Opinion
No. 3:19-cv-1634-VLB
03-29-2021
MEMORANDUM OF DECISION DENYING MOTIONS TO DISMISS [DKTS. 82, 83]
Plaintiffs—Dr. Barry D. Stein ("Dr. Stein"), Barry D. Stein, MD, LLC ("Stein LLC"), and Fairfield Anesthesia Associates LLC ("FAA") (collectively "Plaintiffs")—brought the amended complaint against Defendants—Melissa J. Needle ("Attorney Needle"), Needle Cuba Law Firm ("Cuba Firm"), Law Offices of Melissa Needle, LLC ("Needle LLC"), Jessica Calise ("Ms. Calise") (collectively "Needle Defendants") and Jennifer Stein ("Mrs. Stein")—alleging violations of the Computer Fraud and Abuse Act ("CFAA") under 18 U.S.C. § 1030, violations of Connecticut's Computer Crime Law ("CCL") under Conn. Gen. Stat. § 53-452, negligence and negligent supervision against the Needle Defendants. [Dkt. 73 (Am. Compl.)]. Currently before the Court are the Needle Defendants and Mrs. Stein's substantially similar motions to dismiss requesting the Court dismiss this action under the abstention doctrine, or alternatively stay the proceedings pending resolution of the pending state court divorce proceedings, dismiss the CFAA and CCL claims for failure to state a claim upon which relief can be granted, and upon dismissal of the CFAA claim, decline supplemental jurisdiction over the remaining state law claims. [Dkts. 82 (Needle Mot.) and 83 (Stein Mot.)]. The Plaintiffs filed an opposition. [Dkt. 103 (Opp.)]. To which the Defendants replied to. [Dkts. 111 (Needle Reply) and 112 (Stein Reply)].
For the following reasons, the motion to dismiss is granted in part and denied in part.
The factual allegations contained within this section are based on the specific factual allegations made in the amended complaint—which the Court will treat as true for the purpose of this decision—and documents the Court can take judicial notice of.
Dr. Stein is an anesthesiologist and sole member of Stein LLC. [Am. Compl. at p.2]. Between November 2000 and February 2019, Dr. Stein through Stein, LLC provided anesthesiologist services to his patients while an owner and managing member of FAA. [Id. at ¶ 12]. Dr. Stein is licensed to practice medicine and surgery in the state of Connecticut. [Id. at ¶ 13]. As a "provider," Dr. Stein has statutory and regulatory mandates that impose a duty to retain and furnish a patient's medical records. [Id. at ¶¶ 13-14 (citing to Conn. Gen. Stat. §§ 20-7c and 20-7d, Conn. Agencies Regs. § 19a-14-42, Health Insurance Portability and Accountability Act ("HIPPA") Pub. L. 104-191, 110 Stat. 1936 (1996), Health Information Technology for Economic and Clinical Health ("HITECH") Act, Pub. L. 111-5, 123 Stat. 228 (2009))]. At all relevant times, FAA utilized an electronic medical record ("EMR") keeping system through which patient data is securely stored on Microsoft's OneDrive servers. [Id. at ¶ 15]. While working at FAA, Dr. Stein utilized this system. [Id. at ¶ 16].
Between approximately 2015 and November 2018, Stein LLC owned and maintained a computer on behalf of FAA at Dr. Stein's marital home that he shared with Mrs. Stein. [Id. at ¶ 17]. The subject computer was separated into two distinct, password-protected sub accounts: one for Dr. Stein and one for Mrs. Stein. [Id. at ¶ 18]. To access the FAA EMR system from this computer, the user must be on Dr. Stein's password-protected subaccount and the user must then click on a link to the FAA computer network accessible only from that subaccount. [Id. at ¶¶ 21-23].
On April 16, 2018, Mrs. Stein filed for divorce against Dr. Stein in the Connecticut Superior Court. See Stein v. Stein, Conn. Super. Ct. FST-FA18-6035933-S. Mrs. Stein is represented by Attorney Needle and the Needle firm in this the divorce case. As of March 25, 2021, the divorce case is still ingoing. Id.
The Court takes judicial notice of the docket sheet from the Connecticut Family Court. Mangiafico v. Blumenthal, 471 F.3d 391, 398 (2d Cir. 2006) ("docket sheets are public records of which the court could take judicial notice.").
In or about April 2018, Mrs. Stein and Ms. Calise, a paralegal at the Needle Firm, accessed Dr. Stein's password-protected subaccount and copied an estimated nine (9) gigabytes of FAA business data, including the patient data, onto an external storage device. [Id. at ¶ 25]. Plaintiffs allege that Ms. Calise downloaded the patient data from the OneDrive account onto an external flash drive. [Id. at ¶ 25]. This unauthorized download of the protected health information ("PHI") of approximately 800 FAA patients was discovered in July of 2019 during the parties' divorce proceedings. [Id. at ¶¶ 25,39]. Plaintiffs did not give Mrs. Stein the password to Dr. Stein's subaccount, nor did they authorize Mrs. Stein to access Dr. Stein's subaccount for this or any other purpose. [Id. at ¶ 19].
Mrs. Stein provided the external storage device containing the patient data to the Needle Defendants, where the information was copied to and stored in the computer system maintained by Needle LLC. [Id. at ¶ 26]. Plaintiffs believe that this PHI was then uploaded in an unencrypted format to the Needle Defendants' computer network, and then again to a Dropbox folder that the Needle Defendants maintained. [Id. at ¶¶ 29-30]. On April 4, 2019, Attorney Needle and the Needle Cuba Firm emailed a link to an unsecured, unencrypted Dropbox folder that contained the copied patient data. [Id. at ¶ 30]. Thereafter, Plaintiffs commenced an investigation of the data appropriated, with the assistance of a retained outside cyber-forensic and cybersecurity firm, to identify the nature and extent of the appropriation and the status of the copied data. [Id. at ¶¶ 31-32].
On August 1, 2019, Attorney Needle issued a letter assuring that "the information downloaded from the family computer was transferred by [Calise] into [Mrs. Stein's] filed on [Attorney Needle or Needle Cuba Firms] office computer system. There are no hard copies of the information to return to you nor is the information contained on any hard drive, thumb drive or memory stick." [Id. at ¶ 24 (emphasis in original)]. The letter also states that "[t]he information has remained on my office system." [Id.].
Plaintiffs allege that Defendants (1) violated the Computer Fraud and Abuse Act 18 U.S.C. § 1030 et seq., (2) violated the Connecticut statutes §§ 53-451 and -452, and (3) were negligent. Plaintiffs also allege a claim of negligent supervision against Attorney Needle, the Needle Cuba Firm and Needle, LLC. II. LEGAL STANDARD
The Defendants argue that dismissal is appropriate under Rules 12(b)(1) and 12(b)(6) of the Federal Rules of Civil Procedure.
Rule 12(b)(1) authorizes a party to assert a defense of lack of subject matter jurisdiction by motion. A 12(b)(1) motion may be either facial of fact-based. Carter v. HealthPort Technologies, LLC, 822 F.3d 47, 56-57 (2d Cir. 2016). When the motion is facial, it is based solely on the allegations in the complaint and attached exhibits. Id. When the motion is fact-based, it is based on proffered evidence in the pleadings that controvert allegations in the complaint or that reveal a factual problem in subject matter jurisdiction. Id. Though the plaintiff has the burden of proving by a preponderance of the evidence that subject matter jurisdiction exists, the Court must construe all ambiguities and draw all inferences in the plaintiff's favor. Makarova v. United States, 201 F.3d 110, 113 (2d Cir. 2000). When the subject matter jurisdiction challenge is premised on a lack of standing argument, as here, the plaintiff "must allege facts that affirmatively and plausibly suggest that it has standing to sue." Amidax Trading Group v. S.W.I.F.T. SCRL, 671 F.3d 140, 145 (2d Cir. 2011).
Rule 12(b)(6) authorizes a party to assert in a motion the defense for "failure to state a claim upon which relief can be granted." A complaint survives a 12(b)(6) motion to dismiss only if it "states a claim to relief that is plausible on its face." Bell Atl. Corp v. Twombly, 550 U.S. 544, 570 (2007). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). "The plausibility standard is not akin to a probability requirement, but it asks for more than a sheer possibility that a defendant has acted unlawfully." Id. (internal quotations omitted). "When determining the sufficiency of plaintiffs' claim for Rule 12(b)(6) purposes, consideration is limited to the factual allegations in plaintiffs' amended complaint, which are accepted as true, to documents attached to the complaint as an exhibit or incorporated in it by reference, to matters of which judicial notice may be taken, or to documents either in plaintiffs' possession or of which plaintiffs had knowledge and relied on in bringing suit." Brass v. Am. Film Techs., Inc., 987 F.2d 142, 150 (2d Cir. 1993). III. DISCUSSION
A. Abstention and Stay
Defendants argue that the Court should decline jurisdiction and dismiss the action pursuant to the Younger, Colorado River, and/or the "domestic relations" abstention doctrines. Defendants' specifically argue that Plaintiffs' claims can and should be addressed in the ongoing state court divorce proceedings. Plaintiffs object, arguing that abstention is generally disfavored by federal courts and the circumstances of this case do not satisfy the doctrines' criteria.
1. Domestic Relations Abstention
Defendants argue that the Court should decline jurisdiction under the "domestic relations" abstention doctrine because factual issues relating to Mrs. Stein's authority can and should be addressed first in the state divorce action. Plaintiffs argue that the domestic relations abstention doctrine is not appropriate here because none of the factual issues are matrimonial issues, nor are the factual issues inextricable from the divorce proceedings.
Generally speaking, "[a]bstention from the exercise of federal jurisdiction is the exception, not the rule." Colorado River Water Conservation Dist. v. United States, 424 U.S. 800, 813 (1976).
The doctrine of abstention, under which a District Court may decline to exercise or postpone the exercise of its jurisdiction, is an extraordinary and narrow exception to the duty of a District Court to adjudicate a controversy properly before it. Abdication of the obligation to decide cases can be justified under this doctrine only in the exceptional circumstances where the order to the parties to repair to the state court would clearly serve an important countervailing interest.Id.
Specific to the domestic relations abstention doctrine, "[a] federal court presented with matrimonial issues or issues 'on the verge' of being matrimonial in nature should abstain from exercising jurisdiction so long as there is no obstacle to their full and fair determination in state courts." Am. Airlines, Inc. v. Block, 905 F.2d 12, 14 (2d Cir. 1990). As such, the Court must determine if the issues raised in this case (1) are matrimonial issues or issues on the verge of being matrimonial in nature and (2) whether there is an obstacle to their full and fair determination in state court.
Here, the claims in the amended complaint are not matrimonial issues or issues on the verge of being matrimonial in nature. The only factual issues that the Defendants allege are intertwined between the divorce action and this action are: (1) whether the computer was matrimonial property, (2) whether the password was known to Mrs. Stein or otherwise shared among family members, and (3) whether the data was deliberately and inadvertently copied. Whether these "factual issues" are issues relevant to this litigation requires consideration of the claims raised in the complaint. Of particular importance for this analysis are the first two counts under the CFAA and CCL.
The first inquiry is whether the factual issues that will necessarily be decided in adjudicating the CFAA claim are matrimonial issues or issues on the verge of becoming matrimonial in nature. The CFAA, in relevant part, authorizes a civil action against "(a) [w]hoever— . . . (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains-- . . . (C) information from any protected computer" if the conduct involves "(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceedings brought by the United States only, loss resulting from a related course of conduct affecting or more protected computers) aggregating at least $5,000 in value; (II) the modification or impairment, or potential modification or impairment, of medical examination, diagnosis, treatment, or care of 1 or more individuals; . . . ." 18 U.S.C. § 1030(a)(2)(C), (c)(4)(A), (g). A "protected computer" means, inter alia, "a computer-- . . . (B) which is used in or affecting interstate or foreign commerce or communications, including a computer not exclusively located outside of the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States . . . ." 18 U.S.C. § 1030(e)(2). The only arguable matrimonial issue that could be necessary for adjudicating the CFAA claim is whether the computer was owned by Mrs. Stein as marital property. Assuming the computer still exists, the state family court will likely need to decide if the computer is "marital property" and if so, which party should be entitled to it in the asset distribution. Assuming for the sake of this decision it matters that the computer was or was not marital property, whether the computer is marital property at the time of the dissolution of marriage would not matter here. If the computer being marital property mattered, it would only matter with respect to the time of the alleged wrongful conduct; April 2018. It is not logical why the state family court would need to decide whether the computer was marital property or not during April 2018. Rather, the state family court will just be deciding whether it is marital property for the purpose of asset distribution. Whether the computer was marital property in April 2018 is not a matrimonial issue or and issue on the verge of being matrimonial.
The second inquiry is whether the second count under Connecticut General Statute section 53-451, -452 requires a factual determination of the factual issues the Defendants claim overlap with the divorce proceedings. Connecticut General Statues section 53-451(b) provides that "[i]t shall be unlawful for any person to use a computer or computer network without authority and with the intent to: . . . (6) [m]ake or cause to be made an unauthorized copy, in any form, including, but not limited to, any printed or electronic form of computer data, computer programs or computer software residing in, communicated by or produced by a computer or computer network . . . ." Section 53-451(a)(14) provides in relevant part that "[a] person is "without authority" when such person (A) has no right or permission of the owner to use a computer or such person uses a computer in a manner exceeding such right or permission . . . ." Section 53-452(a) authorizes a civil action by someone injured due to another's violation of 53-451. A civil action pursuant to a violation of 53-451 must be raised within two years from the date of the act complained of. Conn. Gen. Stat. § 53-452(f). Similar to the CFAA claim, this claim does not raise a factual issue that the family court will be deciding.
With respect to the second and third factual issue that the Defendants claim is inextricably intertwined with the divorce proceeding—that the password was shared and that the copying was deliberate or inadvertent—there is nothing in the pleadings that indicates that this is a factual finding the state family court will make in determining dissolution of the marriage, distribution of the assets, and child custody matters. While it is conceivable that the family court will consider the unlawful copying and downloading of information from the computer, as well as any marital assets discovered as a result, in determining fair distribution of property, the mere possibility of such consideration does not result in a finding that this issue is even on the merge of being matrimonial in nature. If that was the case, than the alleged wrongdoing of one of the parties in a dissolution action would always constitute a basis for finding that the issue is on the verge of being matrimonial and no one in a divorce action could have separate litigation ongoing at the same time. Such an interpretation of the domestic relations abstention doctrine would be too broad and would not comport with the clear direction from the Supreme Court that abstention doctrines should be used only in exceptional circumstances.
Further, the claims raised in this case are not claims that would be fully and fairly determined in state court, particularly because the pending action is a divorce proceeding. The divorce proceeding is between just one Plaintiff and one Defendant in this case: Dr. and Mrs. Stein. However, there are two other Plaintiffs in this case and four other Defendants. There is nothing before the Court showing that those parties could intervene in the divorce proceeding. There is also nothing showing that the state family court has the power to adjudicate the tort claims in this case. This is because under Connecticut statutory law, family relations matters are limited to eighteen enumerated types of matters; see Conn. Gen. Stat. § 46b-1; none of which include adjudication of federal and state tort law claims. In other words, FAA and Stein LLC could not seek redress for the alleged wrongdoing in the divorce proceedings, nor could the Needle Defendants be found liable for their alleged tortious conduct in the state law case.
The Court does recognize the family court has jurisdiction to address ethical and discovery issues, but these are not the issues raised in this court, although they are related, they are collateral to the matrimonial issues.
Therefore, the Court finds the "domestic relations" abstention doctrine is inapplicable and will not decline jurisdiction on that basis.
2. Younger and Colorado River abstention
Defendants argue that abstention pursuant to Younger v. Harris, 401 U.S. 37 (1971) is appropriate because any damages award here could interfere with the divorce proceedings, there are state interests implicated here, and Plaintiffs can recover damages in the divorce proceedings. Defendants also argue that abstention pursuant to Colorado River Conservation Dist. v. United States, 424 U.S. 800 (1976) is appropriate because the family court assumed jurisdiction over the marital property, the forums are equally convenient, stay or dismissal would avoid piecemeal litigation, the divorce proceedings were filed first, the family court gave Dr. Stein the option to have a hearing relating to the computer data, the dispositive issues or motive and authority should be addressed in state court, and the state court procedures are adequate. Plaintiffs object, arguing that abstention is not appropriate because there has been no showing of exceptional circumstances, the claims in this case are not parallel to the divorce case, and the considerations under Colorado River do not support abstention.
Younger abstention seeks to avoid federal court interference with ongoing state criminal prosecutions, state-initiated civil enforcement proceedings, and state civil proceedings that involve the ability of state courts to perform their judicial functions. Jones v. Cnty. of Westchester, 678 F. App'x 48, 49-50 (2d Cir. 2017). "Younger abstention is appropriate where '1) there is an ongoing state proceeding; 2) an important state interest is implicated; and 3) the plaintiff has an avenue open for review of constitutional claims in the state court.'" Liberty Mut. Ins. Co. v. Hurlbut, 585 F.3d 639, 647 (2d Cir. 2009).
A federal court may, in certain exceptional circumstances, abstain from exercising jurisdiction over a claim properly brought before it, but the abstention doctrine "comprises a few extraordinary and narrow exceptions to a federal court's duty to exercise its jurisdiction . . . ." Niagara Mohawk Power Corp. v. Hudson River-Black River Regulating Dist., 673 F.3d 84, 100 (2d Cir. 2012) (quoting Woodford v. Cmty. Action Agency of Greene Cnty., Inc., 239 F.3d 517, 522 (2d Cir. 2001)). One narrow exception to the general obligation to exercise jurisdiction is when a parallel state court action is pending. See Colorado River Water Conservation Dist. v. United States, 424 U.S. 800, 813 (1976). In Colorado River, the Supreme Court held that a "federal court may abstain from exercising jurisdiction when parallel state-court litigation could result in 'comprehensive disposition of litigation.'" Niagara Mohawk Power Corp., 673 F.3d at 100 (quoting Colorado River, 424 U.S. at 817-18). When determining whether to abstain from exercising jurisdiction, courts are required to consider the following factors:
(1) whether the controversy involves a res over which one of the courts has assumed jurisdiction; (2) whether the federal forum is less inconvenient than the other for the parties; (3) whether staying or dismissing the federal action will avoid piecemeal litigation; (4) the order in which the actions were filed, and whether proceedings have advanced more in one forum than in the other; (5) whether federal law provides the rule of decision; and (6) whether the state procedures are adequate to protect the plaintiff's federal rights.Niagara Mohwak Power Corp., 673 F.3d at 101 (quoting Woodford, 239 F.3d at 522). However, a court's decision to decline jurisdiction "does not rest on a mechanical checklist," but rather depends on "a careful balancing of the important factors as they apply in a given case." Moses H. Cone Mem'l Hosp. v. Mercury Constr. Corp., 460 U.S. 1, 16 (1983). Therefore, in addition to the six criteria, courts consider a wide variety of factors when conducting the abstention analysis.
Abstention pursuant to Younger and Colorado River is inappropriate here for many of the same reasons that abstention is inappropriate under the domestic relations abstention doctrine. The divorce case and this case are by no means parallel. The parties in the divorce case are just Dr. and Mrs. Stein; here there are six other parties. The issues in the divorce case are limited to divorce, property distribution, and child custody; here the issues are based in tort law. Neither of these abstention doctrines can apply when the cases are this distinct from one another. Nor should it. If the Court was to grant abstention, Stein LLC and FAA could not seek redress for the alleged torts claims raised in this case through the divorce proceeding even though they have sufficiently alleged injury. Further, Needle Defendants could not be found directly liable for their role in the alleged wrongful conduct raised in this case in the divorce proceedings. In essence, they could get away with wrongdoing simply because a codefendant was in a divorce action with a plaintiff. The family court simply could not adjudicate the tort claims raised here due to the limited nature of such proceedings, as discussed above. There is no threat of piecemeal litigation because the issues before the family court and the issues raised in this case are different.
Therefore, the Court finds that abstention under either Younger or Colorado River is inapplicable and will not decline jurisdiction over this action.
3. Stay
Defendants argue that, if the Court declines to abstain, it should nonetheless grant a stay of the federal case while the divorce is ongoing because the family court judge is better suited to make ownership and access determinations, resolution of the divorce action will speak directly to the claims in this action, stay would avoid inconsistent factual determinations, stay would conserve judicial resources, and it is possible the divorce action could render this action moot. Defendants rely heavily on two out-of-circuit cases to support their argument: Mehta v. Maddox, 296 F. Supp. 3d 60 (D.D.C. 2017) and Decourcy v. Maruk, No. 19- 20511-CIV, 2019 WL 3767502 (S.D. Fla. Aug. 9, 2019). Plaintiffs argue that reliance on Mehta and Decourcy is misplaced because those cases are distinguishable.
In Mehta, the plaintiff-husband raised a CFAA claim, along with other federal and state claims against his wife alleging that she gained unauthorized access of several of his online accounts (such as email and services accounts), altered passwords, and obtained private information. 296 F. Supp. 2d at 62. The district court granted stay finding that "determination[s] about the ownership of particular accounts and whether the alleged access was authorized or unauthorized" should be decided in the ongoing divorce proceedings. Id. at 66. Mehta is factually distinguishable for two reasons. First, in Mehta the federal suit was between husband and wife only. Here, this suit is between three plaintiffs (one of which is a party in the divorce) and five defendants (one of which is a party in the divorce). Meaning, there is no coincidence of parties here as there was in Mehta. Second, in Mehta the issue related to who owned the various email and services accounts, which is suited for the family court to decide. Here, there is no argument that Mrs. Stein could have any legal or marital interest in the PHI taken from the computer. In other words, the property question is not key to the adjudication of this case as it was in Mehta.
In Decourcy, the plaintiff-husband raised a CFAA claim, along with other federal and state claims, against his wife and her divorce attorney alleging that they gained unauthorized access to his email accounts where they read attorney-client communications, accessed architectural drawings for a project he was working on and sabotaged a business transaction. 2019 WL 3767502, at *1. The district court applied the principles from Younger and found that staying the federal suit was appropriate because the alleged wrongful conduct could be addressed in the divorce proceedings and the divorce case judge was in a better position to determine what tactical advantages the wife received from her unauthorized access. Id. at *1-2. Decourcy is distinguishable for two reasons. First, the only plaintiff in Decourcy was a party to the ongoing divorce proceedings. Here, there are two other plaintiffs who are not parties to the divorce. This is important, particularly for FAA, because FAA does not have the ability to recover for the alleged tortious conduct of the defendants in the divorce by any means. FAA alleges they have suffered injury, an injury that could not be addressed in the divorce proceeding. Second, the property that was allegedly wrongfully copied is not property of Mrs. Stein through her marriage to Dr. Stein. The copied PHI is not the same as emails stored in an email account. Nor should the two types of property be treated similarly. When a spouse unlawfully accesses another email to gain a tactical advantage in a divorce proceeding, the divorce court can determine what that advantage is and offset any benefit received when distributing assets. When a spouse unlawfully copies and disseminates PHI of third parties, that spouse does not received a tactical advantage that needs to be offset. Rather, such unlawful conduct requires the party responsible for maintaining the PHI to expel financial resources to determine the extent of the breach and to take steps to protect the information wrongfully appropriated. In addition, the party responsible for maintaining the PHI has legal exposure to the patients whose data was improperly accessed for an unintended purpose as well as regulatory authorities. See Byrne v. Ayer Center for Obstetrics and Gynecology, P.C., 327 Conn. 540 (2018) (recognizing a tort cause of action for patients against health care providers who, without authority to do so, disclose confidential information obtained in the course of the physician-patient relationship); 42 U.S.C. § 1320d-6 (proscribing civil and criminal penalties for wrongful disclosure of individual identifiable health information). Decourcy and Mehta are distinguishable.
The Court does not find that a stay would be appropriate here. Each day that passes, the evidence relating to the alleged wrongful conduct becomes older and more likely to be lost, destroyed, or otherwise made unreliable. Divorce proceedings historically can take years and sometimes even a decade. A stay here, for however long it takes for the divorce action to be finalized would prejudice both parties because they would not have the benefit of fresh evidence to support their claim or defense. Further, the outcome of the divorce is not likely to play a role in this case because only two of the parties are part of that divorce. Even if Mrs. and Dr. Stein reach an amicable resolution in the divorce, this would not resolve any disputes Dr. Stein has with Needle Defendants, FAA has with Mrs. Stein, and FAA has with Needle Defendants. Stay would cause an undue delay that would be more injurious than helpful.
Therefore, the Court declines the request to stay these proceedings until the resolution of the divorce action.
B. Stein Plaintiffs' Standing
Defendants argue that Stein Plaintiffs lack standing to assert a claim based upon the alleged access of the PHI because that PHI belonged to FAA, and thus the Stein Plaintiffs did not suffer an injury-in-fact. Plaintiffs argue that there is not an ownership requirement under the CFAA and Stein Plaintiffs did suffer an injury-in-fact.
To have standing, a plaintiff must show (1) that the plaintiff suffer an "injury in fact," (2) that there is "a causal connection between the injury and conduct complained of," and (3) that it is "likely" that the injury will be "redressed by a favorable decision." Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1990). "To establish injury in fact, a plaintiff must show that he or she suffered 'an invasion of a legally protected interest' that is 'concrete and particularized" and "actual or imminent, not conjectural or hypothetical.'" Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016), as revised (May 24, 2016) (citing to Lujan, 504 U.S. at 560). "For an injury to be 'particularized,' it must affect the plaintiff in a personal and individual way . . . [and a] 'concrete' injury must be 'de facto'; that is, it must actually exist." Id. at 1548.
As outlined above, the CFAA provides that "any person who suffers damages or loss by reason of a violation of this section may maintain a civil action against the violator . . . ." 18 U.S.C. § 1030(g). Subsection (e)(8) defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information." Subsection (e)(11) defines "loss" as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service" ). "Under this definition, and under the case law interpreting it from within this circuit, the costs of investigating security breaches constitute recoverable "losses," even if it turns out that no actual data damage or interruption of service resulted from the breach." Univ. Sports Pub. Co. v. Playmakers Media Co., 725 F. Supp. 2d 378, 387 (S.D.N.Y. 2010). The question here is whether Stein Plaintiffs have alleged sufficient facts to show they have suffered damages or loss to satisfy the jurisdictional requirement for the CFAA.
Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004) is instructive. In Theofel, the Ninth Circuit held that the CFAA does not have an ownership or control requirement. Id. at 1078. In Theofel, the defendants issued a patently overbroad subpoena, that resulted in approximately 400 emails from various plaintiffs being distributed to and reviewed by the defendants. Those plaintiffs filed suit alleging, inter alia, that the defendants violated the CFAA. The district court dismissed this claim finding that the CFAA does not apply to unauthorized access of a third party's computer, which the Ninth Circuit reversed finding that "[t]he district court erred by reading an ownership or control requirements into the [CFAA]." Id. at 1078. The Ninth Circuit explains that "[i]ndividuals other than the computer's owner may be proximately harmed by unauthorized access, particularly if they have rights to data stored on it." Id.
Here, the amended complaint alleges that Plaintiffs commenced an investigation into Defendants' intrusion after learning of their actions. [Compl. at ¶ 31].
Specifically, Plaintiffs retained the services of the Sylint Group, Inc., a cyber-forensic and cybersecurity firm, to investigate the nature and
extent of any damage to the Protected Computer, FAA Patient PHI, and/or Stein Patient Data attributable to the acts of Defendants in accessing and using the Protected Computer to copy and download approximately 9 gigabytes of information from Plaintiffs, including whether any information was deleted, modified or otherwise overwritten, and further including whether the insertion by Defendants of an unauthorized and external storage device into that computer resulted in an infection with malware such as viruses, trojans and ransomware. The cost of that investigation exceeded the sum of $5,000.[Id. at ¶ 32].
The Court rejects Defendants standing arguments for two reasons. First, the amended complaint on its face indicates that the PHI belonged to Stein Plaintiffs' patients and the Stein Plaintiffs had an interest imposed by statute and regulation on preserving that information. Defendants claims that the information was only FAA's is unsupported and does not address the Stein Plaintiffs' responsibilities to its patients. Second, even if the PHI is solely owned by FAA, ownership is not a requirement for raising a CFAA claim as discussed in Theofel. Rather, the statute requires a showing of damages or losses. The complaint on its face shows that the Plaintiffs incurred losses in investigating the breach. Such incurred losses can be used in establishing jurisdictional standing. See Univ. Sports Pub. Co., 752 F. Supp. 2d at 387.
Therefore, the Court denies the Defendants' motion to dismiss the Stein Plaintiffs' claims due to a lack of standing.
C. Computer Fraud and Abuse Act Claim
Defendants argue that the CFAA claim should be dismissed because it does not plausibly plead that Defendants' access was unauthorized and HIPPA does not govern Defendants. Alternatively, Defendants argue that the claim should be dismissed pursuant to the rule of lenity to avoid interpreting the criminal statute in a way that criminalizes ordinary conduct. Lastly, and alternatively, Defendants argue that the Court should dismiss the § 1030(c)(4)(A)(i)(II) claim because Plaintiffs lack standing.
1. "Unauthorized"
Defendants argue that the Plaintiffs have failed to plausibly plead that access to the computer was "without authorization or exceeds authorized access" as required under the CFAA. 18 U.S.C. § 1030(a)(2). The argument is two-fold. First Defendants jointly argue that the complaint fails to plead that Mrs. Stein's access was unauthorized. Second, Needle Defendants alone argue that the complaint fails to plead that Needle Defendant's access was unauthorized.
"The statute does not define 'without authorization,' though courts have construed it to mean 'without any permission.'" Univ. Sports Pub. Co. v. Playmakers Media Co., 725 F. Supp. 2d 378, 383 (S.D.N.Y. 2010) (citing to LVRC Holding LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009)). The statute does define "exceeds authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." § 1030(e)(6). "Courts applying the narrow interpretation of the statute have construed the definition of 'exceeds authorized access' to apply to a person who uses a limited level of initial access authority to obtain other, more highly protected information that he or she is not entitled to access." Univ. Sports Pub. Co., 725 F. Supp. 2d at 384.
i. Mrs. Stein's Authority
With respect to Mrs. Stein's access, Defendants argue that Mrs. Stein could not be found liable under the CFAA because she was permitted to use the subject computer and she had an interest in the computer as it was marital property at the time of the alleged unlawful conduct. In addition, Defendants argue that they are not subject to HIPPA and HIPPA cannot be a basis for finding unauthorized access. Plaintiffs' object arguing that the complaint pleads that the access was not authorized and the arguments relating to the computer being marital property are a red herring.
The complaint alleges that the patient PHI was accessible only from Dr. Stein's password protected sub-account on the computer. [Compl. at ¶¶ 21-22]. Further, the complaint alleges that access to the patient PHI required clicking on the FAA OneDrive link. [Id. at ¶ 22]. The complaint also alleges that "[a]t no time pertinent hereto did Plaintiffs authorize Defendants to access any of the Stein Patient Data or the FAA Patient PHI through the Protected Computer." [Compl. at ¶ 27]. Thus, the complaint sufficiently alleges that Defendants did not have authority to access the patient PHI, let alone download, copy, and disseminate it. Even if Mrs. Stein had authority to access this computer, she certainly exceeded her authority by accessing the password protected subaccount. Whether Dr. Stein in fact gave Mrs. Stein the password to the subaccount is a matter to be addressed during discovery.
Defendants argument about the computer being marital property poses a factual issue that cannot be resolved at this stage of the proceedings. On the face of the complaint, the computer is not marital property; rather it is owned by Stein LLC. Whether the computer is in fact marital property is a factual issue that will need to be addressed after discovery. Further, even if the computer is marital property, that fact alone does not justify dismissal for two reasons. First the computer and the password protected data on the computer are separate and distinct. Second, the complaint pleads enough facts to show that at the very least Mrs. Stein exceeded authorized access by entering a password to Dr. Stein's subaccount without permission to do so.
The Court need not address whether or not Defendants are subject to HIPPA or HIPPA-like requirements because the unauthorized access is sufficiently alleged without reliance on HIPPA.
ii. Needle Defendants' Authority
With respect to Needle Defendants' access only, Needle Defendants argue that Mrs. Stein at the very least had apparent authority to authorize the access to the computer. Plaintiffs argue that this is preposterous because Needle Defendants, as well as every lawyer in the country, knows that it is not permitted to unilaterally access PHI without consent and a non-physician's "authorization" is a legal nullity.
The Court rejects Needle Defendants' argument because there is nothing in the complaint that leaves the Court with the impression that any Plaintiffs made representations to Needle Defendants that would reasonably create apparent authority. See Fennell v. TLB Kent Co., 865 F.2d 498, 502 (2d Cir. 1989) ("Second Circuit case law supports the view that apparent authority is created only by the representations of the principal to the third party, and explicitly rejects the notion that an agent can create apparent authority by his own actions or representations."); F.D.I.C. v. Providence College, 115 F.3d 136, 141 (2d Cir. 1997) (reliance on an agent's apparent authority must be reasonable and in some circumstances the third party has a duty to inquire such as "when (1) the facts and circumstances are such as to put the third party on inquiry, (2) the transaction is extraordinary, or (3) the novelty of the transaction alerts the third party to a danger of fraud."). Further, it is wholly unreasonable to believe that Needle Defendants believed Mrs. Stein, who is not a physician-custodian of the PHI or the patient-subject of the PHI, could authorize a third party to access other persons' PHI without their consent. This is particularly true here where the person who accessed the PHI is a highly educated professional subject to legal ethics standards and acted under the supervision of a member of the bar.
Therefore, the Court finds that the complaint sufficiently pleads the unauthorized element of a CFAA claim against the Defendants.
2. Rule of Lenity
Defendants argue that the rule of lenity compels dismissal of the CFAA claim because finding liability based on the allegations in the complaint would criminalize routine use of a home computer. Plaintiffs argue that the rule of lenity does not bar the CFAA claim because, under HIPPA regulations, Defendants never had authority to access or take patient PHI.
The rule of lenity "applies only when, after consulting traditional canons of statutory construction, we are left with an ambiguous statute." Shular v. United States, 140 S. Ct. 779, 787 (2020). Where there is no ambiguity, there is nothing for the rule of lenity to resolve. Id. Though the rule of lenity is generally steered toward construction of criminal statutes, it applies here where the statute at issue has both criminal and non-criminal applications. See Leocal v. Ashcroft, 543 U.S. 1, 11 n.8 (2004); Executive Trim Construction, Inc. v. Gross, No. 1:20-cv-544, 2021 WL 919865, at *12 (N.D.N.Y. Mar. 10, 2021) (applying rule of lenity in analyzing CFAA claim).
The parties rely heavily on the Second Circuit's decision in United States v. Valle, 807 F.3d 508 (2015) in making their arguments. In Valle, the defendant was charged with, inter alia, improperly accessing a government computer and obtaining information in violation of § 1030(a)(2)(B) of the CFAA. Id. at 512-13. The defendant was a NYPD police officer with access to a computer program that allowed him to search restricted databases. Id. Though it was against department policy, the defendant used the database to search for someone he was accused of conspiring to kidnap. Id. The defendant was convicted on this count, but the Second Circuit reversed. Id. at 523. The Second Circuit held that "exceeds authorized access" only applies when a party "obtains or alters information that he does not have authorization to access for any purpose which is located on a computer that he is otherwise authorized to access." Id. at 511-12. The court found that "one sensible reading of the statute is that 'exceeds authorized access' is complementary, referring to a scenario where a user has permission to access the computer but proceeds to 'exceed' the parameters of authorized access by entering an area of the computer to which his authorization does not extend." Id. at 524 (emphasis in original). The court adopted this interpretation of "exceeds authorized access" pursuant to the rule of lenity because the alternative way of interpreting the statute would criminalize ordinary activity by making "every violation of a private computer use policy a federal crime"; such as "checking Facebook at work." Id. at 528. In other words, "exceeds authorized access" is not measured by the content accessed but the means of access.
What makes Valle distinguishable from the allegations here is what is fundamental to Plaintiffs' case; that is that Valle was authorized to access the program he accessed, here, the complaint alleges with specificity that Defendants were not authorized to access Dr. Stein's subaccount. The allegations are beyond mere conclusory allegations, rather the complaint alleges that Dr. Stein password protected his subaccount and did not give access to his password protected subaccount to Defendants. Further, once on Dr. Stein's subaccount, Defendants further exceeded authorized access by accessing the FAA OneDrive. At this stage of the proceedings, the complaint sufficiently shows that Defendants exceeded authorized access even when applying the narrower definition of "exceeds authorized access" found in Valle.
Defendants present a series of hypothetical situations of ordinary conduct that it thinks would be unlawful if the Court found that Plaintiffs' CFAA claim on its face survives this motion to dismiss. For example, Defendants' state that "[a]ccepting Plaintiffs' position would turn every spouse involved in a divorce proceeding into a potential criminal." What Defendants are missing is the allegations well beyond the fact that Dr. Stein and Mrs. Stein are in a divorce. Not every person in a divorce accesses their spouses work, password-protected computer account for the purpose of downloading universally recognized confidential medical records of third parties. This is not normal or ordinary alleged conduct.
Therefore, the Court rejects the Defendants' argument that the CFAA claim should be dismissed pursuant to the rule of lenity.
3. Section 1030(c)(4)(A)(i)(II).
Defendants argue that the branch of the CFAA claim predicated on an injury theory under § 1030(c)(4)(A)(i)(II)—which makes the CFAA actionable to private parties when the unlawful access involves "the modification or impairment, or potential modification or impairment, of medical examination, diagnosis, treatment, or care of 1 or more individuals"—should be dismissed because Plaintiffs do not have standing as they did not suffer the harm contemplated by this subsection. Defendant's heavily rely on Pediatric Nephrology Assoc.s of S. Florida v. Varierty Children's Hosp., 226 F. Supp. 3d 1346 (S.D. Fla. Dec. 29, 2016), where the court was not convinced that a plaintiff-physician could have standing to assert such an injury theory relating to medical records that are not that of the plaintiffs. Plaintiffs have not substantively responded to this argument; rather Plaintiffs say that an injury theory under both § 1030(c)(4)(A)(i)(I) and (II) are implicated and they only need to establish one theory for the claim to survive.
Plaintiffs are correct in so far as the CFAA does not require both injury theories to be actionable. However, Plaintiffs have abandoned their injury theory under § 1030(c)(4)(A)(i)(II) because they have not objected to Defendants argument that they lack standing to raise claim under that theory. See McLeod v. Verizon New York, Inc., 995 F. Supp. 2d 134, 143 (E.D.N.Y. 2014) ("[C]ourts in this circuit have held that '[a] plaintiff's failure to respond to contentions raised in a motion to dismiss claims constitute an abandonment of those claims.'") (collecting cases).
Therefore, the Court grants the motion to dismiss the CFAA claim to the extent that it is based on § 1030(c)(4)(A)(i)(II).
D. Connecticut Computer Crime Law Claim
Defendants argue that count two under the Connecticut Computer Crime statutes; Conn. Gen. Stat. §§ 53-451 and -452; should be dismissed. Defendants argue that Plaintiffs have not plead that access to the computer was without right or permission from the owner because the computer is marital property. Plaintiffs argue that the complaint alleges that the computer was owned by Stein LLC.
The issue of whether Mrs. Stein was the "owner" of the computer at the time of the breach is a factual dispute; the complaint claims the computer was owned by Stein LLC and Defendants claim it was marital property. The Court is required to resolve all factual disputes in favor of the plaintiff on a motion to dismiss. See Ashcroft, 556 U.S. at 680. Thus, the Court must find for the purpose of this decision that Stein LLC was the owner. Defendants' argument must fail because they are predicated on a fact not found by the Court.
Therefore, the Court rejects Defendants' argument that count two under the Connecticut Computer Crime statutes should be dismissed.
E. Negligence Claims
Defendants argue that upon dismissal of the CFAA claim, the Court should decline supplemental jurisdiction over Plaintiffs' remaining state law claims. Because the Court has not dismissed the CFAA claim, this argument is rejected. IV. CONCLUSION
For the aforementioned reasons, the motions to dismiss are granted in part and denied in part. The branch of the CFAA claim predicated on an injury theory under § 1030(c)(4)(A)(i)(II) is dismissed. All other claims remain.
IT IS SO ORDERED
/s/_________
Vanessa L. Bryant
United States District Judge Dated at Hartford, Connecticut: March 29, 2021