Monday, September 23, 2013

Workforce Logistics, Customer Information and Computer Crime

-->
RoadLink Workforce Solutions, L.L.C. (“RoadLink”) sued its former employee Vern Malpass, claiming he “stole customer information and other proprietary resources from his work computer before he went to work for a competitor.”  Roadlink Workforce Solutions, L.L.C. v. Malpass, 2013 WL 5274812 (U.S. District Court for the Western District of Washington 2013) (“RoadLink v. Malpass”).  Roadlink alleged, among other things, that Malpass violated “the Stored Communications Act, 1 U.S. Code § 2701 et seq. and the Computer Fraud and Abuse Act, 18 U.S. Code § 1030”.  RoadLink v. Malpass, supra.



This, according to the opinion, is how the case arose:



RoadLink is a warehouse and workforce logistics company. [It] provides various services to its clients, including freight handling, warehousing, unloading of merchandise, and ancillary services such as light maintenance and sanitation. One of RoadLink's largest clients is the Fred Meyer store in Chehalis, Washington. . . .



Vern Malpass was a RoadLink employee for ten years, until he resigned on April 23, 2013. During that time, Malpass was promoted through the ranks of the company, serving a majority of his tenure as Site Manager at the Chehalis Fred Meyer. As Site Manager, Malpass was responsible for the day-to-day operations and financial management of RoadLink's Chehalis Fred Meyer site, including managing the 250 RoadLink employees at that site. . . .



In order to complete his day-to-day duties as Site Manager, Malpass was issued a computer specifically for the Chehalis Fred Meyer site. On that computer, he maintained and updated RoadLink's Trade Resource files specific to the Chehalis Fred Meyer location, which included historical information on hiring needs, communications between RoadLink and the Chehalis Fred Meyer, communications between RoadLink and regional vendors, and other information concerning the operations of the site.



Much of the information entered into the computer was stored only on the [its] hard drive, with some communications stored and backed up on the computer's Microsoft Outlook program linked to RoadLink's email system. . . .



At the beginning of 2013, Fred Meyer informed RoadLink it would be releasing a request for proposal in order to receive competitive bids for the services that RoadLink was providing at the Chehalis site. . . . Merit Integrated Logistics, one of RoadLink's competitors, sought to obtain at least a portion of the Chehalis Fred Meyer contract. On April 23, 2013 -- after it had already secured a piece of RoadLink's previous contract with the Chehalis Fred Meyer, but before it began performing on that contract -- Merit offered Malpass employment as its Site Manager at the Chehalis Fred Meyer. . . . Malpass accepted the offer.



As part of his employment with RoadLink, Malpass had signed multiple non-compete, non-solicit, and confidentiality agreements. Nevertheless, before resigning at RoadLink, Malpass copied and permanently deleted Trade Resource files stored on the RoadLink-issued computer for the Chehalis Fred Meyer site.



RoadLink v. Malpass, supra.



As to the case itself, the opinion explains that on



June 12, 2013, RoadLink filed its complaint against Malpass, alleging multiple state claims and two federal claims relating to his alleged copying and deleting of the Trade Resources files. The two federal claims are based on alleged violations of the Stored Communications Act . . . and the Computer Fraud and Abuse Act. . . . RoadLink argues that Malpass has hacked and destroyed many RoadLink files that he was not authorized to access, raising claims under the two federal statutes.



RoadLink v. Malpass, supra.



Malpass responded by filing a motion to dismiss the federal claims under Rule 12(b)(6) of the Federal Rules of Civil Procedure. RoadLink v. Malpass, supra.  As Wikipedia explains, and as I have noted in prior posts, the



Rule 12(b)(6) motion, which replaced the common law demurrer, is how lawsuits with insufficient legal theories underlying their cause of action are dismissed from court. For example, assault requires intent, so if the plaintiff has failed to plead intent, the defense can seek dismissal by filing a 12(b)(6) motion. 



The district court judge who has the case began his analysis of the issues raised by Malpass’ Rule 12(b)(6) motion with RoadLink’s Store Communications Act (SCA) claim, noting that the SCA creates a private cause of action against anyone who



`(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electric communication while it is in electronic storage in such system.’ 18 U.S. Code § 2701(a)(1) and (2)see id. § 2707 (creating a private right of action). The SCA's general prohibitions do not apply . . . `to conduct authorized (1) by the person or entity providing a wire or electronic communication service; [or] (2) by a user of that service with respect to a communication of or intended for that user.’ 18 U.S. Code § 2701(c).



RoadLink v. Malpass, supra.



In its Complaint, RoadLink claimed Malpass “violated (a)(2) when he accessed the computer provided to him by RoadLink and copied and then permanently deleted information and emails  contained on the computer.” RoadLink v. Malpass, supra. Section 2701(a)(2) makes it a crime to exceed authorized access to a “facility through which an electronic communication service is provided” and obtain, alter or prevent authorized access to an electronic communication while it is in electronic storage.  In his motion, Malpass argued that (i) “the computer system he accessed was not a `facility’ through which an electronic communication service is provided;” (ii) the files “on the computer hard drive and in Microsoft Outlook were not in `electronic storage;’” and (iii) “even if the computer is determined to be a `facility’ and the files were in `electronic storage,’ RoadLink `authorized’ the access.”  RoadLink v. Malpass, supra.



The judge agreed with Malpass.  He explained that to state a claim under the SCA

RoadLink was required to “allege that Defendant accessed without authorization ‘a facility through which an electronic communication service is provided.’”  RoadLink v. Malpass, supra (quoting In re iPhone Application Litigation, 844 F.Supp.2d 1040 (U.S. District Court for the Northern District of California 2012)). The SCA defines an “electronic communication service” as “any service which provides to users thereof the ability to send and receive wire or electronic communications.” 18 U.S.Code § 2510(15). In the In re iPhone Application Litigation case, the court held that “including a personal computing device within the definition of `facility’ rendered other parts of the SCA illogical.” RoadLink v. Malpass, supra.



The judge in this case therefore found that if the computer issued to Malpass was a



`facility,’ then any web site accessed on the computer would be a user of the communication service provided by the computer, and consequently any communication between the individual computer and the web site is a communication `of or intended for’ that web site, triggering the § 2701(c)(2) exception for authorized access. Instead, Malpass and others authorized to access the computer are the user and the computer would not classify as a facility for the purposes of § 2701(a). RoadLink provides no facts to suggest the computer was a communication service provider.



RoadLink v. Malpass, supra.



As noted above, to violate 18 U.S. Code § 2701(a), Malpass not only had to access a “facility” through which an electronic communication service was provided but also had to obtain, alter or prevent authorized access to an electronic communication while it was “`in electronic storage in the system.’”  “The SCA defines `electronic storage’ as: (A) any temporary, intermediate storage of a[n] electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”  RoadLink v. Malpass, supra (citing 18 U.S. Code § 2510(17)).



This judge noted that in Lazette v. Kulmatycki, 2013 WL 2455937 (U.S. District Court for the Northern District of Ohio), the judge held that “emails which are opened but not deleted are not in `electronic storage’ for the purpose of backup protection”.  RoadLink v. Malpass, supra.  This judge then found that “[f]ollowing the reasoning that emails which are opened but not deleted are not in `electronic storage for the purpose of backup protection, RoadLink has failed to assert facts that support that Malpass accessed communication in electronic storage.”  RoadLink v. Malpass, supra.



Since RoadLink had not alleged facts that would show the computer hard drive at issue “was a `facility’” and that the files “he accessed were communications in `electronic storage,’” the judge found he did not need to address whether RoadLink authorized Malpass to access the information or whether such authorization ended when he “went to work for Merit.”  RoadLink v. Malpass, supra.  He found RoadLink had failed to state a viable cause of action under the SCA, and so granted Malpass’ motion to dismiss this claim.  RoadLink v. Malpass, supra.



The judge then took up RoadLink’s claim under the Computer Fraud and Abuse Act, 18 U.S. Code § 1030. RoadLink v. Malpass, supra.  In its Complaint, RoadLink alleged that Malpass’ actions violated two provisions of the Act:  §§ 1030(a)(4) and 1030(a)(5), which provide as follows:


(4) Knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;



(5) (A) Knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer;



(B) Intentionally access[ing] a protected computer without authorization, and as a result of such conduct, recklessly caus[ing] damage; or



(C) Intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss.



RoadLink v. Malpass, supra (quoting 18 U.S. Code §§ 1030(a)(4) & 1030(a)(5)).



Malpass claimed RoadLink “failed to state a claim under § 1030 because (1) the computer at issue was not a `protected computer’ and (2) he had authorization to access the computer and information contained within it.” RoadLink v. Malpass, supra.



The judge rather quickly found that the computer at issue was a “protected computer.”  RoadLink v. Malpass, supra.  Section 1030(e)(2)(B) of Title 18 of the U.S. Code defines a protected computer as one “used in or affecting interstate or foreign commerce”, which would encompass the computer at issue here. 



But the judge agreed with Malpass on the authorization issue.  Malpass claimed RoadLink's CFAA claims were “deficient because Malpass was given authorization for unlimited access to the computer and files at issue.”  RoadLink v. Malpass, supra.  The judge noted that the U.S. Court of Appeals for the 9th Circuit



has determined that `an employer gives an employee authorization” to access a company computer when the employer gives the employee permission to use it.’  LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (U.S. Court of Appeals for the 9th Circuit 2009). A person who `exceeds authorized access’ `has permission to access the computer, but accessed information on the computer that the person is not entitled to access. LVRC Holdings v. Brekka, supra.  



RoadLink v. Malpass, supra. 



The judge applied this standard to RoadLink’s cause of action and found that



Here, RoadLink granted Malpass authorization to access the information on the computer he is alleged to have to copied and deleted. . . . RoadLink gave Malpass a computer with which he could maintain and update the Trade Resources and other files. . . . Under the Ninth Circuit's interpretation of the [Computer Fraud and Abuse Act], Malpass's alleged subsequent actions -- copying and deleting the files in the database -- do not implicate the [Act]. These alleged actions concern the `misuse or misappropriation of the Trade Resources, something the [Computer Fraud and Abuse Act] does not target.



Therefore, Malpass did not `exceed authorized access’ under the [Act], and RoadLink has failed to state a claim under the [Computer Fraud and Abuse Act] for which relief can be granted.



RoadLink v. Malpass, supra. 



The judge therefore granted Malpass’ motion to dismiss RoadLink’s claims under the Stored Communications Act and the Computer Fraud and Abuse Act.  RoadLink v. Malpass, supra.  That still left RoadLink’s claims under state law, and RoadLink can file an amended Complaint in which it attempts to revive its claims under either or both of the federal statutes.  RoadLink v. Malpass, supra. 


No comments:

Post a Comment