Monday, February 23, 2015

Websense, Jottacloud and the Computer Fraud and Abuse Act

This post examines an opinion a U.S. District Court Judge recently issued in a civil suit:  RLI Insurance Company v. Elisabeth Banks, 2015 WL 400540 (U.S. District Court for the Northern District of Georgia 2015).   The judge begins his opinion by explaining how the suit arose:
On May 20, 2013, the Defendant, Elisabeth Banks, began working for the Plaintiff, RLI Insurance Company (`RLI'), as a Claim Examiner/Manager in [RLI’s] Atlanta, Georgia, office. [Banks] remained employed with [RLI] until March 25, 2014, when [RLI] terminated [Banks’] employment for performance related issues.  [RLI] maintains confidential, proprietary, and trade secret information on its computer systems and network.  

In order to protect this data, the computer system is equipped with software called Websense, which prohibits users from accessing certain websites, such as the cloud data storage site, Dropbox.  Additionally, [RLI] maintains a Code of Conduct and Information Protection Policy for all employees, which both require employees to keep the information confidential.

On January 2, 2014, [Banks] attempted to access Dropbox from [RLI’s] computer network, but her access was denied. [She] then used [RLI’s] computer system to research Dropbox alternatives, and at 8:02 P.M. on January 2, 2014, accessed a cloud data storage website called Jottacloud.

She then uploaded 757 customer claim files and other files containing proprietary information to her personal Jottacloud account between January 2, 2014, and her termination on March 25, 2014.  

On March 24, 2014, [RLI] specifically revoked [Banks’] permission to access the computer network, including the files and information therein.  Roughly twenty minutes after [RLI] revoked [Banks’] access, [she] sent an email from her RLI account to her personal account with eighty-eight confidential RLI emails attached.
RLI Insurance Company v. Elisabeth Banks, supra.
RLI then
filed its Verified Complaint on April 15, 2014, seeking damages and injunctive relief on various state law grounds as well as under the federal Computer Fraud and Abuse Act (`CFAA’).

On April 16, 2014, this Court granted [RLI] a temporary restraining order, ordering [Banks] to return all RLI documents in her possession and allow RLI to inspect her Jottacloud account as well as her personal computers, tablets, and other devices. [Banks] now moves to dismiss [RLI’s] claims.
RLI Insurance Company v. Elisabeth Banks, supra.  The article you can find here explains what a Complaint is, and the role it plays in U.S. civil practice.
And as the article you can find here explains, the CFAA 
is a criminal statute that provides a civil cause of action for anyone whose computer system or network has been damaged or accessed without authorization, provided certain requirements are met. Although traditionally thought of as a form of relief for those who fall victim to computer `hackers,’ the Act has seen increased use in the employer-employee context.
The judge began his analysis of Banks’ motion to dismiss by explaining that a
complaint should be dismissed under Rule 12(b)(6) only where it appears that the facts alleged fail to state a `plausible’ claim for relief.  A complaint may survive a motion to dismiss for failure to state a claim, however, even if it is `improbable’ that a plaintiff would be able to prove those facts; even if the possibility of recovery is extremely `remote and unlikely.’

In ruling on a motion to dismiss, the court must accept the facts pleaded in the complaint as true and construe them in the light most favorable to the plaintiff.  Generally, notice pleading is all that is required for a valid complaint. Under notice pleading, the plaintiff need only give the defendant fair notice of the plaintiff's claim and the grounds upon which it rests.
RLI Insurance Company v. Elisabeth Banks, supra.
He then took up Banks’ argument that the judge should dismiss RLI’s
claims for conversion, breach of the duty of loyalty, breach of fiduciary duty, tortious interference, and violation of the Georgia Computer Systems Protection Act (`GCSPA’) as preempted by the Georgia Trade Secrets Act (`GTSA’). The GTSA preempts all conflicting state laws providing civil remedies or restitution for the misappropriation of trade secrets.  

The Georgia Supreme Court has held that `[f]or the GTSA to maintain its exclusiveness, a plaintiff cannot be allowed to plead a lesser and alternate theory of restitution simply because the information does not qualify as a trade secret under the act.’

It is immaterial whether the information at issue qualifies as a trade secret under the GTSA, `[r]ather the key inquiry is whether the same factual allegations of misappropriation are being used to obtain relief outside the GTSA.’  This Court therefore must address whether the Plaintiff's state law claims rely upon factual allegations of misappropriation of trade secrets.

First, as to the Plaintiff's claim for conversion, the Complaint clearly alleges that the claim is based on the Defendant's alleged misappropriation of `Proprietary Information and Consumer Claim Files.’ The claim for conversion is therefore preempted and should be dismissed. 

Similarly, the claim for breach of the duty of loyalty is based on misappropriation of the same information, and should be dismissed.

The claim for breach of fiduciary duty is also based on the misappropriation of confidential information, and is therefore preempted and should be dismissed. Finally, the GCSPA claim relies on misappropriation of the confidential information as well, and it should be dismissed as preempted.
RLI Insurance Company v. Elisabeth Banks, supra.
Next, the judge took up RLI’s motion to dismiss Banks’
claim for breach of contract, arguing that no contract existed here. As a threshold matter, the Court notes that the claim for breach of contract is not preempted by the GTSA, unlike [Banks’] state law claims.

A claim for breach of contract requires a valid contract, material breach of the terms of that contract, and damages arising from the breach. The Georgia Court of Appeals has held that violations of employee manuals are generally not actionable as a breach of contract.

Where the statements in employee manuals are merely expressions of `certain policies and information concerning employment’ as opposed to language clearly creating a contract, there can be no action for breach of contract.

Here, [RLI] alleges breaches of the Employee Code of Conduct and the Information Protection Policy -- both employee policy manuals.  These manuals simply contain policies and information concerning employment and therefore do not constitute contracts. The claim for breach of contract should therefore be dismissed.
RLI Insurance Company v. Elisabeth Banks, supra.
And, finally, the District Court Judge took up Banks’ motion to dismiss RLI’s
claim for violation of the CFAA on the grounds that [she] was authorized to access the information obtained and that [RLI] has no damages.

The CFAA requires proof that the defendant `intentionally accesses a computer without authorization or exceeds authorized access’ and obtains information from any protected computer.  Additionally, the plaintiff must show a loss of at least $5,000 in a one-year period.  

[RLI] has alleged facts that, if true, would show that [Banks] accessed a computer without authorization when she accessed her email after her computer privileges were revoked and exceeded her authorization when she uploaded files to Jottacloud. [RLI] has also pleaded damages exceeding $5,000. [Banks’] motion to dismiss the CFAA claim should therefore be denied.

RLI Insurance Company v. Elisabeth Banks, supra.
So the judge granted Banks’ motion to dismiss in part and denied it in part, which means that the suit continues, at least for now.  RLI Insurance Company v. Elisabeth Banks, supra.
