Us Bioservices Corp. v. Lugo

• Decision Date: 21 January 2009
• Docket Number: Case No. 08-2342-JWL.
• Citation: 595 F.Supp.2d 1189
• Parties: US BIOSERVICES CORPORATION, et al., Plaintiffs, v. Leticia LUGO, et al., Defendants.
• Court: U.S. District Court — District of Kansas

595 F.Supp.2d 1189

US BIOSERVICES CORPORATION, et al., Plaintiffs, v. Leticia LUGO, et al., Defendants.

Case No. 08-2342-JWL.

United States District Court, D. Kansas.

January 21, 2009.

Stacey A. Campbell, Littler Mendelson, PC, Denver, CO, Thomas M.L. Metzger, Littler Mendelson, PC, Colombus, OH, for Plaintiffs.

Anthony J. Paduano, Paduano & Weintraub LLP, New York, NY, James A. Durbin, Swanson Midgley, LLC, Kansas City, MO, for Defendants.

MEMORANDUM AND ORDER

JOHN W. LUNGSTRUM, District Judge.

Plaintiffs are specialty pharmaceutical care providers, servicing the pharmaceutical needs of manufacturers, physicians, patients, and payors. In this action, by their second amended complaint, plaintiffs allege that defendants Leticia Lugo and Garth Groman, while still employed by plaintiffs, obtained plaintiffs' confidential information; that Ms. Lugo and Mr. Groman disclosed such information to their new employer, defendant Axelcare Health Solutions, LLC ("Axelcare"), a competitor of plaintiffs; and that defendants have used such information to interfere with plaintiffs' contractual and business relationships. Plaintiffs assert claims for violations of the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030; misappropriation of trade secrets in violation of K.S.A. § 60-3320; tortious interference with contract and prospective business relations; and breach of contract.

This matter presently comes before the court on defendants' motion to dismiss the entire complaint for failure to state a claim, pursuant to Fed.R.Civ.P. 12(b)(6) (Doc. # 41). For the reasons set forth below, the court grants the motion in part and denies it in part. The court grants the motion with respect to plaintiffs' claims for violations of section 1030(a)(5) of the CFAA, and those claims are hereby dismissed. The court denies the motion as it relates to plaintiffs' other claims.

I. Applicable Standards

The court will dismiss a cause of action for failure to state a claim only when the factual allegations fail to "state a claim to relief that is plausible on its face," Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 127 S.Ct. 1955, 1974, 167 L.Ed.2d 929 (2007), or when an issue of law is dispositive. Neitzke v. Williams, 490 U.S. 319, 326, 109 S.Ct. 1827, 104 L.Ed.2d 338 (1989). The complaint need not contain detailed factual allegations, but a plaintiff's obligation to provide the grounds of entitlement to relief requires more than labels and conclusions; a formulaic recitation of the elements of a cause of action will not do. Bell Atlantic, 127 S.Ct. at 1964-65. The court must accept the facts alleged in the complaint as true, even if doubtful in fact, id. at 1965, and view all reasonable inferences from those facts in favor of the plaintiff, Tal v. Hogan, 453 F.3d 1244, 1252 (10th Cir.2006). Viewed as such, the "[f]actual allegations must be enough to raise a right to relief above the speculative level." Bell Atlantic, 127 S.Ct. at 1965 (citations omitted). The issue in resolving a motion such as this is "not whether [the] plaintiff will ultimately prevail, but whether the claimant is entitled to offer evidence to support the claims." Swierkiewicz v. Sorema N.A., 534 U.S. 506, 511, 122 S.Ct. 992, 152 L.Ed.2d 1 (2002) (quoting Scheuer v. Rhodes, 416 U.S. 232, 236, 94 S.Ct. 1683, 40 L.Ed.2d 90 (1974)).

II. CFAA Claims

Plaintiffs have asserted claims against defendants Lugo and Groman under paragraphs (a)(2)(C), (a)(4), (a)(5)(A)(ii), and (a)(5)(A)(iii) of the CFAA (Count IV of the second amended complaint). Those provisions create civil liability against whoever does the following:

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

...

(C) information from any protected computer¹ if the conduct involved an interstate or foreign communication; [or]

...

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value ...; [or]

...

(5)(A)(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage²; or

(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.

18 U.S.C. § 1030(a)(2), (4), (5)(A)(ii) and (iii) (emphasis added); see also id. § 1030(g) (providing for civil liability for violations involving certain conduct, including conduct causing a loss of at least $5,000 in value). Thus, paragraphs (a)(2) and (a)(4) apply only if the defendant accesses the computer "without authorization" or "exceeds authorized access," while paragraph (a)(5)(A)(ii) or (iii) applies only if the defendant accesses the computer "without authorization."

The individual defendants argue that in committing the allegedly wrongful acts—obtaining confidential information on their work computers, e-mailing it to their personal e-mails, and later disclosing it to their new employer—they did not access plaintiffs' computers without authorization or exceed their authorized access, as required for liability, because they were authorized to access that particular information in their employment with plaintiffs. Thus, they seek dismissal of plaintiffs' claims under the CFAA.

Plaintiffs argue in response that a person acts without authorization or exceeds his authorization when he obtains information from his employer's computer system for a wrongful purpose, such as the disclosure of confidential information to a competitor. Indeed, a few courts have focused on the defendant's intent or his use of the information in finding liability under the CFAA. See, e.g., International Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir.2006); Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1124 (W.D.Wash.2000). In Shurgard, the court, in concluding that the plaintiff had stated a claim under paragraph (a)(2)(C) of the CFAA, held that the plaintiff's former employees had acted without authorization when they obtained information from the plaintiff's computers because, under Restatement (Second) of Agency § 112, their authorization terminated when they allegedly became agents of the defendant competitor during the act. See Shurgard, 119 F.Supp.2d at 1124. In Citrin, the court similarly held that the defendant's authorization to access the plaintiff's computer files had terminated when he violated his duty of loyalty to his employer imposed by agency law. See Citrin, 440 F.3d at 420-21.

A number of courts have rejected the Shurgard and Citrin courts' reliance on agency law in applying the authorization provisions of the CFAA, instead applying those provisions in the manner urged by defendants here. See, e.g., Condux Int'l, Inc. v. Haugum, 2008 WL 5244818, at *4-6 (D.Minn. Dec. 15, 2008); Black & Decker (US), Inc. v. Smith, 568 F.Supp.2d 929, 933-36 (W.D.Tenn.2008); Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 963-68 (D.Ariz.2008); Diamond Power Int'l, Inc. v. Davidson, 540 F.Supp.2d 1322, 1341-43 (N.D.Ga.2007); Brett Senior & Assocs., P.C. v. Fitzgerald, 2007 WL 2043377, at *3-4 (E.D.Pa. July 13, 2007); Lockheed Martin Corp. v. Speed, 2006 WL 2683058, at *4-7 (M.D.Fla. Aug. 1, 2006); International Ass'n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F.Supp.2d 479, 498-99 (D.Md.2005). Neither side to the present dispute has acknowledged this clear split in the caselaw or argued why this court should favor one line of cases over the other; instead, each side merely attempts to distinguish factually the "non-controlling" cases cited by the other. Thus, the parties have offered little help in resolving this conflict.

After reviewing the cases, this court finds persuasive the reasoning of the courts in the latter line of cases. Accordingly, the court follows their lead in holding that, under these provisions of the CFAA, access to a protected computer occurs "without authorization" only when initial access is not permitted, and a violation for "exceeding authorized access" occurs only when initial access to the computer is permitted but the access of certain information is not permitted. See, e.g., Shamrock, 535 F.Supp.2d at 963.

The court particularly adopts the synthesis of the arguments and caselaw and the analysis of the court in Shamrock, which the court will summarize here. First, the plain language of the CFAA compels this interpretation. "Without authorization" is not defined in the CFAA, but "authorization" is commonly equated with permission. See id. at 965 (quoting Lockheed, 2006 WL 2683058, at *5). The CFAA defines "exceeds authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). Thus, under the clear language of the statute, a violation for exceeding authorized access occurs when the defendant has permission to access the computer in the first place, but then accesses certain information to which he is not entitled. Under Citrin and Shurgard, on which plaintiffs rely, a person who has initial authorization to use the computer but then, with an improper purpose and in breach of his duty of loyalty, acquires information to which he is not entitled has acted "without authorization"—despite the statute's contemplation that such conduct constitutes "exceeding authorized access". In that way, the Citrin and Shurgard courts have overlooked the distinction between, and thereby conflated, the "without authorization" and "exceeds authorized access" prongs of the statute. See Shamrock, 535 F.Supp.2d at 965 (quoting Diamond Power, 540 F.Supp.2d at 1342-43). Accordingly, the language of the CFAA targets "the unauthorized procurement or alteration of information, not its misuse or misappropriation." Id. (quoting ...