
Faced with this lack of evidence, Sheets-Sheffield urges the Court to find that the second definition of “electronic storage” applies, arguing that “the law is not settled on whether opened emails stored online . . . are in backup storage.” (Dkt. #380 at 2). Although there is no binding precedent on this issue, this Court agrees with the “clear majority of courts [that] have held that emails opened by the intended recipient (but kept on a web-based server like Gmail) do not meet the second definition of ‘electronic storage' either.” Sartori v. Schrodt, 424 F.Supp.3d 1121, 1132 (N.D. Fla. 2019) (collecting cases). As Professor Orin Kerr explained in his leading article on the SCA,
The traditional understanding has been that a copy of opened e-mail sitting on a server is protected by the [remote computing service] rules, not the [electronic communication service] rules. The thinking is that when an e-mail customer leaves a copy of an already-accessed e-mail stored on a server, that copy is no longer “incident to transmission” nor a backup copy of a file that is incident to transmission: rather, it is just in remote storage like any other file held by a[] [remote computing service].
A remote computing service is another type of provider that is contemplated in a different provision of the SCA. But Sheets-Sheffield's claim is premised on her communications being stored by an electronic communication service-not a remote computing service.
Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 GEO. WASH. L. REV. 1208, 1216 (2004) (footnotes omitted); see also id. (explaining that an ISP storing an opened, undeleted e-mail is a “provider of [remote computing service] (and not [electronic communication service]) with respect to that copy of the email”).
And when a “remote computing service [is] the only place a user stores his messages . . ., the messages are not stored for backup purposes.” Theofel v. Farey-Jones, 359 F.3d 1066, 1070 (9th Cir. 2004). Here, there is no evidence that any email was unopened, and it is undisputed that all of the emails were stored on Gmail's webbased server. Therefore, the emails were not in temporary, intermediate storage incidental to transmission, nor were they stored for backup protection. Thus, they were not in electronic storage for purposes of the SCA.
Second, for the same reasons described above, Sheets-Sheffield also failed to show that her LinkedIn messages were in electronic storage. At the outset, Sheets-Sheffield does not argue-let alone provide any evidence-that any message was unopened. Instead, she argues that all of the LinkedIn messages have been stored for backup protection-and thus fall within the second definition of electronic storage- because LinkedIn stores messages indefinitely. (Dkt. #376 at 6). However, the Court fails to see any distinction between opened emails stored on Gmail's server and opened messages stored on LinkedIn's server. Both Gmail and LinkedIn are webbased servers, and, as explained above, simply leaving an opened message on such a server does not convert that message into a message stored for backup purposes. See Kerr, supra, at 1216; see also Jennings v. Jennings, 736 S.E.2d 242, 245 (S.C. 2012) (holding that the ordinary use of the word “backup” “necessarily presupposes the existence of another copy to which [the] e-mail would serve as a substitute or support,” and that merely “retaining an opened email [does not] constitute[] storing it for backup protection”).
Just as with her emails, the only place Sheets-Sheffield stored her LinkedIn messages was on LinkedIn's server-there were no copies. The same logic that applies to an opened, undeleted email applies equally to an opened, undeleted LinkedIn message, since both are merely communications found on web-based servers. As explained above, the “SCA doesn't reach and protect undeleted [communications] that have already been delivered and opened by the intended recipient,” even when those communications remain on the server. Sartori, 424 F.Supp.3d at 1134. Therefore, the LinkedIn messages were not in electronic storage.
In sum, Sheets-Sheffield has failed to show that there is any genuine issue of material fact that Providence “obtaine[ed], alter[ed], or prevent[ed] authorized access to” her emails or LinkedIn messages while they were in electronic storage. 18 U.S.C. § 2701(a). Therefore, her SCA claim fails, and the Court finds that summary judgment under Rule 56(f) should be entered in favor of Providence. See FED. R. CIV. P. 56(f).
B. Sheets-Sheffield Failed to Show that She Has a Claim Under the CFAA.
“The CFAA criminalizes various fraudulent or damaging activities related to the use of computers.” Fiber Sys. Int'l v. Roehrs, 470 F.3d 1150, 1156 (5th Cir. 2006). Section 1030(g) provides a civil cause of action for “[a]ny person who suffers damage or loss by reason of a violation of” the CFAA, but “only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).” 18 U.S.C. § 1030(g). Those enumerated factors are as follows:
(I) loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety; [and]
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security[.]18 U.S.C. § 1030(c)(4)(A)(i)(I)-(V).
The Fifth Circuit has explained that Section 1030(g) does not limit civil actions to these five subclauses, but only requires that one of the enumerated factors in the subclauses be present in the civil action. Fiber Sys. Int'l, 470 F.3d at 1157. Here, only factor I plausibly applies. Thus, to succeed, Sheets-Sheffield must show that she suffered at least a $5,000 loss in a one-year period. “Loss” means “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11).
As the Supreme Court has explained,
The term “loss” . . . relates to costs caused by harm to computer data, programs, systems, or information services. The statutory definitions of “damage” and “loss” thus focus on technological harms-such as the corruption of files-of the type unauthorized users cause to computer systems and data. Limiting “damage” and “loss” in this way makes sense in a scheme “aimed at preventing the typical consequences of hacking.”Van Buren v. United States, 593 U.S. 374, 391-92, 141 S.Ct. 1648, 210 L.Ed.2d 26 (2021) (citation omitted) (quoting Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F.3d 756, 760 (6th Cir. 2020)). Lower courts generally agree that “qualifying losses include fees for forensic analysis of relevant computers and other electronic storage devices by outside analysts, as well as a plaintiff's internal investigation costs.” Centennial Bank v. Holmes, No. 5:23-CV-044, 2024 WL 733649, at *13 (N.D. Tex. Feb. 20, 2024) (cleaned up). However, attorney's fees and litigation costs aimed at prosecuting a CFAA claim-not at remedying damage to the technology-do not count towards the $5,000 threshold. See Turner W. Branch, P.A. v. Osborn, No. 1300110, 2014 WL 12593991, at *18 (D.N.M. Mar. 26, 2014) (“[Attorneys' fees and litigation costs incurred in investigating and prosecuting a CFAA claim are not a statutorily covered ‘loss.'”); see also, e.g., Welter v. Med. Pros. Mut. Ins. Co., No. 22-CV-11047, 2023 WL 2988627, at *10 (D. Mass. Feb. 23, 2023); Brooks v. AM Resorts, LLC, 954 F.Supp.2d 331, 338 (E.D. Pa. 2013); Del Monte Fresh Produce, N.A., Inc. v. Chiquita Brands Int'l Inc., 616 F.Supp.2d 805, 812 (N.D. Ill. 2009).
Sheets-Sheffield supplemented her Motion for Summary Judgment by providing evidence that she incurred the following costs: $587.67 to Digital Discovery/Cobra Legal Solutions for imaging of the laptop; $2,787.75 to Digital Works for expert forensic investigation of the laptop; and $4,880 to McDonald Sanders for legal services. However, even if the payments to Digital Discovery/Cobra Legal Solutions and Digital Works counted towards the loss requirement, Sheets-Sheffield still failed to show that she incurred $5,000 in losses because the payments to McDonald Sanders for legal services do not count.
Sheets-Sheffield contends that the payments to McDonald Sanders “were incurred directly in investigating the actual hacking of the computer (including discovery targeted at learning what Providence did) and whether any remedial measures were needed.” (Dkt. #376 at 8). But the invoices show that the fees were for her attorney preparing and attending depositions, corresponding with experts, and serving expert disclosures. (Dkt. #376-1). These actions were aimed at “prosecuting a CFAA action,” not “responding to the actual CFAA violation to place the plaintiff in their ex ante position.” NCMIC Fin. Corp. v. Artino, 638 F.Supp.2d 1042, 1065-66 (S.D. Iowa 2009). Sheets-Sheffield has not shown that any of these legal expenses were incurred to repair whatever harm there was to her accounts. Accordingly, the $4,880 in payments to McDonald Sanders do not count towards the $5,000 threshold. See id. At most, Sheets-Sheffield incurred $3,375.42 in CFAA losses, and thus she falls short of the $5,000 loss requirement.
Sheets-Sheffield also asserted that she suffered emotional damages from Providence's actions, but she failed to establish that these harms fit within the definition of “loss.” And, in any event, she failed to proffer any evidence demonstrating that these harms resulted in any monetary loss that could count towards the $5,000 threshold.
Under Rule 56(f), a district court may grant summary judgment sua sponte “[a]fter giving notice and a reasonable time to respond.” In re Deepwater Horizon, 2021 WL 3501651, at *2 (quoting FED. R. CIV. P. 56(f)). The Court has given Sheets-Sheffield notice and an opportunity to be heard. (Dkt. #373). Since Sheets-Sheffield failed to show that factor I is present here, and she does not suggest that another factor is present, she has failed to establish that she may bring a civil action under the CFAA. See 18 U.S.C. § 1030(g) (“A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors.”). Therefore, Sheets-Sheffield's CFAA claim must be dismissed.
IV. Conclusion
For the foregoing reasons, it is ORDERED that Kim Sheets-Sheffield's Amended Motion for Summary Judgment, (Dkt. #219), is DENIED in part. Specifically, it is DENIED with respect to Sheets-Sheffield's SCA and CFAA counterclaims, and those counterclaims are DISMISSED.
So ORDERED