Opinion
CIVIL ACTION NO. 15-2455
09-01-2016
MAGISTRATE JUDGE HORNSBY
MEMORANDUM RULING
Before the Court is a Motion for Partial Dismissal Pursuant to Rule 12(b)(6), filed by Defendants Donald McReynolds ("McReynolds") and ARKLATEX Wireline Service, LLC ("ArkLaTex"). Record Document 9. The motion asks the Court to either dismiss the Plaintiff's Computer Fraud and Abuse Act ("CFAA") claims pursuant to Federal Rule of Civil Procedure 12(b)(6) or require the Plaintiff to amend its complaint with a more definite statement pursuant to Rule 12(e). For the reasons announced below, the Court declines to dismiss the Plaintiff's CFAA claims but orders the Plaintiff to amend its complaint with a more definite statement concerning its claims under CFAA.
I. Allegations in the Complaint
Plaintiff Schlumberger Technology Corp. ("Schlumberger") alleges that McReynolds, while Schlumberger's employee, extracted confidential and proprietary data from Schlumberger computers for the benefit of Schlumberger's rival and McReynold's subsequent employer, ArkLaTex. Record Document 1. Based on this allegation, Schlumberger asserts claims under the CFAA, the Louisiana Unfair Trade Practices Act ("LUTPA"), and the common law duty of loyalty. Record Document 1.
According to the complaint, McReynolds was a Schlumberger employee working in Louisiana when the events that gave rise to this suit allegedly took place. As its employee, McReynolds allegedly owed Schlumberger "a fiduciary duty of loyalty to [Schlumberger] not to disclose to third persons without [Schlumberger's] prior written approval, on his own account or an account of others, [Schlumberger's] confidential and proprietary information that [McReynolds] accessed during the course of his employment with [Schlumberger]." Record Document 1, p. 3. Schlumberger alleges that while its headquarters are located in Texas, it provides services around the globe, including Louisiana. Record Document 1, p. 3.
The complaint alleges that at some point in the summer of 2015, McReynolds decided he would resign from Schlumberger and work for ArkLaTex. Before resigning from Schlumberger but after making the decision to change employers, McReynolds allegedly "accessed [Schlumberger's] company-issued computer and, without authorization and exceeding his authorized access, downloaded and removed confidential and proprietary electronic business records and/or information that was transferred to ArkLaTex and used by ArkLaTex." Record Document 1, p. 3. According to Schlumberger, McReynolds extracted information about its products, customer pricing information, customer quotes, and internal reports. Record Document 1, p. 4. Schlumberger further alleges that ArkLaTex "knowingly participated in McReynolds' violation of the Computer Fraud Abuse Act by either directly encouraging or ratifying his efforts to access and misappropriate [Schlumberger's] confidential and proprietary information for use by ArkLaTex in competing against [Schlumberger]." Record Document 1, p. 5-6.
Due to the conduct alleged above, Schlumberger has, according to the complaint, "incurred costs in excess of $5,000 . . . in responding to McReynolds' conduct, investigating McReynolds' conduct, conducting a damage assessment into McReynolds' conduct, and restoring the data or information to the same condition as prior to the offense." Record Document 1, p. 5.
II. Standards
To survive a challenge under Rule 12(b)(6), "a complaint must contain sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face.'" Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). Courts are required to accept the plaintiff's "well-pleaded" facts as true and construe the complaint in a light favorable to that plaintiff. In re Great Lakes Dredge & Dock Co., 624 F.3d 201, 210 (5th Cir. 2010) (citations omitted). Nonetheless, courts are not required to accept the veracity of legal conclusions framed as factual allegations. Iqbal, 556 U.S. at 678 (reasoning that under Rule 8, it is not sufficient to merely recite a cause of action's elements with supporting conclusory statements). Overall, determining when a complaint states a plausible claim is a context-specific task, requiring courts to rely on judicial experience and common sense to assess when a complaint crosses the line from conceivable to plausible. Id. at 678-80.
A claim is facially plausible when a plaintiff pleads factual content that permits the court to reasonably infer a defendant is liable for the alleged misconduct. Iqbal, 556 U.S. at 678-79. This plausibility standard is not a probability requirement, "but it asks for more than a sheer possibility that a defendant has acted unlawfully." Id. "Where a complaint pleads facts that are 'merely consistent with' a defendant's liability, it 'stops short of the line between possibility and plausibility of 'entitlement to relief.'" Id. (quoting Twombly, 550 U.S. at 557). On the other hand, as long as it raises a plausible right of recovery and puts the defendant on notice of the plaintiff's claim and the grounds upon which it rests, the complaint does not need to specify detailed factual allegations. See Twombly, 550 U.S. at 555.
Under Rule 12(e), "[a] party may move for a more definite statement of a pleading to which a responsive pleading is allowed but which is so vague or ambiguous that the party cannot reasonably prepare a response." Fed. R. Civ. P. 12(e). According to the Fifth Circuit, "If a complaint is ambiguous or does not contain sufficient information to allow a responsive pleading to be framed, the proper remedy is a motion for a more definite statement under Rule 12(e) F.R.C.P." In re McWilliams, 22 F.3d 1095 (5th Cir. 1994) (quoting Sisk v. Tex. Parks and Wildlife Dep't, 644 F.2d 1056, 1059 (5th Cir. Unit A 1981)).
III. Discussion
Although principally a criminal statute, the CFAA provides for civil liability where a person, inter alia:
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.18 U.S.C. § 1030(a)(4) (2012). To establish a civil claim under § 1030(a)(4), a plaintiff must prove the following five elements: (1) the defendant has accessed a protected computer; (2) the defendant has done so without authorization or by exceeding such authorization as was granted; (3) the defendant has done so knowingly and with intent to defraud; (4) in doing so the defendant has furthered the intended fraud and obtained anything of value; and (5) the plaintiff has incurred "loss . . . during any 1-year period . . . aggregating at least $5,000 in damages." See id. § 1030(a)(4), (c)(4)(A)(i)(I), (g); Associated Pump & Supply Co., LLC v. Dupre, No. CIV.A. 14-9, 2014 WL 1330196, at *5 (E.D. La. Apr. 3, 2014) (citing Bridal Expo, Inc. v. van Florestein, No. CIV.A. 4:08-CV-03777, 2009 WL 255862, at *8 (S.D. Tex. Feb. 3, 2009)). The Defendants argue that because the allegations made in Schlumberger's complaint are conclusory, it is not plausible that Schlumberger could prevail on the first, second, or fifth element of its CFAA claim against McReynolds. The Defendants also argue that even if the complaint states a plausible claim against McReynolds, Schlumberger's allegations concerning ArkLaTex are too vague to state a plausible CFAA claim against ArkLaTex under a theory of vicarious liability.
A. CFAA Claim Against McReynolds
i. Whether the Computer that McReynolds Accessed Is Protected
The computer that McReynolds allegedly accessed to take proprietary data from Schlumberger must be a "protected computer" as the CFAA defines that term. The CFAA defines a protected computer as "a computer . . . which is used in or affecting interstate or foreign commerce or communication." 18 U.S.C. § 1030(e)(2)(B). "Pleading specific facts that the defendant accessed a computer connected to the internet is sufficient to establish that the accessed computer was 'protected.'" Simmonds Equip., LLC v. GGR Int'l, Inc., 126 F. Supp. 3d 855, 863 (S.D. Tex. 2015) (citing Merritt Hawkins & Associates v. Gresham (Hawkins I), 948 F. Supp. 2d 671, 674 (N.D. Tex. 2013)). But even where a complaint fails to allege that the computer at issue is connected to the Internet, a court may reasonably infer that the computer was used in or affects interstate commerce from other specific facts alleged in the complaint. See Quantlab Techs. Ltd. (BVI) v. Godlevsky, 719 F. Supp. 2d 766, 775-76 (S.D. Tex. 2010). Specifically, courts have found they can reasonably infer a computer was used in interstate commerce where the complaint alleges that the plaintiff uses its computers to engage in global financial markets, id., sell products across state lines, Nordstrom Consulting, Inc. v. M & S Tech., Inc., No. 06 C 3234, 2008 WL 623660, at *12 (N.D. Ill. March 4, 2008), and communicate between offices across state lines, Modis, Inc. v. Bardelli, 531 F. Supp. 2d 314, 318-19 (D. Conn. 2008). Although Schlumberger has not alleged that the computer from which McReynolds allegedly extracted proprietary information was connected to the Internet, it has alleged that it does business across the globe and that McReynolds worked in Louisiana even though Schlumberger's headquarters are in Texas. These allegations create a reasonable inference that at the very least, McReynolds used his computer to communicate with offices in other states. Accordingly, the Court finds that Schlumberger has sufficiently plead the first element of its CFAA claim against McReynolds. See id.
ii. Whether McReynolds' Access Was without Authorization or Exceeded His Authorization
The complaint must plausibly show that McReynolds was either without authorization or exceeded his authorization when he allegedly downloaded proprietary data from Schlumberger. Schlumberger argues that even though McReynolds was authorized to access the data he allegedly extracted, he nevertheless exceeded his authorization because he used that data in ways that violated his fiduciary duty to Schlumberger. The Defendants counter that neither the CFAA nor caselaw interpreting the CFAA can accommodate this expansive theory of exceeding authorization. Under § 1030(e)(6), "exceeds authorized access" means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). The CFAA does not further define "authorized" or "authorization" as § 1030(e)(6) uses those terms. Since the Fifth Circuit's decision in United States v. John, 597 F.3d 263 (5th Cir. 2010), however, district courts in the Fifth Circuit have held that "a user exceeds his authorization if he knows or reasonably should know that he has exceeded the purposes for which he was granted access." Merritt Hawkins & Associates, LLC v. Gresham (Hawkins II), 79 F. Supp. 3d 625, 634 (N.D. Tex. 2015) (citing John, 597 F.3d at 271-73). District courts have further held that a user knows or should know that he exceeds the purposes for which he was granted access when he is aware or should be aware that he is subject to a policy or agreement that prohibits his disclosure of proprietary data without his employer's consent and he nonetheless divulges that proprietary data to others without consent. See Hawkins II, 79 F. Supp. 3d at 629, 634-35; Associated Pump, 2014 WL 1330196, at *1, *6 ("[T]he Fifth Circuit may recognize a CFAA claim . . . where there is a broad confidentiality agreement to delineate the parameters of authorized access."); Beta Tech., Inc. v. Meyers, No. CIV.A. H-13-1282, 2013 WL 5602930, at *1, *3 (S.D. Tex. Oct. 10, 2013) ("Like the defendant in John, Meyers's authorization to use Plaintiff's computer system and the data contained therein was circumscribed by company policy.").
The Defendants argue that Schlumberger's complaint fails to plead that McReynolds exceeded his authorization because it does not allege that he was subject to any type of nondisclosure policy or agreement. In response, Schlumberger argues that McReynolds' fiduciary duty to Schlumberger was sufficient to put him on notice that he exceeded the purposes for which he was granted access to his computer when he downloaded proprietary information from that computer in order to share it with Schlumberger's competitor. While Schlumberger's argument is appealing, the fact that the CFAA creates both civil and criminal liability prevents the Court from expanding the definition of exceeding authorization under the CFAA beyond the bounds set by its sister courts in the Fifth Circuit. Where a court is interpreting a statute that gives rise to criminal liability, it must apply "the canon of strict construction of criminal statutes, or rule of lenity." United States v. Lanier, 520 U.S. 259, 266 (1997). This limiting construction also comports with John, in which the Fifth Circuit was careful to distinguish the facts before it, which involved access to a computer for the purpose of perpetuating a criminal fraud, from the facts before the Ninth Circuit in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which involved access to a computer for the purpose of breaching a common law duty of loyalty. 597 F.3d at 272-73. In Brekka, the Ninth Circuit held that a user does not exceed his authorization under the CFAA when he is authorized to access a computer but uses that computer for purposes that breach his duty of loyalty to his employer. 581 F.3d at 1134-35. The Ninth Circuit reasoned that its narrow construction of the statute was justified because "ambiguity concerning the ambit of criminal statues should be resolved in favor of lenity." Id. at 1134. Faced with this holding, the Fifth Circuit in John concluded that there were "no such concerns in the present case" because a user has reason to know that he is not authorized to access data in furtherance of a crime. 597 F.3d at 273. Brekka and the Fifth Circuit's reading of Brekka in John caution this Court against deciding that users know or should know that they exceed their authorization when they use a computer in ways that breach their duty of loyalty to their employer. The Court therefore declines to hold that a user exceeds his authorization under the CFAA when he uses a computer in breach of his fiduciary duty to his employer.
The question remaining is whether the Court may reasonably infer from the allegation that McReynolds owed Schlumberger a fiduciary duty that there was a policy or agreement preventing McReynolds from sharing proprietary data with third parties without Schlumberger's consent. This allegation is by itself an insufficient basis for the Court to reasonably infer that there was such a policy or agreement. However, the remedy for this defect in Schlumberger's complaint is not dismissal under Rule 12(b)(6) but, as the Defendants ask, a more definite statement pursuant to Rule 12(e). The Court therefore orders Schlumberger to amend its complaint to provide more specificity on how McReynolds exceeded his authorization when he extracted data from Schlumberger, including whether McReynolds breached a nondisclosure agreement or policy to which he was subject during his employment with Schlumberger.
iii. Whether Schlumberger Suffered at Least $5,000 in Loss that is Cognizable under the CFAA
The complaint must allege "loss . . . during any 1-year period . . . aggregating at least $5,000 in damages." See 18 U.S.C. § 1030 (c)(4)(A)(i)(I), (g). The statute defines loss as: "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." Id. § 1030(e)(11). The Court finds that Schlumberger's complaint has pled loss. Schlumberger alleges that it has "incurred costs in excess of $5,000 . . . in responding to McReynolds' conduct, investigating McReynolds' conduct, conducting a damage assessment into McReynolds' conduct, and restoring the data or information to the same condition as prior to the offense." Record Document 1, p. 5. While it is true that these allegations match the definition of loss found in the CFAA, that is because the definition of loss under the CFAA is more detailed and fact-intensive than definitions discussed elsewhere in this opinion, not (necessarily) because Schlumberger has made conclusory allegations. Other courts have sustained similarly generic allegations of loss. See Beta Tech., 2013 WL 5602930, at *4 (holding that plaintiff pled loss under the CFAA when it alleged that it "incurred, and continues to incur, significant expenses in assessing and recovering the data deleted from the computer"). Schlumberger has therefore sufficiently pled loss under the CFAA.
The Defendants also argue that Schlumberger has failed to sufficiently allege that it has suffered "damage" under the CFAA. The CFAA creates a private right of action for any person who, inter alia, "suffers damage or loss by reason of a violation of this section." 18 U.S.C. § 1030(g). Because of the inclusion of "or" in this precondition for a private suit, Schlumberger need not show damages if it has instead demonstrated loss. Therefore, because Schlumberger has pled loss, it does not need to plead damages under the CFAA.
B. CFAA Claim Against ArkLaTex
The Defendants argue that Schlumberger's allegations against ArkLaTex are too conclusory to plead a claim of vicarious liability under the CFAA. Although the question of whether the CFAA permits vicarious liability is unsettled, even those courts adopting a more expansive interpretation of CFAA liability require the plaintiff to allege that the vicariously liable party has encouraged, directed, or otherwise affirmatively acted in support of the party directly violating the statute. See Butera & Andrews v. Int'l Bus. Machines Corp., 456 F. Supp. 2d 104, 112 n.6 (D.D.C. 2006). For instance, in Charles Schwab & Co. v. Carter, a district court held that where a plaintiff alleges that a defendant directed the plaintiff's employee to email proprietary information to that defendant, the plaintiff pleads a viable claim of vicarious liability under the CFAA because the defendant "affirmatively urged" the employee "to access [the plaintiff's] computer system beyond his authorization for [the defendant's] benefit." No. 04 C 7071, 2005 WL 2369815, at *3, *7 (N.D. Ill. Sept. 27, 2005). For its part, Schlumberger alleges that ArkLaTex is vicariously liable for McReynolds' acts because it "knowingly participated in McReynolds' violation of the Computer Fraud Abuse Act by either directly encouraging or ratifying his efforts to access and misappropriate [Schlumberger's] confidential and proprietary information for use by ArkLaTex in competing against [Schlumberger]." Record Document 1, p. 5-6.
The Court assumes without deciding that the CFAA permits vicarious liability. The Fifth Circuit has provided no guidance on whether a party can be vicariously liable under the CFAA. Some district courts have held that because the CFAA's private right of action is analogous to a tort action, Congress "legislated against a legal background of ordinary tort-related vicarious liability rules and consequently intends its legislation to incorporate those rules." QVC, Inc. v. Resultly, LLC, Civil Action No. 14-6714, 2016 WL 521197, at *8 (E.D. Pa. Feb. 10, 2016) (quoting Meyer v. Holley, 537 U.S. 280, 285 (2003)); see also Charles Schwab & Co. v. Carter, No. 04 C 7071, 2005 WL 2369815, at *5-7 (N.D. Ill. Sept. 27, 2005) (holding that the CFAA allows for vicarious liability because it is analogous to a tort action and because "imposing vicarious liability would further the CFAA's purpose."). Other district courts, noting that the CFAA is principally a criminal statute and creates a private right of action only "against the violator," have held that the CFAA does not permit any form of vicarious liability. Doe v. Dartmouth-Hitchcock Med. Ctr., No. CIV. 00-100-M, 2001 WL 873063, at *5 (D.N.H. July 19, 2001). The Defendants, however, have not put this issue before the Court. The only basis that the Defendants assert for dismissing Schlumberger's claim against ArkLaTex is that the complaint "provides no substantive factual allegations" and is therefore too conclusory to survive Twombly. The Defendants have not argued that the CFAA, as a matter of law, does not permit vicarious liability. Thus, the Court assumes, without deciding, thatthe CFAA permits vicarious liability in order to address the Defendants' arguments that Schlumberger has not plead sufficient facts to state such a claim. --------
The Defendants argue that Schwab is distinguishable from Schlumberger's complaint because unlike the complaint in Schwab, Schlumberger's complaint provides no facts to explain how ArkLaTex directed McReynolds to extract proprietary information from Schlumberger, how ArkLaTex received that information, or even the name of a single person at ArkLaTex who communicated with McReynolds in furtherance of his alleged CFAA violation. The Court agrees. Schlumberger does not provide a single specific fact from which the Court could reasonably infer that ArkLaTex affirmatively encouraged McReynolds to extract proprietary information from Schlumberger. The best basis that Schlumberger provides in its complaint for the allegation that ArkLaTex either directly encouraged or ratified McReynolds' conduct is that McReynolds became ArkLaTex's employee shortly after he ended his employment with Schlumberger. This is insufficient to create a plausible claim that ArkLaTex affirmatively urged McReynolds to extract proprietary data from Schlumberger. But again the remedy for this defect is not dismissal under Rule 12(b)(6) but a more definite statement pursuant to Rule 12(e). The Court therefore orders Schlumberger to amend its complaint to provide more specificity on how ArkLaTex affirmatively encouraged McReynolds to extract proprietary data from Schlumberger.
IV. Conclusion
For the foregoing reasons,
IT IS ORDERED that the Motion for Partial Dismissal, filed by the Defendants, Record Document 9, is GRANTED IN PART and DENIED IN PART. The motion is granted insofar as it seeks a more definite statement under Rule 12(e) and denied insofar as it seeks to dismiss the Plaintiff's claims under the CFAA pursuant to Rule 12(b)(6).
IT IS FURTHER ORDERED that the Plaintiff file an amended complaint in accordance with this opinion by Monday, September 19, 2016. Pursuant to Rule 12(e), failure of the Plaintiff to file an amended complaint by the deadline above will result in the Court sua sponte dismissing the Plaintiff's CFAA claims with prejudice under Rule 12(b)(6).
THUS DONE AND SIGNED in Shreveport, Louisiana, on this 1st day of September, 2016.
/s/_________
Elizabeth E. Foote
United States District Judge