Maritz Holdings Inc. v. Cognizant Tech. Sols. U.S. Corp., Case No. 4:18-CV-826 CDP
| Decision Date | 19 December 2019 |
| Docket Number | Case No. 4:18-CV-826 CDP |
| Parties | MARITZ HOLDINGS INC., Plaintiff, v. COGNIZANT TECHNOLOGY SOLUTIONS U.S. CORPORATION, Defendant. |
| Court | U.S. District Court — Eastern District of Missouri |
In 2016 and 2017, plaintiff Maritz Holdings was the victim of phishing cyberattacks which led to unknown perpetrators obtaining over $12 million dollars' worth of reward gift cards. An investigation into the 2017 cyberattack allegedly revealed a connection to account credentials that Maritz had issued to employees of its IT services provider, defendant Cognizant Technology Solutions U.S. Corporation. Maritz brings this suit alleging that Cognizant violated the federal and Missouri computer tampering statutes and breached its contract in a number of ways. Maritz also alleges tort claims of conversion, negligence and unjust enrichment.
Cognizant moves to dismiss the complaint, arguing that Maritz has failed to allege that any Cognizant employee committed any of the cyberattacks and that Maritz cannot state claims against it under any of the theories set out in the complaint. I will grant the motion to dismiss as to the two statutory computer tampering claims and as to the conversion claim (Counts I, II and III). I also agree that Maritz cannot obtain the remedy of an accounting as part of its unjust enrichment claim, and so I will dismiss that claim for relief from Count VI. The motion is denied as to Maritz's remaining breach of contract, negligence, and unjust enrichment claims.
Maritz designs and operates customer rewards programs for corporate clients. In connection with these programs, Maritz purchases redeemable electronic gift cards and stores them in its internal computer system before issuing the gift cards to program participants. Maritz alleges its system was targeted in two successful cyberattacks in March 2016 and February 2017.
In the March 2016 attack, an unidentified perpetrator directed three rounds of phishing emails to more than two hundred Maritz employees. The emails contained a corrupted file which, when loaded, installed a concealed "backdoor" in the target computer. The backdoor granted the perpetrator broad access to Maritz's internal computer system, allowing the perpetrator to download and redeem gift cards worth more than $11 million. Maritz's investigation into the 2016 attack could not determine the sources of the phishing emails and subsequent theft.
The February 2017 cyberattack unfolded in similar fashion. As before, an unidentified perpetrator sent phishing emails to Maritz employees. The phishing emails contained a malicious link that installed concealed remote access tools in several Maritz computers, granting the perpetrator unfettered and undetected access to Maritz's internal computer system. Among other confidential information, the perpetrator harvested access credentials for Maritz' card fulfillment system, and allegedly stole an additional $1.2 million in unissued gift cards. Maritz again investigated the attack; unlike the first, this investigation revealed several links to Cognizant employees.
Cognizant and Maritz had entered into an Offshore Contracting Master Services Agreement (the "MSA") in 2010 to provide IT support and outsourcing services.1 Cognizant employees were issued individual accounts with limited access to Maritz's computer system and databases. Maritz's investigation into the 2017 attack revealed the attackers were accessing the Maritz system using account credentials registered to Cognizant. The investigation also uncovered a third hacking attempt tied to a Cognizant account, and revealed that Cognizant employees had shared their account credentials in violation of Maritz companypolicy. Based on this information, Maritz concluded that Cognizant employees were responsible for the February 2017 phishing attack and gift card theft.
Maritz's investigation additionally revealed that the same program was used by the perpetrator in both the 2017 and 2016 attacks, and that the 2017 attack showed similarities to the 2016 attack. Maritz ultimately concluded that the same Cognizant employees implicated in the February 2017 attack were also responsible for the larger March 2016 attack.
Maritz thereafter filed this case against Cognizant alleging one violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, one violation of the Missouri Computer Tampering Statute (MCTS), Mo. Rev. Stat. § 569.095, and one count each of conversion, breach of contract, negligence, and unjust enrichment. Cognizant denies that its employees had any involvement in the attacks, and now moves to dismiss each count under Rule 12(b)(6), Fed. R. Civ. P.
The purpose of a motion to dismiss under Rule 12(b)(6) of the Federal Rules of Civil Procedure is to test the legal sufficiency of the complaint. To survive a 12(b)(6) motion, a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief "that is plausible on its face." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). "A claim has facial plausibility when the plaintiff pleadsfactual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. Although a complaint need not contain "detailed factual allegations," it must allege facts with enough specificity "to raise a right to relief above the speculative level." Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007). "A well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of those facts is improbable, and 'that a recovery is very remote and unlikely.'" Id. at 556 (internal citation omitted).
Cognizant argues that Maritz has made no plausible allegations that would show that it or its employees were responsible for the cyberattacks. However, on this motion to dismiss, I must assume the truth of Maritz's factual allegation that "the attackers were accessing the Maritz system using accounts registered to Cognizant" in relation to the 2017 attack. This allegation gives rise to a reasonable inference that a Cognizant employee was responsible for the 2017 hacking. Further, based on Maritz's allegations that the second attacker had used the same program and "had run searches . . . for certain words and phrases connected to the Spring 2016 attack," a reasonable inference can be drawn that the same perpetrator committed the two attacks. ECF 1 at ¶ 42. Accordingly, because Maritz has plausibly alleged a Cognizant employee committed the 2017 gift card theft, andalleged facts from which a reasonable inference can be drawn that the same perpetrator committed the 2016 theft, I will deny Cognizant's motion to dismiss to the extent it challenges the facial plausibility of Maritz's allegations.
Count I of Maritz's complaint is brought under the federal CFAA, 18 U.S.C. § 1030. Count II is brought under Missouri's analogous computer tampering statute, Mo. Rev. Stat. § 569.095. Both computer tampering statutes provide civil remedies to owners of protected computers who are injured by one who accesses computers, or modifies or discloses data, without authorization or by exceeding the perpetrator's authorization. 18 U.S.C. § 1030(g); Mo. Rev. Stat. § 569.095, § 537.525. The federal statute provides the remedy against "the violator," while the state law provides the remedy against "any person who violates" the law. Id.
In both counts, and in Maritz's common-law conversion claim in Count III, Maritz alleges that one or more Cognizant employees accessed Maritz's network without authorization (or exceeded their authorized access) and improperly removed confidential data. Maritz alleges that Cognizant is vicariously liable for the acts of its employees because, based "on information and belief," the Cognizant employees committed the hacking "while acting in the scope of their employment and under the control and supervision of Cognizant." ECF 1 at ¶ 50.Maritz complaint, however, fails to allege any facts that could plausibly support its conclusory allegation that the Cognizant employees' unlawful acts fell within the course and scope of employment.2
Under the doctrine of respondeat superior, an employer may be held vicariously liable for its employee's misconduct where that employee is acting within the course and scope of his employment. Tuttle v. Muenks, 964 S.W.2d 514, 517 (Mo. Ct. App. 1998). "The course and scope of employment is defined as acts (1) which, even though not specifically authorized, are done to further the business or interests of the employer under his 'general authority and direction' and (2) which naturally arise from the performance of the employer's work." Hilyard v. Medtronic, Inc., 21 F. Supp. 3d 1012, 1016 (E.D. Mo. 2014) (quoting Daugherty v. Allee's Sports Bar & Grill, 260 S.W.3d 869, 872-73 (Mo. Ct. App. 2008)). The plaintiff has the burden of proving that an employee's tortious conduct was within the course and scope of his employment. Ewing-Cage v.Quality Productions, Inc., 18 S.W.3d 147, 150 (Mo. Ct. App. 2000) (citation omitted). A conclusory allegation that an employee's acts fall within the scope of employment is not sufficient to meet plaintiff's burden. Oetting v. Heffler, Radetich & Saitta, LLP, No. 4:11-CV-253 CEJ, 2011 WL 3055235, at *3 (E.D. Mo. July 25, 2011).
Maritz's vicarious liability claims fail both prongs of Missouri's respondeat superior test. First, Maritz simply does not allege that the Cognizant employee perpetrator was serving Cognizant's interests in committing the hacking and conversion. This omission alone constitutes grounds to dismiss Maritz's vicarious liability claims. See Oetting, 2011 WL 3055235, at *4 ().
Moreover, Maritz does not allege any...
To continue reading
Request your trial