RoadLink Workforce Solutions, L.L.C. (“RoadLink”) sued its
former employee Vern Malpass, claiming he “stole customer information and other
proprietary resources from his work computer before he went to work for a
competitor.” Roadlink Workforce Solutions, L.L.C. v. Malpass, 2013 WL 5274812
(U.S. District Court for the Western District of Washington 2013) (“RoadLink v. Malpass”). Roadlink alleged, among other things, that
Malpass violated “the Stored Communications Act, 1 U.S. Code § 2701 et seq. and
the Computer Fraud and Abuse Act, 18 U.S. Code § 1030”. RoadLink
v. Malpass, supra.
This, according to the opinion, is how the case arose:
RoadLink is a warehouse and workforce
logistics company. [It] provides various services to its clients, including
freight handling, warehousing, unloading of merchandise, and ancillary
services such as light maintenance and sanitation. One of RoadLink's largest
clients is the Fred Meyer store in Chehalis, Washington. . . .
Vern Malpass was a RoadLink employee
for ten years, until he resigned on April 23, 2013. During that time, Malpass
was promoted through the ranks of the company, serving a majority of his tenure
as Site Manager at the Chehalis Fred Meyer. As Site Manager, Malpass was
responsible for the day-to-day operations and financial management of
RoadLink's Chehalis Fred Meyer site, including managing the 250 RoadLink
employees at that site. . . .
In order to complete his day-to-day duties as Site
Manager, Malpass was issued a computer specifically for the Chehalis Fred Meyer
site. On that computer, he maintained and updated RoadLink's Trade Resource
files specific to the Chehalis Fred Meyer location, which included historical
information on hiring needs, communications between RoadLink and the Chehalis
Fred Meyer, communications between RoadLink and regional vendors, and other
information concerning the operations of the site.
Much of the information entered into the computer
was stored only on the [its] hard drive, with some communications stored
and backed up on the computer's Microsoft Outlook program linked to RoadLink's
email system. . . .
At the beginning of 2013, Fred Meyer
informed RoadLink it would be releasing a request for proposal in order to
receive competitive bids for the services that RoadLink was providing at the
Chehalis site. . . . Merit Integrated Logistics, one of RoadLink's competitors,
sought to obtain at least a portion of the Chehalis Fred Meyer contract. On
April 23, 2013 -- after it had already secured a piece of RoadLink's previous
contract with the Chehalis Fred Meyer, but before it began performing on that
contract -- Merit offered Malpass employment as its Site Manager at the
Chehalis Fred Meyer. . . . Malpass accepted the offer.
As part of his employment
with RoadLink, Malpass had signed multiple non-compete, non-solicit, and
confidentiality agreements. Nevertheless, before resigning at RoadLink, Malpass
copied and permanently deleted Trade Resource files stored on the
RoadLink-issued computer for the Chehalis Fred Meyer site.
RoadLink v. Malpass,
supra.
As to the case itself, the opinion explains that on
June 12, 2013, RoadLink filed its
complaint against Malpass, alleging multiple state claims and two federal
claims relating to his alleged copying and deleting of the Trade Resources
files. The two federal claims are based on alleged violations of the Stored
Communications Act . . . and the Computer Fraud
and Abuse Act. . . . RoadLink argues that Malpass has hacked and destroyed many
RoadLink files that he was not authorized to access, raising claims under the two
federal statutes.
RoadLink v. Malpass,
supra.
Malpass responded by filing a motion to dismiss the federal
claims under Rule 12(b)(6) of the Federal Rules of Civil Procedure. RoadLink v. Malpass, supra. As Wikipedia explains, and as I have noted in
prior posts, the
Rule 12(b)(6) motion, which replaced
the common law demurrer, is how lawsuits with insufficient legal
theories underlying their cause of action are dismissed from court. For
example, assault requires intent, so if the plaintiff has failed to
plead intent, the defense can seek dismissal by filing a 12(b)(6) motion.
The district court judge who has the case began his analysis
of the issues raised by Malpass’ Rule 12(b)(6) motion with RoadLink’s Store
Communications Act (SCA) claim, noting that the SCA creates a private cause of
action against anyone who
`(1) intentionally accesses without
authorization a facility through which an electronic communication service is
provided; or (2) intentionally exceeds an authorization to access that
facility; and thereby obtains, alters, or prevents authorized access to a wire
or electric communication while it is in electronic storage in such system.’ 18 U.S. Code § 2701(a)(1) and (2); see id. § 2707 (creating a
private right of action). The SCA's general prohibitions do not apply . . . `to
conduct authorized (1) by the person or entity providing a wire or electronic
communication service; [or] (2) by a user of that service with respect to a
communication of or intended for that user.’ 18 U.S. Code § 2701(c).
RoadLink v. Malpass,
supra.
In its Complaint, RoadLink claimed Malpass “violated (a)(2)
when he accessed the computer provided to him by RoadLink and copied and then
permanently deleted information and emails contained on the computer.” RoadLink v. Malpass, supra. Section
2701(a)(2) makes it a crime to exceed authorized access to a “facility through
which an electronic communication service is provided” and obtain, alter or
prevent authorized access to an electronic communication while it is in
electronic storage. In his motion,
Malpass argued that (i) “the computer system he accessed was not a `facility’
through which an electronic communication service is provided;” (ii) the files “on
the computer hard
drive and in Microsoft Outlook were not in `electronic storage;’” and (iii) “even
if the computer is
determined to be a `facility’ and the files were in `electronic storage,’
RoadLink `authorized’
the access.” RoadLink
v. Malpass, supra.
The judge agreed with Malpass. He explained that to state a claim under the
SCA
RoadLink was required to “allege that Defendant accessed without authorization ‘a
facility through which an electronic communication service is provided.’” RoadLink
v. Malpass, supra (quoting In re
iPhone Application Litigation, 844 F.Supp.2d 1040 (U.S. District Court for the Northern District of California 2012)). The SCA defines an “electronic
communication service” as “any service which provides to users thereof the
ability to send and receive wire or electronic communications.” 18 U.S.Code § 2510(15). In the In re iPhone
Application Litigation case, the court held that “including a personal
computing device within the definition of `facility’ rendered other parts of
the SCA illogical.” RoadLink v. Malpass,
supra.
The judge in this case therefore found that if the computer
issued to Malpass was a
`facility,’ then
any web site accessed
on the computer would be a user of the communication service provided by
the computer,
and consequently any communication between the individual computer and the web site is a
communication `of or intended for’ that web site, triggering the §
2701(c)(2) exception for authorized access. Instead,
Malpass and others authorized to access the computer are the user and the
computer would not classify as a facility for the purposes of § 2701(a).
RoadLink provides no facts to suggest the computer was a communication
service provider.
RoadLink v. Malpass,
supra.
As noted above, to violate 18 U.S. Code § 2701(a), Malpass
not only had to access a “facility” through which an electronic communication
service was provided but also had to obtain, alter or prevent authorized access
to an electronic communication while it was “`in electronic storage in the
system.’” “The SCA defines `electronic
storage’ as: (A) any temporary, intermediate storage of a[n] electronic
communication incidental to the electronic transmission thereof; and (B) any
storage of such communication by an electronic communication service for
purposes of backup protection of such communication.” RoadLink
v. Malpass, supra (citing 18 U.S. Code § 2510(17)).
This judge noted that in Lazette
v. Kulmatycki, 2013 WL 2455937 (U.S. District Court for the Northern District of Ohio), the judge held that “emails which are opened but not deleted
are not in `electronic storage’ for the purpose of backup protection”. RoadLink
v. Malpass, supra. This judge then
found that “[f]ollowing the reasoning that emails which are opened but not deleted
are not in `electronic storage for the purpose of backup protection, RoadLink
has failed to assert facts that support that Malpass accessed communication in
electronic storage.” RoadLink v. Malpass, supra.
Since RoadLink had not alleged facts that would show the
computer hard drive at issue “was a `facility’” and that the files “he accessed
were communications in `electronic storage,’” the judge found he did not need
to address whether RoadLink authorized Malpass to access the information or
whether such authorization ended when he “went to work for Merit.” RoadLink
v. Malpass, supra. He found RoadLink
had failed to state a viable cause of action under the SCA, and so granted
Malpass’ motion to dismiss this claim. RoadLink v. Malpass, supra.
The judge then took up RoadLink’s claim under the Computer
Fraud and Abuse Act, 18 U.S. Code § 1030. RoadLink
v. Malpass, supra. In its Complaint,
RoadLink alleged that Malpass’ actions violated two provisions of the Act: §§ 1030(a)(4) and 1030(a)(5), which provide
as follows:
(4) Knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5) (A) Knowingly caus[ing] the transmission of a
program, information, code, or command, and as a result of such conduct,
intentionally caus[ing] damage without authorization, to a protected computer;
(B) Intentionally access[ing] a protected computer without authorization,
and as a result of such conduct, recklessly caus[ing] damage; or
(C) Intentionally access[ing] a protected computer without authorization,
and as a result of such conduct, caus[ing] damage and loss.
RoadLink v. Malpass,
supra (quoting 18 U.S. Code §§ 1030(a)(4) & 1030(a)(5)).
Malpass claimed RoadLink “failed to state a claim
under § 1030 because (1) the computer at issue was not a `protected computer’ and (2) he had authorization
to access the computer and
information contained within it.” RoadLink
v. Malpass, supra.
The judge rather quickly found that the computer at issue
was a “protected computer.” RoadLink v. Malpass, supra. Section 1030(e)(2)(B) of Title 18 of the U.S.
Code defines a protected computer as one “used in or affecting interstate or
foreign commerce”, which would encompass the computer at issue here.
But the judge agreed with Malpass on the authorization
issue. Malpass claimed RoadLink's CFAA
claims were “deficient because Malpass was given authorization for unlimited access to
the computer and
files at issue.” RoadLink v. Malpass, supra.
The judge noted that the U.S. Court of Appeals for the 9th
Circuit
has determined that `an employer gives
an employee “authorization”
to access a
company computer when
the employer gives the employee permission to use it.’ LVRC Holdings
LLC v. Brekka, 581 F.3d 1127 (U.S.
Court of Appeals for the 9th Circuit 2009). A person who `exceeds authorized access’ `has permission to access the computer, but accessed information on
the computer that
the person is not entitled to access. LVRC Holdings v.
Brekka, supra.
RoadLink v. Malpass,
supra.
The judge applied this standard to RoadLink’s cause of
action and found that
Here, RoadLink granted Malpass authorization to access the
information on the computer he is alleged to have to copied and deleted. . . .
RoadLink gave Malpass a computer with which he could maintain and update the Trade
Resources and other files. . . . Under the Ninth Circuit's interpretation of
the [Computer Fraud and Abuse Act], Malpass's alleged subsequent actions -- copying
and deleting the files in the database -- do not implicate the [Act]. These
alleged actions concern the `misuse or misappropriation of the Trade Resources,
something the [Computer Fraud and Abuse Act] does not target.
Therefore, Malpass did not `exceed authorized access’ under the [Act], and RoadLink
has failed to state a claim under the [Computer Fraud and Abuse Act] for which
relief can be granted.
RoadLink v. Malpass,
supra.
The judge therefore granted Malpass’ motion to dismiss
RoadLink’s claims under the Stored Communications Act and the Computer Fraud
and Abuse Act. RoadLink v. Malpass, supra.
That still left RoadLink’s claims under state law, and RoadLink can file
an amended Complaint in which it attempts to revive its claims under either or
both of the federal statutes. RoadLink v. Malpass, supra.
No comments:
Post a Comment