Epic Sys. Corp. v. Tata Consultancy Servs. Ltd.
| Decision Date | 02 March 2016 |
| Docket Number | 14-cv-748-wmc |
| Parties | EPIC SYSTEMS CORPORATION, Plaintiff, v. TATA CONSULTANCY SERVICES LIMITED and TATA AMERICA INTERNATIONAL CORPORATION d/b/a TCA America, Defendants. |
| Court | U.S. District Court — Western District of Wisconsin |
In this highly contentious lawsuit, plaintiff Epic Systems Corporation asserts a variety of federal and state law claims against defendants Tata Consultancy Services Limited and Tata America International Corporation, respectively, a much larger, India-based company and its smaller U.S. arm. Among other things, defendants provide information technology services to the U.S. healthcare industry, while Epic is a leading provider of software to this industry. Essentially, plaintiff claims that defendants accessed its web portal without authorization while servicing a mutual client, and then used information obtained to help develop their own competitive software product and for other improper purposes. Before the court are the parties' cross-motions for partial summary judgment. (Dkt. ##195, 197.)
As noted by the court in earlier opinions and explained in greater detail below, plaintiff has compelling evidence of unauthorized access by a number of defendants' employees over an extended period of time. Based on this and other undisputed evidence, the court will grant plaintiff partial summary judgment on breach of contract claims for failure to provide written notice of unauthorized access and failure to maintain the confidentiality of Epic information and documents. The court will also grant partial summary judgment to plaintiff under the first element of the Computer Fraud and Abuse Act, 19 U.S.C. §1030(g), finding a violation of the CFAA based on defendants' unauthorized access. Finally, the court will grant plaintiff's motion with respect to its claims under the Wisconsin Computer Crimes Act, Wis. Stat. § 943.70(2)(a), based on unauthorized access and sharing of password information. In all other respects, plaintiff's motion for partial summary judgment will be denied for the reasons explained below.
In their motion, defendants correctly point out weaknesses in plaintiff's evidence of improper use of the accessed documents, as opposed to improper access. Nonetheless, a reasonable jury could find improper use based on circumstantial evidence in this record. Accordingly, the court will deny defendants' motion for partial summary judgment, save for plaintiff's conversion claim, because the property at issue is not "chattel" as a matter of Wisconsin law.1
Epic Systems Corporation is a Wisconsin corporation with its headquarters in Verona, Wisconsin. Since its inception in 1979, Epic has developed, installed and supported an integrated suite of software used by hospitals, medical groups and other healthcare organizations. Epic's software is recognized in the industry as a market leader, being used by an estimated 281,000 physicians worldwide to manage the care and records of approximately 169 million patients. Epic itself now has approximately 9,500 employees located in the United States.
Epic maintains a web portal called the "UserWeb," which contains product materials, updates, training materials and other documents detailing Epic's software and its data model, as well as information on training, setup, support and operation, and details the features and configuration of Epic's software. The UserWeb also contains discussion forums where Epic customers can communicate. Epic provides access to the UserWeb to customers, who then use information from the UserWeb to install, maintain and support its software. Epic also allows third-parties (such as consultants working for customers) to access information through Epic's UserWeb web portal necessary to further implementation, integration or testing. Epic contends, however, that only a portion of the UserWeb is available to consultants working with a customer. Furthermore, itappears that consultants generally need to sign a UserWeb Access Agreement that expressly restricts their use of this information.
The parties dispute whether Epic takes sufficient precautions to protect access to the UserWeb, including how Epic authorizes individual registration of UserWeb accounts. Because these facts are marginally relevant to the issues before the court on summary judgment, these factual disputes are not recounted except where germane to the specific issue being discussed in the opinion below. (See Defs.' PFOFs (dkt. #210) ¶¶ 23, 82-92; Pl.'s Resp. to Defs.' PFOFs (dkt. #417) ¶¶ 23, 82-92; Pl.'s Add'l PFOFs (dkt. #415) ¶¶ 583-87.)
Defendant Tata Consultancy Services Limited ("TCS India") is an Indian corporation that provides information technology services, consulting and business solutions on a global scale, and offers a wide portfolio of infrastructure, engineering and assurance services. TCS India is part of the Tata Group. TCS India has more than 318,000 employees in 42 countries.
Defendant TCS America International Corporation ("TCS America") is a New York corporation, wholly owned by TCS India. Plaintiff presents evidence that TCS America is simply the U.S. arm of TCS India, including the testimony of defendants' corporate representative, Syama Sundar, that (1) defendants do not "distinguish" between TCS America and TCS India and (2) the two entities are considered "one and the same." (Pls.' PFOFs (dkt. #213) ¶¶ 49-61.) Defendants do not dispute the specific facts proposed by plaintiff, but dispute that "there is any evidence that TCS India andTCS America were the agents of each other at the times mentioned" in the complaint. (See, e.g., Defs.' Resp. to Pl.'s PFOFs (dkt. #308) ¶ 58.) The court need not resolve this agency issue either. Instead, the court will at times simply refer to defendants jointly as "TCS," consistent with the parties' treatment.
Although TCS's number one source of revenue is work done in the United States, which accounts for 56% of total revenue, it appears that TCS has only recently begin to penetrate the market for healthcare software. TCS's software product, Med Mantra, is a consolidated, comprehensive, integrated hospital management system. TCS began development of Med Mantra's predecessor, EHIS, in 2006. Med Mantra has been implemented at 17 hospitals and 44 clinics, all part of the Apollo Group in India and the Cancer Institute in Adyar, Chennai.3 Defendants contend that the development of Med Mantra has been driven by Apollo and that it is not a good fit for other Indian hospitals. Still, as plaintiff points out, some marketing materials describe Med Mantra's vision "to be recognized as a world leading Health Care Provider solution." (Pl.'s PFOFs (dkt. #213) ¶ 45 (quoting Richmond Decl., Ex. 12 (dkt. #227-1) 26.) Defendants nevertheless claim that Med Mantra is an Indian solution and not something TCS planned to implement worldwide, at least in the short term.4 (See Defs.' Resp. to Pl.'s Add'l PFOFs (dkt. #460) ¶ 562.)
While not a party to this action, Kaiser Permanente figures prominently in the parties' dispute. Kaiser Permanente, sometimes referred to as "KP," is a not-for-profit healthcare organization with approximately 150,000 employees who provide care to approximately 8.7 million members. Kaiser Permanente is the largest managed healthcare organization in the United States. Kaiser Permanente consists of Kaiser Foundation Health Plan, Kaiser Foundation Hospitals and their subsidiaries, and the Permanente Medical Groups. Kaiser Foundation Hospitals ("Kaiser") operates a chain of medical centers, hospitals, medical offices and clinics, primarily on the West Coast of the United States.
Because his role is central to the development of plaintiff's claims, the court will introduce one more key player to this dispute upfront. In October 2012, TCS hired Philippe Guionnet as the vendor engagement executive for the Kaiser account. TCS's CEO Natarajan Chandrasekaran (commonly referred to as "Chandra") recommended Guionnet to Sundar, the head of the Kaiser account at that time. Before his employment with TCS, Guionnet worked as a Chief Information Officer at Cendant and Avis, a Deputy Chief Information Officer at Disneyland Paris and a national Director of KPMG.5 As will be described below in more detail, Guionnet was the individual whoinformed the parties and Kaiser of his suspicion that TCS was accessing Epic's UserWeb without authorization and improperly using documents from the UserWeb.
On February 4, 2003, Epic entered into a written agreement with Kaiser to license computer software to Kaiser. Kaiser uses Epic's software as an electronic health record ("EHR") that gathers and utilizes patient information. Kaiser refers to specific Epic modules it uses at KPHealthConnect. As an Epic customer, Kaiser has access to the UserWeb.
Pursuant to the terms of their agreement, Kaiser is accountable to Epic for inappropriately sharing Epic's intellectual property with third parties, but that agreement does not require Kaiser to ensure that those third parties enter into a separate contract directly with Epic.
TCS began working with Kaiser in 2005. In early August of 2005, Epic learned that four individuals from TCS had registered for some classes at Epic. Originally, Epic thought that the individuals attempting to attend Epic classes were Kaiser employees. When Epic learned that the individuals were actually TCS employees, it asked Kaiser for more details about TCS's role with Kaiser. Upon learning that Epic did not have a non-disclosure agreement with TCS, Epic removed the individuals from the class and required that they leave their materials behind. Epic later explained in an email to a contact at Kaiser that Epic was being "extra vigilant" because, in...
To continue reading
Request your trial