Hamilton Grp. Funding, Inc. v. Basel

• Decision Date: 12 April 2018
• Docket Number: CASE NO. 16–61145–CIV–ZLOCH
• Citation: 311 F.Supp.3d 1307
• Parties: HAMILTON GROUP FUNDING, INC., Plaintiff, v. Gerard Anthony BASEL, Defendant.
• Court: U.S. District Court — Southern District of Florida

311 F.Supp.3d 1307

HAMILTON GROUP FUNDING, INC., Plaintiff,

v.Gerard Anthony BASEL, Defendant.

CASE NO. 16–61145–CIV–ZLOCH

United States District Court, S.D. Florida.

Signed April 12, 2018

Order denying motion to alter or amend July 23, 2018

Christopher Stephen Carver, Akerman Senterfitt, Miami, FL, Paul Leo Kobak, Jason Samuel Oletsky, Stacy J. Rodriguez, Akerman Senterfitt, Ft. Lauderdale, FL, for Plaintiff.

Larry Allan Karns, Ryan Charles Shrouder, Spink & Associates, P.A., Cooper City, FL, for Defendant.

ORDER

WILLIAM J. ZLOCH, Sr. United States District Judge

THIS MATTER is before the Court upon Plaintiff Hamilton Group Funding, Inc.'s, Motion For Summary Judgment On Liability (DE 31) and Defendant Gerard Anthony Basel's Motion For Summary Judgment (DE 33). The Court has carefully reviewed said Motions, the entire court file and is otherwise fully advised in the premises.

In the above-styled cause, Plaintiff Hamilton Group Funding, Inc. (hereinafter "Plaintiff") alleges that Defendant Gerard Anthony Basel (hereinafter "Defendant") disclosed Plaintiff's internal communications, to non-party Daniel Lucas (hereinafter "Lucas") and his counsel for use in his state court action against Plaintiff and others. Based on this belief about Defendant's involvement in Lucas's possession of these documents, Plaintiff asserts two remaining counts against Defendant, Count I, for violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq.,¹ and Count II, for violation of the Electronic Communications Privacy Act, 18 U.S.C. § 2510, et seq., pursuant to its provision of a private cause of action at 18 U.S.C. § 2520, and also for violation of the Stored Communications Act, 18 U.S.C. § 2701, et seq., pursuant to its provision of a private cause of action at 18 U.S.C. § 2707. The Stored Communications Act is contained within the Electronic Communications Privacy Act.

I. Background

Plaintiff is a mortgage lending firm offering residential mortgage products.² Defendant was hired by Plaintiff as an IT consultant in January of 2014 and promoted in April of 2015 to Assistant Vice President, Director of Information Systems, a position he retained until his resignation on May 5, 2016. Lucas was a co-founder of Plaintiff and served as the CFO and President until his April, 2014 termination. Following his termination, Lucas initiated a lawsuit, currently pending in the Circuit Court of the Seventeenth Judicial Circuit, in and for Broward County, Florida, against Plaintiff and Plaintiff's officers and managers (hereinafter "Lucas lawsuit"). In the course of this state court action, Defendant assisted Plaintiff's attorneys with discovery, executed an affidavit, and sat for a deposition on April 6, 2016. On April 18, 2016, during Lucas's deposition of Plaintiff's CEO Mark Korell, one of the defendants in that lawsuit, seven exhibits were marked with dates subsequent to Lucas's termination and which Plaintiff had not produced to Lucas in discovery. See DE 32–7 (hereinafter "Korell Exhibits"). One of these documents is an offer letter to Michael Clark; the others consist of emails, frequently involving Mr. Korell and at times discussing Lucas. The precise nature of these communications and their relevance to the claims at issue in Lucas's lawsuit are not material to the resolution of the issues at stake in the above-styled cause, and thus the Court will not further describe their contents. But, the surfacing of these documents led to Plaintiff's investigation of a potential security breach related to these exhibits and ultimately to its request that Defendant attend a meeting. Defendant agreed to attend this meeting, but on the evening before the meeting, he resigned with no prior notice on May 5, 2016.

Plaintiff uses the Microsoft 365 platform to run its computer systems, including e-mails and daily activities.³ Prior to his resignation, Defendant had full and complete global administrative rights to Plaintiff's computer systems and servers. During Defendant's employment with Plaintiff, he received two versions of an Employee Handbook. Some relevant portions in the 2014 Employee Handbook (DE 32–4) from the section "Use of Communications & Computer Systems & Information Security," state in pertinent part:

Hamilton Group Funding, Inc. has provided these computer and communications systems to help conduct business. Although limited personal use of the Company's systems is allowed to the extent it does not violate any Company policy or interfere with job performance, no use of these systems should ever conflict with the primary business purpose for which they have been provided, with the Company's ethical responsibilities or with applicable laws and regulations. Each user is personally responsible to ensure that these guidelines are followed.

...

No employee may access, or attempt to obtain access to another employee's computer systems without appropriate authorization.

DE 32–4, pp. 25–26. The revised 2015 Employee Handbook (DE 32–5) included some of the exact same language, which will be quoted here again, as well as some additional sections. Under the section, "Technology Use and Privacy," in language virtually identical to that appearing in the 2014 Employee Handbook, this revised version states:

HGF has provided these computer and communications systems to help conduct business. Although limited personal use of the Company's systems is allowed to the extent it does not violate any Company policy or interfere with job performance, no use of these systems should ever conflict with the primary business purpose for which they have been provided, with the Company's ethical responsibilities or with applicable laws and regulations. Each user is personally responsible to ensure that these guidelines are followed.

...

No employee may access, or attempt to obtain access to another employee's computer systems without appropriate authorization.

DE 32–5, pp. 42–43.

Following Mr. Korell's deposition, on April 20, 2016, Plaintiff hired Jeffrey E. Tuley (hereinafter "Tuley") of Net Evidence, Inc., to perform a computer forensic investigation as to whether there had been a security breach in Plaintiff's systems. The Parties are greatly at odds over the interpretation of Tuley's findings, but not with the findings themselves. Thus, the Court sets forth statements within his Expert Witness Report (DE 32–3) which the Court deems relevant to its analysis of the instant Motions (DE Nos. 31 & 33). Tuley concluded:

The only location the Korell Exhibits were found was inside the mailbox of Mr. Korell. This indicated they were not at that time saved or forwarded to another mailbox or user drive space of [Plaintiff]. Additionally, I reviewed audit and log data from the Office 365 system and Mark Korell's system to identify any accessing of his files or system. The log data did not show any access from other user accounts to Mark Korell's information.

DE 32–3, ¶ 9. During his review of users of Plaintiff's system, Tuley located a user, Keri Ochs (hereinafter "Ochs"), Plaintiff's former Vice President and Head of Information Systems, whose employment ended in April of 2014, but who, nevertheless, at the time of his investigation in April of 2016, still retained full and complete global administrative rights to Plaintiff's systems. Tuley's report observes that these credentials remaining active presented an "unsecure ‘open door’ " Id. at ¶ 12, and he notes that an unidentified party using her username and credentials accessed her mailbox on June 9, 2015, and, again, as recently as February 9, 2016. See Id. at ¶¶ 16, 19. Tuley also analyzed Defendant's laptop and included several paragraphs about his related findings:

My forensic inspection of [Defendant]'s laptop revealed that, prior to returning the laptop, [Defendant], or someone acting on his behalf, had deleted the "user directory" and his personal profile from the computer. Additionally, I determined that on or about April 22, 2016, between the hours of 10:00 pm and 11:59 pm (based on the clock settings in the laptop), [Defendant], or someone acting on his behalf, deleted a number of files (including documents and other data) from the laptop's hard drive while at the same time multiple USB Removable Flash Drives were connected to the laptop.

Specifically, a SanDisk Cruzer Glide USB Flash Drive and a Silicon Power USB Drive were plugged into on the laptop between 10:00 p.m. and 11:59 p.m. on April 22, 2016, i.e., during the time files were being deleted from the laptop hard drive.

I was not able to recover any of the files deleted from the laptop's hard drive or to determine what may have been downloaded to any of the USB flash drives.

DE 32–3, ¶¶ 30–32. Finally, while Tuley was not able to arrive at any definitive conclusions about the security breach, he provides this assessment:

Based on my investigation, it is my determination that someone using Ochs' credentials accessed Ochs' OneDrive and mailbox on [Plaintiff]'s computer system well after Ochs' resignation from [Plaintiff]. Whoever logged into [Plaintiff]'s computer system using Ochs' credentials would have had access to all of the emails of any [Plaintiff] employee, including Mark Korell, Mike Clark, and John Kantor, as well as full access to any other documents or information [Plaintiff] maintained within [Plaintiff]'s Microsoft 365 account.

[Defendant] with his credentials could have accessed the entire email system or could have used Ochs' credentials such that use of Ochs' credentials to access [Plaintiff]'s computer system is not the only method by which someone with global administrative access credentials could have obtained the Korell Exhibits.

Id. at ¶¶ 36–37.

Though Defendant was deposed, he frequently asserted his Fifth Amendment right not to incriminate himself. U.S. Const. amend. V. As noted above, both the CFAA and SCA are primarily criminal statutes, which also include the private civil causes of action asserted in the above-styled cause. The Court will...