Royal Truck & Trailer Sales & Serv., Inc. v. Kraft

• Decision Date: 09 September 2020
• Docket Number: No. 19-1235,19-1235
• Citation: 974 F.3d 756
• Parties: ROYAL TRUCK & TRAILER SALES AND SERVICE, INC., Plaintiff-Appellant, v. Mike KRAFT ; Kelly Matthews, Defendants-Appellees.
• Court: U.S. Court of Appeals — Sixth Circuit

974 F.3d 756

ROYAL TRUCK & TRAILER SALES AND SERVICE, INC., Plaintiff-Appellant,

v.Mike KRAFT ; Kelly Matthews, Defendants-Appellees.

No. 19-1235

United States Court of Appeals, Sixth Circuit.

Argued: December 12, 2019

Decided and Filed: September 9, 2020

ARGUED: Anthony M. Sciara, KOTZ SANGSER WYSOCKI P.C., Detroit, Michigan, for Appellant. Salvatore J. Vitale, VARNUM LLP, Novi, Michigan, for Appellees. ON BRIEF: Anthony M. Sciara, Mark F.C. Johnson, KOTZ SANGSER WYSOCKI P.C., Detroit, Michigan, for Appellant. Salvatore J. Vitale, Richard T. Hewlett, VARNUM LLP, Novi, Michigan, for Appellees.

Before: GILMAN, KETHLEDGE, and READLER, Circuit Judges.

CHAD A. READLER, Circuit Judge.

Following the abrupt resignation of two employees, Royal Truck & Trailer discovered that the employees, prior to resigning, had accessed confidential company information from their company-issued computers and cell phones and then utilized the information in violation of company policy. Royal responded by filing suit against the employees, alleging violations of the federal Computer Fraud and Abuse Act (CFAA) as well as Michigan law.

The conduct at issue might violate company policy, state law, perhaps even another federal law. But because Royal concedes that the employees were authorized to access the information in question, it has failed to satisfy the statutory requirements for stating a claim under the CFAA. Accordingly, we AFFIRM the district court's judgment.

BACKGROUND

Royal employed Defendants Mike Kraft and Kelly Matthews as a part of the company's sales team. In conjunction with their employment, Defendants received a copy of Royal's employee handbook. With respect to the use of company equipment, the handbook prohibited a range of conduct, including: personal activities; unauthorized use, retention, or disclosure of any of Royal's resources or property; and sending or posting trade secrets or proprietary information outside the organization. Royal also had a cell phone "GPS Tracking Policy." In accordance with that policy, "[e]mployees may not disable or interfere with the GPS (or any other) functions on a company issued cell phone," nor may employees "remove any software, functions or apps." R.8, Am. Compl., ¶ 18.

Kraft and Matthews abruptly resigned from Royal to take up employment with T-N-T Trailer Sales, one of Royal's Detroit-area competitors. Fearing that confidential company information might have been compromised, Royal launched an investigation. That hunch, the investigation later revealed, proved prescient. Shortly before his resignation, Kraft forwarded from his Royal email account to his personal one quotes for two Royal customers as well as two Royal paystubs. Kraft also contacted one of Royal's customers through Royal's email server to ask the customer to send "all the new vendor info" to Kraft's personal email account. With that, Kraft then deleted and reinstalled the operating system on his company-issued laptop, rendering all of its data unrecoverable. Eventually, Royal officials went to Kraft's home and took possession of the laptop as well as Kraft's company-issued cell phone.

Before her resignation, Matthews did much the same. From her Royal email account, Matthews sent to Kraft's personal email account a Royal "Salesperson Summary Report" that contained confidential and proprietary sales information. She likewise forwarded an email from her Royal account to her personal one that contained customer pricing information. And as Kraft did with his company laptop, Matthews reset her company-issued cell phone to factory settings, rendering all data on the phone unrecoverable. Matthews then returned her company-issued laptop and cell phone to Royal's corporate headquarters and resigned, announcing her resignation more broadly through social media by sharing a link to a video of Johnny Paycheck's hit song, "You Can Take This Job and Shove It."

Unamused, Royal hired a "forensics expert" to conduct a "comprehensive and costly damage assessment" in an effort to restore the deleted data on the now former employees’ devices. R.8, Am. Compl., ¶¶ 25–26. It later filed suit against Kraft and Matthews in federal court, alleging that their conduct violated the CFAA as well as Michigan law.

The district court, however, did not see things Royal's way. It concluded that because Kelly and Matthews were authorized to access the information obtained from their company-issued computers and cell phones, the two did not "exceed[ ]" their "authorized access," as those terms are used in the CFAA, by later using the information accessed on those devices in violation of company policy. Royal filed a timely appeal.

ANALYSIS

Under our familiar standard for reviewing a district court's decision granting a motion to dismiss, we "construe the complaint in the light most favorable to the plaintiff, accept its allegations as true, and draw all reasonable inferences in favor of the plaintiff." Jones v. City of Cincinnati , 521 F.3d 555, 559 (6th Cir. 2008) (quoting Directv, Inc. v. Treesh , 487 F.3d 471, 476 (6th Cir. 2007) ). Against that backdrop, we ask whether the complaint "contain[s] sufficient factual matter ... to ‘state a claim to relief that is plausible on its face.’ " Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Bell Atlantic Corp. v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ).

The CFAA claims. As the basis for its federal claims against Kraft and Matthews, Royal invokes § 1030(a)(2)(C) of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. That provision instructs that one who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer ... shall be punished." Id. § 1030(a)(2) – (a)(2)(C). Although a violation of the CFAA can be met with criminal sanction ("shall be punished"), the Act also creates a private right of action, one that allows for civil liability where "the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i)." Id. § 1030(g) ; Pulte Homes, Inc. v. Laborers ’ Int'l Union of N. Am. , 648 F.3d 295, 299 (6th Cir. 2011) (explaining that the CFAA "criminalizes certain computer-fraud crimes and creates a civil cause of action"). Of those five subclauses, relevant here is subclause (I), which covers "loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value." 18 U.S.C. § 1030(c)(4)(A)(i)(I).

1. Taking all of this together, to allege a violation of § 1030(a)(2)(C), Royal must plead that: (1) Defendants intentionally accessed a computer; (2) the access was unauthorized or exceeded Defendants’ authorized access; (3) through that access, Defendants thereby obtained information from a protected computer; and (4) the conduct caused loss to one or more persons during any one-year period aggregating at least $5,000 in value. At this threshold stage, Defendants do not contest the first or third elements, and we will accept, for today's purposes, that Royal's claim meets the $5,000 threshold in element four. That leaves the second element: whether Defendants’ access was unauthorized, or whether Defendants exceeded their authorized access, when they sent Royal's confidential information from their work devices to their personal email accounts.

We can narrow our focus even more. Royal acknowledges that Defendants had authorization to access company information through their company email accounts, and thus does not assert that Defendants’ access was without authorization. What remains for our resolution then is whether Defendants nonetheless "exceed[ed] [their] authorized access" by misusing the accessed information in violation of company policy. Id. § 1030(a)(2).

In answering that question, we begin with the CFAA's definitional provisions. The Act defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). Critical to that formulation are the terms "access," "authorization," and "obtain or alter." We have previously defined the term "authorization," at least in the inverse: "[A] defendant who accesses a computer ‘without authorization,’ " we have said, "does so without sanction or permission." Pulte Homes , 648 F.3d at 304 (citing LVRC Holdings, LLC v. Brekka , 581 F.3d 1127, 1132–33 (9th Cir. 2009) ). "Authorization" thus means to have sanction or permission. Likewise, as to the terms "obtain" and "alter," Royal emphasizes mainly the former, which is customarily understood as "to gain" or "to attain." Obtain , Oxford English Dictionary Online (3d ed. 2004).

Now the term "access." It is commonly defined as some variation of "entry," generally the initial entry into something. Dictionaries include several variations of "access," one of which is "[t]he power, opportunity, permission, or right to come near or into contact with someone or something; admittance; admission." Access , Oxford English Dictionary Online (3d ed. 2011). Another definition describes how "access" customarily is used in a digital setting: "[t]he opportunity, means, or permission to gain entrance to or use a system, network, file, etc." A related definition describes "access" as "[t]he process or act of obtaining or retrieving data from storage." Id. Further reflecting how "access" is used in our technology-based society, Oxford includes a sample use of the term, defining "[h]acking" as "the practice of gaining illegal or unauthorized access to other people's computers." Id. (emphasis in original).

Reading these definitional provisions together, it follows that in utilizing the phrase "exceeds authorized access," the CFAA targets one who initially "gain[s] entrance to ... a system, network, or file" with "sanction or permission," and then "gain[s] or...