This post examines an opinion a U.S. District Court Judge
recently issued in a civil suit: RLI Insurance Company v. Elisabeth Banks,
2015 WL 400540 (U.S. District Court for the Northern District of Georgia
2015). The judge begins his opinion by
explaining how the suit arose:
On May 20, 2013, the Defendant,
Elisabeth Banks, began working for the Plaintiff, RLI Insurance Company (`RLI'),
as a Claim Examiner/Manager in [RLI’s] Atlanta, Georgia, office. [Banks]
remained employed with [RLI] until March 25, 2014, when [RLI] terminated [Banks’]
employment for performance related issues.
[RLI] maintains confidential, proprietary, and trade secret information
on its computer systems and network.
In order to protect this data, the
computer system is equipped with software called Websense, which prohibits
users from accessing certain websites, such as the cloud data storage site,
Dropbox. Additionally, [RLI] maintains
a Code of Conduct and Information Protection Policy for all employees, which
both require employees to keep the information confidential.
On January 2, 2014, [Banks] attempted
to access Dropbox from [RLI’s] computer network, but her access was denied.
[She] then used [RLI’s] computer system to research Dropbox alternatives,
and at 8:02 P.M. on January 2, 2014, accessed a cloud data storage website
called Jottacloud.
She then uploaded 757 customer claim
files and other files containing proprietary information to her personal
Jottacloud account between January 2, 2014, and her termination on March 25,
2014.
On March 24, 2014, [RLI] specifically
revoked [Banks’] permission to access the computer network, including the files
and information therein. Roughly
twenty minutes after [RLI] revoked [Banks’] access, [she] sent an email from
her RLI account to her personal account with eighty-eight confidential RLI
emails attached.
RLI Insurance Company
v. Elisabeth Banks, supra.
On April 15, 2014, RLI
filed its Verified Complaint on April
15, 2014, seeking damages and injunctive relief on various state law grounds as
well as under the federal Computer Fraud and Abuse Act (`CFAA’).
On April 16, 2014, this Court granted [RLI]
a temporary restraining order, ordering [Banks] to return all RLI documents in
her possession and allow RLI to inspect her Jottacloud account as well as her
personal computers, tablets, and other devices. [Banks] now moves to dismiss [RLI’s]
claims.
RLI Insurance Company
v. Elisabeth Banks, supra. The article you can find here explains what a Complaint is, and the role it plays in. U.S. civil practice.
And as the article you can find here explains, the CFAA
is a criminal statute that provides a
civil cause of action for anyone whose computer system or network has been
damaged or accessed without authorization, provided certain requirements are
met. Although traditionally thought of as a form of relief for those who fall
victim to computer `hackers,’ the Act has seen increased use in the
employer-employee context.
The judge began his analysis of Banks’ motion to dismiss by
explaining that a
complaint should be dismissed under
Rule 12(b)(6) only where it appears that the facts alleged fail to state a
`plausible’ claim for relief. A complaint may survive a motion to dismiss
for failure to state a claim, however, even if it is `improbable’ that a
plaintiff would be able to prove those facts; even if the possibility of
recovery is extremely `remote and unlikely.’
In ruling on a motion to dismiss, the court
must accept the facts pleaded in the complaint as true and construe them in the
light most favorable to the plaintiff. Generally, notice pleading is all that is
required for a valid complaint. Under notice pleading, the plaintiff
need only give the defendant fair notice of the plaintiff's claim and the
grounds upon which it rests.
RLI Insurance Company
v. Elisabeth Banks, supra.
He then took up Banks’ argument that the judge should
dismiss RLI’s
claims for conversion, breach of the
duty of loyalty, breach of fiduciary duty, tortious interference, and violation
of the Georgia Computer Systems Protection Act (`GCSPA’) as preempted by the
Georgia Trade Secrets Act (`GTSA’). The GTSA preempts all conflicting state
laws providing civil remedies or restitution for the misappropriation of trade
secrets.
The Georgia Supreme Court has held that
`[f]or the GTSA to maintain its exclusiveness, a plaintiff cannot be allowed to
plead a lesser and alternate theory of restitution simply because the
information does not qualify as a trade secret under the act.’
It is immaterial whether the
information at issue qualifies as a trade secret under the GTSA, `[r]ather the
key inquiry is whether the same factual allegations of misappropriation are
being used to obtain relief outside the GTSA.’
This Court therefore must address whether the Plaintiff's state law claims
rely upon factual allegations of misappropriation of trade secrets.
First, as to the Plaintiff's claim for
conversion, the Complaint clearly alleges that the claim is based on the
Defendant's alleged misappropriation of `Proprietary Information and Consumer
Claim Files.’ The claim for conversion is therefore preempted and should be
dismissed.
Similarly, the claim for breach of the duty of loyalty is based on
misappropriation of the same information, and should be dismissed.
The claim for breach of fiduciary duty
is also based on the misappropriation of confidential information, and
is therefore preempted and should be dismissed. Finally, the GCSPA claim relies
on misappropriation of the confidential information as well, and it
should be dismissed as preempted.
RLI Insurance Company
v. Elisabeth Banks, supra.
Next, the judge took up RLI’s motion to dismiss Banks’
claim for breach of contract, arguing
that no contract existed here. As a threshold matter, the Court notes that the
claim for breach of contract is not preempted by the GTSA, unlike [Banks’]
state law claims.
A claim for breach of contract requires
a valid contract, material breach of the terms of that contract, and damages
arising from the breach. The Georgia Court of Appeals has held that
violations of employee manuals are generally not actionable as a breach of
contract.
Where the statements in employee manuals
are merely expressions of `certain policies and information concerning
employment’ as opposed to language clearly creating a contract, there can be no
action for breach of contract.
Here, [RLI] alleges breaches of the
Employee Code of Conduct and the Information Protection Policy -- both employee
policy manuals. These manuals
simply contain policies and information concerning employment and therefore do
not constitute contracts. The claim for breach of contract should therefore be
dismissed.
RLI Insurance Company
v. Elisabeth Banks, supra.
And, finally, the District Court Judge took up Banks’ motion
to dismiss RLI’s
claim for violation of the CFAA on the
grounds that [she] was authorized to access the information obtained and that [RLI]
has no damages.
The CFAA requires proof that the
defendant `intentionally accesses a computer without authorization or exceeds
authorized access’ and obtains information from any protected computer. Additionally, the plaintiff must show a loss
of at least $5,000 in a one-year period.
[RLI] has alleged facts that, if true,
would show that [Banks] accessed a computer without authorization when she
accessed her email after her computer privileges were revoked and exceeded her
authorization when she uploaded files to Jottacloud. [RLI] has also pleaded
damages exceeding $5,000. [Banks’] motion to dismiss the CFAA claim
should therefore be denied.
RLI Insurance Company
v. Elisabeth Banks, supra.
So the judge granted Banks’ motion to dismiss in part and
denied it in part, which means that the suit continues, at least for now. RLI
Insurance Company v. Elisabeth Banks, supra.
No comments:
Post a Comment