Unauthorized Access, the Former Employees and the Computer Fraud and Abuse Act

This post examines an opinion a U.S. Magistrate Judge who sits in the U.S. District Court for the District of Colorado issued recently:  Wolf v. Schadegg, 2016 WL 1117364 (2016).  As judges usually do, this judge begins her opinion by explaining how and why the civil suit arose:

The relevant factual background for this motion involves data, trade secrets, and other confidential information allegedly obtained by Defendants Michael Schadegg and Shawn Cochran, former employees of Plaintiff Wolf Auto Center Sterling, LLC (`Wolf Auto’), in contravention of state and federal law. See Complaint [# 1]. Plaintiff David Wolf is the owner and sole member of Plaintiff Wolf Auto, a car dealership selling Ford and Chrysler cars as a franchisee.  Id. ¶ 3-4. Both of the named Defendants were former employees of Plaintiff Wolf Auto: Defendant Schadegg was a general manager of several of its dealerships until he was terminated on April 14, 2014, and Defendant Cochran was its finance and insurance manager until he left his job on May 7, 2014. Id. ¶ 7-8, 11. Both Defendants were subsequently employed by one of Wolf Auto's competitors, Korf Continental Sterling (`Korf’). Id. ¶ 9, 11.

Plaintiffs allege that in late 2014 they discovered numerous instances of unauthorized access to Wolf Auto's computer systems and servers. Id. ¶ 64. Specifically, Plaintiffs claim that Defendants used their prior usernames, passwords, and company email accounts to obtain data, confidential information, and trade secrets from Wolf Auto after they had ceased being employees. Id. ¶¶ 26-33. Plaintiffs cite to several specific instances, alleging that, for example, an individual or several individuals using a computer with an IP address³ assigned to Korf accessed data from Wolf Auto's website on several occasions from May 2014 to September 2014. Id. ¶ 34.

Thus, on May 15, 2015, Plaintiffs filed this action alleging a claim against Defendants for violation of the Computer Fraud and Abuse Act (`CFAA’), 18 U.S. Code § 1030, as well as several state law claims for theft of trade secret information, civil theft, conversion, breach of fiduciary duty, unjust enrichment, civil conspiracy, and tortious interference with prospective business  advantage. Complaint [# 1] ¶¶ 53-120. Based on the CFAA claim, Plaintiffs allege that subject-matter jurisdiction is appropriate pursuant to 28 U.S. Code § 1331, and that the Court thus has supplemental jurisdiction over the remainder of Plaintiffs' claims pursuant to 28 U.S. Code § 1367(a). Complaint [# 1] ¶ 51.

Wolf v. Schadegg, supra.

The Magistrate Judge went on to explain that

[o]n July 21, 2015, Defendants filed the present Motion, requesting that the Court dismiss Plaintiffs' CFAA claim for failure to state a claim pursuant to Rule 12(b)(6). Motion [# 12] at 2. Defendants also argue that because Plaintiffs have failed to state a claim under the CFAA—Plaintiffs' sole basis for federal question jurisdiction—the state law claims should consequently be dismissed for lack of subject-matter jurisdiction pursuant to Rule 12(b)(1). Id. at 6. Thus, because the Court denies the request for dismissal under Rule 12(b)(6), the Court does not reach Defendants' argument for dismissal pursuant to Rule 12(b)(1).

Wolf v. Schadegg, supra.

Next, the Magistrate Judge outlined the “legal standard” she was required to apply in ruling on the defendants’ motions to dismiss the suit:

The purpose of a motion to dismiss pursuant to Rule 12(b)(6) is to test `the sufficiency of the allegations within the four corners of the complaint after taking those allegations as true.’ Mobley v. McCormick, 40 F.3d 337, 340 (U.S. Court of Appeals for the 10th Circuit 1994); Fed. R. Civ. P. 12(b)(6) (stating that a complaint may be dismissed for `failure to state a claim upon which relief can be granted’). `The court's function on a Rule 12(b)(6) motion is not to weigh potential evidence that the parties might present at trial, but to assess whether the plaintiff's complaint alone is legally sufficient to state a claim for which relief may be granted.’ Sutton v. Utah State School for the Deaf & Blind, 173 F.3d 1226, 1236 (U.S. Court of Appeals for the 10<sup>th</sup> Circuit 1999). To withstand a motion to dismiss pursuant to Rule 12(b)(6), `a complaint must contain enough allegations of fact “to state a claim to relief that is plausible on its face.”’ Robbins v. Oklahoma, 519 F.3d 1242, 1247 (U.S. Court of Appeals for the 10^th Circuit 2008) (quoting Bell Atlantic Corporation v. Twombly, 550 U.S. 544, 570 (2007)); see also Shero v. City of Grove, Okla., 510 F.3d 1196, 1200 (U.S. Court of Appeals for the 10^th Circuit 2007) (`The complaint must plead sufficient facts, taken as true, to provide ‘plausible grounds' that discovery will reveal evidence to support the plaintiff's allegations’) (quoting Bell Atlantic v. Twombly)).

`A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.’ Ashcroftv. Iqbal, 556 U.S. 662, 678 (2009). `A pleading that offers labels and conclusions or a formulaic recitation of the elements of a cause of action will not do. Nor does a complaint suffice if it tenders naked assertion[s] devoid of further factual enhancement.' Id. (brackets in original; internal quotation marks omitted).

To survive a motion to dismiss pursuant to Rule 12(b)(6), the factual allegations in the complaint `must be enough to raise a right to relief above the speculative level.’ Christy Sports, LLC v. Deer Valley Resort Co., 555 F.3d 1188 (U.S. Court of Appeals for the 10<sup>th</sup> Circuit 2009). `[W]here the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct,’ a factual allegation has been stated, `but it has not show[n] that the pleader is entitled to relief,’ as required by Rule 8(a). Ashcroft v. Iqbal, supra.

Wolf v. Schadegg, supra.

The Magistrate Judge then began her analysis of the defendants’ arguments in the Rule 12(b)(6) motion to dismiss, noting, initially, that the

CFAA is primarily a criminal statute, and a list of potential violations is set forth in 18 U.S. Code § 1030(a). Of those violations, the parties appear to agree that any of the following subsections in particular might apply here: (a)(2)(C), (a)(4), (a)(5)(B), or (a)(5)(C). See Motion [# 12] at 3; Response [# 18] at 6. Each of these subsections differs in various ways—such as in the scienter requirement necessary to establish a violation—but, because none of the elements of these subsections is presently in dispute here, the Court will dispense with a lengthy discussion of the subsections and cite to Subsection (a)(2)(C) by way of example. A violation under that subsection occurs where a defendant (1) intentionally accesses a computer; (2) without or exceeding authorization; and (3) thereby obtains information from a protected computer. 18 U.S. Code § 1030(a)(2)(C).

An additional factor must be satisfied to establish a civil violation under the CFAA, which is the subject of Defendants' present motion. Pursuant to Section 1030(g), a private right of action may be brought by `[a]ny person who suffers damage or loss . . . if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).’ 18 U.S. Code §1030(g). . . . The parties agree that only Subclause (I) is relevant here: `loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.’ Id. § 1030(c)(4)(A)(i)(I). Subsection (e)(11) defines ‘loss’ as `any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]’ Id. § 1030(e)(11).

This definition of `loss’ does not include lost revenue apart from the lost revenue incurred as a result of the interruption of service, and hence does not `include lost revenue resulting from the dissemination of the computer  information to a competitor.’ Am. Family Mut. Ins. Co. v. Gustafson, 2011 WL 782574, at *5 (U.S. District Court for the District of Colorado Feb. 25, 2011), amended,  2012 WL 426636 (D. Colo. Feb. 10, 2012).

Wolf v. Schadegg, supra.

The Magistrate Judge then took up the arguments made by both sides, noting that they

dispute whether Plaintiffs have sufficiently alleged damages pursuant to [18 U.S. Code] §1030(g). With respect to damages under the CFAA claim, the Complaint alleges that `Wolf Auto hired a computer forensic firm to investigate and assess the extent of Schadegg's and Cochran's unauthorized access to its computer systems, for which it incurred charges in excess of $5,000’ and that, `[u]pon discovering Schadegg's and/or Cochran's repeated unauthorized access to its computer systems and server in late 2014, Wolf Auto took actions to secure its computer systems and servers from further unauthorized access by Schadegg, Cochran, and others.’ Compl. [# 1] ¶ 63-64.

Defendants argue that `Plaintiffs have failed to allege facts demonstrating that any discrete act of either Mr. Schadegg or Mr. Cochran caused them a loss or losses “aggregating at least $5,000 in value.”’ Motion [# 12] at 5. More specifically, Defendants contend that Plaintiffs `do not attribute their computer  forensic investigation charges to any one act or even any one individual,’ and because they `cannot apply their loss across separate acts and, presumably, across multiple individuals, Plaintiffs' allegation of their loss is insufficient to state a claim under the CFAA.’ Id. at 5-6.

Wolf v. Schadegg, supra.

The Magistrate Judge went on to explain that the plaintiffs

respond that courts interpret the CFAA as imposing no requirement that the damage or loss be attributable to any particular instance, but rather that `the $5,000 floor applies to how much damage or loss there is to the victim over a one-year period, not from a particular intrusion.’ Response [# 18] (quoting Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 934 (U.S. Court of Appeals for the 9^th Circuit 2004). As a preliminary matter, the Court agrees with Plaintiffs' argument here, and notes that many other courts have rejected Defendants' argument that $5,000 threshold be met with respect to each particular intrusion. See, e.g., Freedom Banc Mortg. Servs., Inc. v. O'Harra, 2012 WL 3862209, at *7 (U.S. District Court for the Southern District of Ohio Sept. 5, 2012); Del Vecchio v. Amazon.com, Inc., 2012 WL 1997697, at *5 (U.S. District Court for the Western District of Washington June 1, 2012); Ticketmaster L.L.C. v. RMG Techs., Inc., 507 F. Supp. 2d 1096, 1113 (U.S. District Court for the Central District of California 2007); Sprint Nextel Corp. v. Simple Cell, Inc., Civ. No. CCB-13-617, 2013 WL 3776933, at *7 (U.S. District Court for the District of Maryland July 17, 2013).

Wolf v. Schadegg, supra.

But the Magistrate Judge also went on to note that,

[h]owever, Defendants also aver that Plaintiffs `make no attempt to allocate the cost of the computer forensic investigation to each individual,’ and thus that `Plaintiffs potentially may be using the cost of a computer forensic investigation made necessary by the acts of one individual . . . to state CFAA claims against other individuals. ’Reply [# 19] at 3 (emphases added). Further, Defendants note that because the Complaint also alleges that Plaintiffs discovered instances of unauthorized access from a former employee who is not a party to this action, it therefore follows that at least some of the loss Plaintiffs attribute to Defendants may not have been caused by them at all. Id.; Complaint [# 1] ¶ 35. Thus, Defendants argue that because Plaintiffs do not clearly allege that each Defendant's individual act or acts caused loss in the amount of $5,000 or more, Plaintiffs have failed to state a claim for relief under the CFAA. Id.

Wolf v. Schadegg, supra.

The Magistrate Judge went on to explain that the

Court finds Defendants' argument unpersuasive. Defendants premise their argument on CFAA's language stating that `[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator[.]’ 18 U.S. Code § 1030(g) (emphasis added). But the argument that Plaintiffs are required to allege what specific loss was incurred by each Defendant and in what amounts at the pleading stage is flawed for several reasons.

First and foremost, Defendants' argument is simply one inference of many that may be drawn from Plaintiffs' Complaint. However, as the Supreme Court has noted, a plaintiff has sufficiently pled a claim when it has `factual content that allows the court to draw the reasonable `factual that the defendant is liable for the misconduct alleged Ashcroft v. Iqbal, supra (emphasis added). Here, Plaintiffs cite to numerous instances of alleged unauthorized access to Wolf Auto's computer systems by both Defendants or individuals who were using the usernames and passwords previously assigned to Defendants. See Complaint [# 1]. These allegations permit, for example, an inference that both Defendants were working together to access Plaintiffs' data, particularly given that Defendants were working for the same rival company and undoubtedly were familiar with each other by virtue of their past employment with Plaintiff Wolf Auto.

Wolf v. Schadegg, supra (emphasis in the original).

The Magistrate Judge concluded her opinion by explaining that,

[f]urther, while the parties both note that there appear to be no cases determining whether a plaintiff is required to meet the $5,000 floor with respect to each defendant individually or all defendants collectively, cases confronting analogous issues under the CFAA are nonetheless instructive. For example, in Sprint Nextel Corp. v. Simple Cell, Inc., supra, the defendants argued on a motion to dismiss that the plaintiff could not sufficiently relate the loss it claimed to have suffered to any particular alleged action. Sprint Nextel Corp. v. Simple Cell, Inc., 2013 WL 3776933, at *7.

The court held that whether the actions could be `provably tied to any CFAA violation is an issue of fact,” and found that plaintiff had “sufficiently pled its CFAA claims.’ Id. Similarly, the real questions presented by Defendants' argument—who caused the alleged loss sustained by Plaintiffs and to what degree each individual caused this loss—are also questions of fact whose answers are not necessarily available to Plaintiffs prior to discovery. See also Quantlab Techs. Ltd. (BVI) v. Godlevsky, 2015 WL 1651251 (U.S. District Court for the Southern District of Texas 2015) (remarking that it may be the case that a plaintiff need `only show $5,000 of expenses in response to all of  Defendants' alleged intrusions’ but ultimately concluding that it was unnecessary to reach this question, because an issue of material fact existed as to whether the plaintiff incurred $5,000 in qualifying losses from each particular defendant's actions); see also Carnegie Strategic Design Engineers, LLC v. Cloherty, 2014 WL 896636, at *4 (U.S.District Court for the Western District of Pennsylvania, Mar. 6, 2014) (`Plaintiff may show loss by alleging that it expended an amount to investigate whether such damage occurred’), appeal dismissed (Aug. 26, 2014).

Wolf v. Schadegg, supra.