Gemstone Foods, LLC v. AAA Foods Enters.
| Decision Date | 26 February 2022 |
| Docket Number | 5:15-cv-01179-MHH,5:15-cv-02207-MHH |
| Parties | GEMSTONE FOODS, LLC et al., Plaintiffs, v. AAA FOODS ENTERPRISES, INC. et al., Defendants. v. MICHAEL ENSLEY et al., Plaintiffs, v. BEN O. TURNAGE et al., Defendants. |
| Court | U.S. District Court — Northern District of Alabama |
Gemstone and RCF allege that the defendants violated the Computer Fraud and Abuse Act - the CFAA - because the defendants (Doc. 391 pp. 89-90, ¶ 5.132). “Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer” violates the CFAA. 18 U.S.C § 1030(a)(2)(C). “[E]xceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). The CFAA provides a private right of action for “[a]ny person who suffers damage or loss by reason of a violation of [the CFAA].” 18 U.S.C. § 1030(g).
Gemstone's CFAA claim pertains to the Wester laptop. (Doc. 391, pp 8990). Mr. Wester accessed Gemstone information from the Toshiba laptop while he worked for Gemstone and after he left Gemstone and brought the laptop to Farm Fresh. Mr. Wester may be liable to Gemstone under the CFAA if, when he used the laptop to access Gemstone information, he obtained Gemstone information that he was not authorized to obtain.
The Supreme Court's recent decision in Van Buren v. United States, 141 S.Ct. 1648 (2021), sheds light on Gemstone's claim concerning the Wester laptop. In Van Buren, the defendant, a former police sergeant, “used his patrol-car computer to access the law enforcement database with his valid credentials” to run a license- plate search in exchange for money. Van Buren, 141 S.Ct. at 1653. The United States charged the police officer with a felony violation of the CFAA “on the ground that running the license plate . . . violated the ‘exceeds authorized access' clause of 18 U.S.C. § 1030(a)(2).” Van Buren, 141 S.Ct. at 1653. The jury convicted the defendant, and the Eleventh Circuit affirmed the conviction, finding that the police officer exceeded his authorized access under the CFAA because, although he had the technological ability, permission, and credentials to access his computer and retrieve license plate information, he “access[ed] the law enforcement database for an ‘inappropriate reason.'” Van Buren, 141 S.Ct. at 1654.
The Supreme Court granted certiorari in Van Buren to examine potential CFAA liability for people who access computers they are authorized to access, obtain information on those computers they are authorized to obtain, but then use that information for an improper purpose. See Van Buren, 141 S.Ct. at 1653 n.2. The Supreme Court found that such people do not violate the CFAA:
In sum, an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer-such as files, folders, or databases- that are off limits to him. The parties agree that [the defendant] accessed the law enforcement database system with authorization. The only question is whether [the defendant] could use the system to retrieve license-plate information. Both sides agree that he could. [The defendant] accordingly did not “excee[d] authorized access” to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose. We therefore reverse the contrary judgment of the Eleventh Circuit ....
Under Van Buren then, the dispositive question is whether Mr. Wester was restricted from accessing Gemstone's computer system from the Toshiba laptop, restricted from accessing policy documents and other records that he copied, and/or restricted from accessing co-employees' email accounts and email messages which he did not receive through his own Gemstone email account. Viewing the evidence in the light most favorable to Gemstone and RCF, the answer is yes and no. The parties seem to agree that, while Mr. Wester worked at Gemstone, he was authorized to access policy documents and other records from Gemstone's computer system.[1]Therefore, a CFAA claim may not rest on evidence that Mr. Wester downloaded to the Toshiba laptop certain Gemstone forms and policies while he worked at Gemstone.
The Gemstone employee email accounts that Mr. Wester accessed in the Gemstone computer system and downloaded onto the laptop are another matter. In his first deposition, Mr. Wester testified that when Gemstone began operating, he helped employees set up their email accounts. . He stated that when Gemstone opened its second plant, he set up a Gmail account in his name so that “[they] could access files at either plant one or plant two.” (Doc. 4228, pp. 18-19, tpp. 68-69; see also Doc. 422-8, p. 19, tp. 70). At some point while he was working at Gemstone, Mr. Wester loaded his co-employees' Gemstone email accounts onto the Toshiba laptop. In his first deposition, Mr. Wester testified that in 2014, he would backup the laptop monthly because Mr. Welborn, Mr. Pass, and Ms. Campos “kept losing” email messages. . Mr. Wester acknowledged that he created several accounts on the laptop for Gemstone employees, including Mr. Power and Mr. Knight, in January and February of 2015 after discussions about the creation of Farm Fresh were underway. . Mr. Wester stated that he was “keeping everybody updated.” (Doc. 422-8, p. 26, tp. 97). In addition, Mr. Wester acknowledged that after he left Gemstone on February 16, 2015, he continued to set up Gemstone email accounts on the laptop. .
Mr. Wester was not authorized to access Gemstone's computer system and take information from Gemstone email accounts after he left Gemstone. Mr. Wester's technological ability to access the email accounts because Gemstone had not yet changed the passwords for the accounts is not the equivalent of permission to access the accounts. Jurors reasonably could conclude from the evidence that Gemstone did not learn that Mr. Wester took the Toshiba laptop with him when he left the company until Mr. Wester turned the laptop over to his attorneys in 2018, and Gemstone did not know that Mr. Wester had downloaded Gemstone employees' email accounts onto the laptop until a forensic examination of the laptop was completed during this litigation. Unlike the parties in the Van Buren case, the parties here do not agree that Mr. Wester was authorized to access Gemstone email accounts after he left Gemstone. In fact, there is no evidence in the record that indicates that Gemstone gave Mr. Wester permission to access Gemstone email accounts after he left the company in February of 2015.
Moreover, the evidence viewed in the light most favorable to the plaintiffs indicates that, even while he worked at Gemstone, Mr. Wester did not have permission to access Gemstone email accounts other than his own. Mr. Wicker testified that he was responsible for setting up employees' email accounts. (Doc. 419-7, p. 13, tp. 40).[2] Mr. Wicker testified that Mr. Wester did not inform him that he (Mr. Wester) was setting up Outlook email accounts as a backup in case Gemstone employees lost email messages. (Doc. 419-7, p. 53, tp. 200). When asked in his deposition whether he authorized Mr. Wester to place his Gemstone email account on the Toshiba laptop, Mr. Welborn said no. .
Mr. Pass did not remember Mr. Wester informing him (Mr. Pass) that his email would be downloaded onto the Toshiba laptop. . Mr. Power and Mr. Easterling testified that they did not know of anyone at Gemstone who had access to their Gemstone Foods Outlook accounts while they worked for the company. (Doc. 422-10, p. 70, tp. 266; Doc. 422-12, p. 84, tp. 324). And in his first deposition, Mr. Wester testified that neither Mr. Ensley nor Gary Hill knew that he (Mr. Wester) had installed co-employees' Gemstone email accounts on the Toshiba laptop. (Doc. 422-8, p. 26-27, 100-01). The Court has found no evidence, other than Mr. Wester's testimony, that suggests that Gemstone gave him ongoing access to Gemstone email accounts other than his own. A jury does not have to accept Mr. Wester's testimony in this regard.[3] Therefore, evidence concerning a CFAA violation connected to Wester laptop is disputed.
Before a jury may decide whether Mr. Wester violated the CFAA Gemstone must identify evidence of damages the company incurred because of the alleged CFAA violation. A party may proceed with a civil action for a CFAA violation only if the alleged misconduct involves one of several factors, including “loss to 1 or more persons during any 1-year period . . . aggregating at least $5, 000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i)(I). A CFAA “loss” is “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). Damages under...
To continue reading
Request your trial