Summary
explaining the differentiation among circuit courts' interpretation of “cost of responding to an offense” in light of Van Buren
Summary of this case from Pinebrook Holdings, LLC v. NarupOpinion
1:21-cv-00084-RJS-CMR
03-03-2022
ACI PAYMENTS, INC., Plaintiff, v. CONSERVICE, LLC, Defendant.
Cecilia M. Romero Magistrate Judge
MEMORANDUM DECISION AND ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS
ROBERT J. SHELBY UNITED STATES CHIEF DISTRICT JUDGE
This case arises out of Defendant Conservice, LLC's use of Plaintiff ACI Payments, Inc.'s payment processing platforms. Now before the court is Conservice's Motion to Dismiss ACI's Complaint. For the reasons explained below, the Motion is GRANTED IN PART and DENIED IN PART.
The following facts are drawn from ACI's Complaint. The court accepts all well-pleaded facts as true and views them in the light most favorable to the non-moving party, ACI. See, e.g., Beedle v. Wilson, 422 F.3d 1059, 1063 (10th Cir. 2005).
ACI is a New York corporation with its principal place of business in Miami, Florida.ACI provides payment processing services to billers throughout the United States, including utility billers. ACI's payment processing products include ACI Speedpay, Tran$Act, and V4 (collectively, “Speedpay”). The Speedpay platform allows consumers to make payments using credit card, debit card, and automated clearing house (ACH) transactions, using telephone, web, and mobile interfaces.
Dkt. 2 (Complaint) ¶ 2.
Id. ¶ 8.
Id.
ACI has Terms and Conditions which govern the use of Speedpay. The Terms and Conditions prohibit using Speedpay for commercial purposes. The Terms and Conditions state in pertinent part:
Id. ¶ 9.
Id.
By conducting a Service transaction, making a Payment, or accessing the Services or Website (including through Alternative Payment Channels) You represent and warrant that: (i) You are a customer of Biller, (ii) that You are using the Services and/or submitting a Payment transaction on Your own behalf, or as an employee, owner, or principal of the User-customer, and (iii) that You are not using the Service or Website under a claim of agency or other third-party relationship on behalf of a User-customer, and (iv) that You are not using the Service or Website for profit, financial gain, or any commercial benefit.
Id. ¶ 10.
“Nearly all Speedpay websites use ‘clickwraps,' in which the Terms and Conditions are presented to the user prior to making a payment.” The user must affirmatively accept the Terms and Conditions before a payment transaction can be completed.
Id. ¶ 11.
Id.
Defendant Conservice is located in River Heights, Utah. Conservice provides a service that pays customers' bills. But rather than just “step into the shoes of its clients, ” “Conservice takes money from its clients and then pays the bills through single-use, virtual credit cards . . . issued to Conservice.” By using these cards, Conservice receives a portion of the interchange fee created by the transaction.
Id. ¶ 3.
Id. ¶ 14.
Id.
Id.
“In recent years, ” ACI learned Conservice was initiating payment transactions through Speedpay, “primarily via websites, ” in violation of the Terms and Conditions. The interchange fees on Conservice's single-use, virtual credit cards are significantly higher than other cards, which “converted] payments that should cost ACI cents to process into payments that cost dollars to process.” The interchange fees are typically paid by ACI on behalf of the biller.Because ACI's convenience fee, which it charges to the consumer, is based on calculations for normal consumer use of debit cards, consumer credit cards, and ACH-not Conservice's single-use virtual commercial cards-ACI loses money on Conservice's transactions. ACI alleges that based on its initial estimates, Conservice has caused ACI over $5 million in damages as a result of this practice.
Id. ¶ 12.
Id. ¶ 16.
Id. ¶¶ 14-15.
Id. ¶ 16.
Id. ¶ 17.
After ACI sent Conservice a cease-and-desist letter in 2018, Conservice stated in writing it had stopped all payments through Speedpay. Despite this, in late 2019, ACI “noticed more activity, ” and sent more cease-and-desist letters. Those letters were disregarded by Conservice.In January 2020, ACI again sent cease-and-desist letters to Conservice, demanding Conservice stop using Speedpay to process payments. Conservice nonetheless continued to process payments using Speedpay. In December 2020, ACI sent another cease-and-desist letter, which also included a list of specific billers for which ACI could see Conservice payments. Other than one response indicating Conservice was investigating the matter, Conservice again ignored ACI's cease-and-desist request. Finally, in June 2021, ACI brought suit to enforce the Terms and Conditions of the Speedpay service.
Id. ¶ 12.
Id. ¶ 13.
Id. ¶ 18.
Id.
Id. ¶ 19.
PROCEDURAL HISTORY
On June 4, 2021, ACI filed its Complaint, alleging breach of contract, fraud, and violation of the Computer Fraud and Abuse Act arising from Conservice's alleged violations of the Terms and Conditions. ACI seeks compensatory damages, exemplary damages, and a permanent injunction barring Conservice from using ACI's Speedpay platform.
Id. ¶¶ 20-32.
Id. ¶¶ 23, 27, 32-37.
On July 19, 2021, Conservice filed a Motion to Dismiss Plaintiffs' Complaint for failure to join necessary parties, pursuant to Federal Rule of Civil Procedure 12(b)(7), or in the alternative, for failure to state a claim for relief, pursuant to Rule 12(b)(6). On August 16, 2021, ACI filed its Memorandum in Opposition. Conservice submitted its reply on August 30, 2021. The court received oral argument on February 15, 2022.
Dkt. 20 (Motion to Dismiss).
Dkt. 23 (Memorandum in Opposition to Motion to Dismiss).
Dkt. 25 (Reply in Support of Motion to Dismiss).
Dkt. 30 (Minute Entry).
LEGAL STANDARDS
Under Rule 12(b)(7), a party can move to dismiss a complaint for failure to join a necessary party under Rule 19. The inquiry under Rule 19 proceeds in three parts. First, the court determines if a party is necessary under Rule 19(a). A party is necessary if (1) “in that person's absence, the court cannot accord complete relief among existing parties;” or (2) “disposing of the action in the person's absence may: (i) as a practical matter impair or impede the person's ability to protect the interest; or (ii) leave an existing party subject to a substantial risk of incurring double, multiple, or otherwise inconsistent obligations because of the interest.” Second, if the court determines a party is necessary, the court determines whether that party can feasibly be joined. Third, if the party cannot be joined, under Rule 19(b), “the court must determine whether, in equity and good conscience, the action should proceed among the existing parties, ” considering factors including:
Fed.R.Civ.P. 12(b)(7). Since the 2007 amendments to the Federal Rules of Civil Procedure, Rule 19 uses the term “required party, ” rather than “necessary party.” Because the parties primarily use the older term “necessary party, ” the court uses it as well for consistency. See also Fed. R. Civ. P. 19 Advisory Committee's note to 2007 amendment (explaining the change from “necessary” to “required” is purely stylistic).
N. Arapaho Tribe v. Harnsberger, 697 F.3d 1272, 1278-79 (10th Cir. 2012).
Id. at 1278.
N. Arapaho Tribe, 697 F.3d at 1278.
(1) the extent to which a judgment rendered in the person's absence might prejudice that person or the existing parties;
(2) the extent to which any prejudice could be lessened or avoided by:
(A) protective provisions in the judgment;
(B) shaping the relief; or
(C) other measures;
(3) whether a judgment rendered in the person's absence would be adequate; and
(4) whether the plaintiff would have an adequate remedy if the action were dismissed for nonjoinder.
If the court determines the action cannot proceed in equity or good conscience without the missing party, the missing party is indispensable, and the action must be dismissed.
N. Arapaho Tribe, 697 F.3d at 1278-79.
The Tenth Circuit has instructed that the Rule 19 inquiry is “mainly one of prejudice.”Additionally, “[t]he proponent of a motion to dismiss under 12(b)(7) has the burden of producing evidence showing the nature of the interest possessed by an absent party and that the protection of that interest will be impaired by the absence.” The proponent can satisfy this burden by providing “relevant extra-pleading evidence, ” such as “affidavits of persons having knowledge of these interests.” The interest must be claimed, legally protected, and related to the subject of the lawsuit; inchoate interests are not protected under the Rule.
Grice v. CVR Energy, Inc., 921 F.3d 966, 969 (10th Cir. 2019).
Citizen Band Potawatomi Indian Tribe of Okla. v. Collier, 17 F.3d 1292, 1293 (10th Cir. 1994) (citations omitted).
Id.
Id. at 1294; Davis v. United States, 192 F.3d 951, 958 (10th Cir. 1999).
To survive a motion to dismiss under Rule 12(b)(6), “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” A claim is facially plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” When determining whether a complaint meets these criteria, the court will “assume the factual allegations are true and ask whether it is plausible that the plaintiff is entitled to relief.” “The court's function on a Rule 12(b)(6) motion is not to weigh potential evidence that the parties might present at trial, but to assess whether the plaintiff's complaint alone is legally sufficient to state a claim for which relief may be granted.”
Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)).
Id. (citing Twombly, 550 U.S. at 556).
Gallagher v. Shelton, 587 F.3d 1063, 1068 (10th Cir. 2009).
Miller v. Glanz, 948 F.2d 1562, 1565 (10th Cir. 1991).
ANALYSIS
First, the court takes up Conservice's argument that the Complaint must be dismissed for failure to join necessary parties under Rule 12(b)(7). Next, the court turns to Conservice's arguments under Rule 12(b)(6), namely, that the Complaint should be dismissed for failing to state a claim for breach of contract, fraud, or under the Computer Fraud and Abuse Act.
I. Conservice's Motion to Dismiss for Failure to Join Necessary Parties is Denied
ACI states New York law applies to the state-law claims per a choice of law provision in the Terms and Conditions. Opposition at 16 n.4. Conservice cites a mix of Tenth Circuit, Utah, New York, and New Jersey cases in its Rule 12(b)(7) argument, but never disputes or even addresses the choice of state law issue. See Motion to Dismiss at 9-13; Reply at 7-8. Therefore, while the court follows Tenth Circuit precedent in applying the Rule 19 standards, to the extent Conservice's 12(b)(7) argument focuses on rights and liabilities created under the contract at issue (the Speedpay Terms and Conditions), the court applies New York state law.
Conservice argues the Complaint must be dismissed pursuant to Rule 12(b)(7) because the billers and customers at either end of the Speedpay transactions are necessary parties under Rule 19(a), and the factors under Rule 19(b) weigh in favor of dismissal. Specifically, Conservice argues that the customers and billers are necessary parties under Rule 19(a) because ACI and Conservice “act merely as intermediary agents between the Billers and the customers, ” Conservice is not a party to the contract created by the Terms and Conditions, and therefore, “ACI will not be able to get any relief . . . from the parties already in the suit.” Conservice further argues the absent parties have an interest in either collecting or paying utility bills that would be impaired by the suit. Conservice then argues the case must be dismissed under Rule 19(b) because the customers and billers would lose the Speedpay resource, no relief is possible because the proper parties are not before the court, a judgment would be inadequate because Conservice is not a party to the contract, and ACI would have a remedy if the action is dismissed because it could sue the billers “who allegedly breached the Terms and Conditions.”
Motion to Dismiss at 11 (citing United States v. Van Diviner, 822 F.2d 960, 963 (10th Cir. 1987)).
Id.
Id. at 12.
ACI responds that the billers offer multiple payment options for utility bills, and therefore it is Conservice which affirmatively chooses to use the Speedpay service on behalf of the customers-making Conservice the only necessary party. ACI further argues Conservice uses Speedpay despite knowledge of its Terms and Conditions, which prohibit using Speedpay as a third-party on behalf of another. Because Conservice nevertheless agrees to the Terms and Conditions each time it uses Speedpay, ACI maintains Conservice is the proper party to be sued and there are no other indispensable parties. ACI concludes that even though Conservice acts on behalf of others, it is still bound by the Terms and Conditions it affirmatively accepts.
Opposition at 14-15.
Id. at 12-14.
Id. at 14.
The court agrees with ACI. Conservice, as the proponent of the Motion to Dismiss under Rule 12(b)(7), has “the burden of producing evidence showing the nature of the interest possessed by an absent party and that the protection of that interest will be impaired by the absence.” Conservice has not provided any relevant extra-pleading evidence suggesting even a single customer or biller has an interest relating to the subject of this dispute: Conservice's violations of the Terms and Conditions of the Speedpay service.
Potawatomi Indian Tribe, 17 F.3d at 1293 (citations omitted).
While Conservice is correct that a party to a contract is an indispensable party under Rule 19, it has not convinced the court that either the billers or customers are parties to Speedpay's Terms and Conditions. Conservice argues that because it is acting as the agent of the customers, it is not a party to the contract-but presumably the customers are. First, as ACI argues in Opposition, numerous courts have held the party that affirmatively accepts the terms of a clickwrap contract is bound by the contract, even if the party is acting on behalf of another.Second, and more broadly, the court is not persuaded by Conservice's agency theory. Conservice cites a New York case, Hotel Constructors, Inc. v. Seagrave Corporation, for the proposition that “an agent for a fully disclosed principal is not a proper party to a defendant's breach of contract claims.” However, Conservice does not argue or provide any evidence indicating that the customers are disclosed principals. To assert agency as a defense against contract liability, “an agent must disclose [its] agency status and the identity of [it]s principal at the time of contracting.” In other words, to establish it is acting as an agent, Conservice would have to demonstrate that at the time it accepts the Speedpay Terms and Conditions, ACI has notice that Conservice is acting as an agent on behalf of a particular customer-principal. Conservice does not make this showing. Moreover, the Hotel Constructors court also observes “[a]n agent is not liable on a contract he signs for a fully disclosed principal unless he clearly manifests his intention to bind himself instead of, or in addition to his principal.” Even granting the premise that Conservice is acting on behalf of fully-disclosed principals, Conservice has arguably “manifested [its] intent to bind [itself] instead of, or in addition to [its] principal” by affirmatively accepting the Terms and Conditions, which state in part: “You are not using [Speedpay] under a claim of agency or other third-party relationship on behalf of a User-customer.” In short, Conservice-as the proponent of the Motion to Dismiss under Rule 12(b)(7)-has failed to produce evidence indicating that the absent customers have a legally-protectable interest under its principal-agent theory.
See Motion to Dismiss at 10 (citing United Keetoowah Band of Cherokee Indians in Okla. v. Kempthorne, 630 F.Supp.2d 1296, 1301 (E.D. Okla. 2009)).
See Id. at 11.
See Nicosia v. Amazon.com, Inc., 384 F.Supp.3d 254, 272 (E.D.N.Y. 2019) (collecting cases).
Motion to Dismiss at 10 (citing Hotel Constructors, Inc. v. Seagrave Corp., 99 F.R.D. 591, 593 (S.D.N.Y. 1983)).
Deutsche Bank Securities, Inc. v. Rhodes, 578 F.Supp.2d. 652, 666 (S.D.N.Y. 2008) (applying New York law).
Hotel Constructors, Inc., 99 F.R.D. at 592.
Complaint ¶ 10.
Finally, the court is not persuaded by Conservice's suggestion that because the customers, Conservice, ACI, and the billers are part of a “supply chain, ” the billers and customers must have the opportunity “to assert their contractual rights and interests” through this suit. Unlike the single case Conservice cites to support this proposition, which involved a complex international supply chain involving the sale of luxury vehicles, ACI's Complaint describes a straightforward transaction between a biller and a customer on the Speedpay platform, into which Conservice injects its payment service. Moreover, ACI's Complaint centers on the contract between itself and Conservice formed by the Terms and Conditions, and Conservice's alleged breach of that agreement. Even granting the supply chain analogy, ACI's Complaint focuses on just one link in the chain. Absent any evidence suggesting the billers or customers have a legally protected interest in the outcome of the dispute between ACI and Conservice, the court cannot find the billers or customers are necessary parties under Rule 19(a), much less indispensable parties under Rule 19(b) whose absence requires the dismissal of the Complaint.
Motion to Dismiss at 12 (citing Creative Trade Group, Inc. v. Int'l Trade All., Inc., No. 08-C-2561, 2009 WL 3713345, at *12 (N.D. Ill. Nov. 4, 2009)); Reply at 8.
See Creative Trade Group, Inc., 2009 WL 3713345, at *2.
See Complaint ¶¶ 8-17.
Cases in which dismissals were proper under Rule 19 further illustrate this point. In Northern Arapaho Tribe, the Tenth Circuit upheld the district court's dismissal of an action for failure to join necessary parties when the Eastern Shoshone Tribe could not be joined. N. Arapaho Tribe, 697 F.3d at 1279. In that case, the Eastern Shoshone Tribe had an interest related to the subject of the action: “the Indian country status of the 1905 Act Area, ” and a “determination of that status in the absence of the Eastern Shoshone would, as a practical matter, impair or impede the ability of the Eastern Shoshone to protect that interest, ” “because whether a particular tract of land is or is not Indian country has significant implications for the governance of that land and the events occurring upon it.” Id. at 1279. In another case involving federally-recognized Indian tribes, dismissal under 12(b)(7) was appropriate when the Potawatomi Nation disputed the implementation of a federal funding formula that had been negotiated between the Potawatomi and four other tribes, none of which was a party to the action. Citizen Potawatomi Nation v. Norton, 248 F.3d 993, 995-96, 999 (10th Cir. 2001), opinion modified on reh'g, 257 F.3d 1158 (10th Cir. 2001). And in Wolf Mountain Resorts, a case Conservice cites in support of its Motion, the indispensable party was a named party to the lease at the center of the dispute. Wolf Mountain Resorts, LC v. Talisker Corp., No. 2:07-CV-00548-DAK, 2008 WL 65409, at *3 (D. Utah Jan. 4, 2008). In all these cases, the absent party had a legal interest clearly implicated by the suit in question; the interest was not speculative or inchoate.
II. Conservice's Motion to Dismiss for Failure to State a Claim is Granted in Part and Denied in Part
The court next turns to Conservice's arguments under Rule 12(b)(6). For the reasons explained below, the court finds ACI states a claim for breach of contract, fails to state a claim for fraud, and fails to state a claim under the Computer Fraud and Abuse Act. Each claim for relief is discussed in turn.
As discussed, ACI states New York law applies to the state-law claims per a choice of law provision in the Terms and Conditions. Opposition at 16 n.4. Conservice primarily cites Utah law for its Rule 12(b)(6) arguments, but does not directly dispute New York law would apply under the contract. See Reply at 10-12 (citing New York law). Because the court concludes ACI has adequately stated a claim for breach of contract, the court applies New York law to the state-law contract and fraud claims.
A. ACI Adequately States a Claim for Breach of Contract
Conservice argues it is not a party to the contract at issue, the Terms and Conditions, because (1) it acts as an agent for the customers and (2) there was no mutual assent to the contract since “ACI fails to allege a single instance in which Conservice has encountered an identifiable clickwrap or affirmatively acknowledged its agreement to those Terms and Conditions.” Therefore, Conservice argues the breach of contract claim must fail.Conservice further argues ACI has failed to allege damages proximately caused by Conservice's breach, because the use of a virtual credit card for which ACI pays a higher fee “is not prohibited by ACI's Terms and Conditions, ” and therefore, “Conservice's conduct is not the cause of ACI's damages.”
Motion to Dismiss at 14.
Id.
Id. at 14-15.
ACI responds that Conservice is a party to the Terms and Conditions because it affirmatively accepts them each time it uses Speedpay, and that it has adequately pleaded damages. ACI cites case law upholding clickwraps, such as Speedpay's, as enforceable contracts and argues it has sufficiently alleged Conservice accepted the Terms and Conditions by alleging “nearly all” Speedpay cites use clickwraps. ACI further argues it has adequately pleaded damages because it alleged Conservice's use of single-use virtual credit cards on the Speedpay platform, in violation of the Terms and Conditions, has cost ACI at least $5 million in damages.
Opposition at 17-19.
Id. at 17-18 (citing Fteja v. Facebook, Inc., 841 F.Supp.2d 829, 837 (S.D.N.Y. 2012); Nicosia v. Amazon.com, Inc., 384 F.Supp.3d 254 (E.D.N.Y. 2019)).
Id. at 19 (citing Complaint ¶ 17).
The court finds ACI has adequately pleaded breach of contract. To prevail on a breach of contract claim in New York, a party must show: “(1) a contract; (2) performance of the contract by one party; (3) breach by the other party; and (4) damages.” ACI has pleaded the existence of a contract: the Terms and Conditions. ACI pleads it has abided by its Terms and Conditions, but that Conservice has breached them by affirmatively accepting the Terms and Conditions despite not being an individual consumer. And ACI has pleaded damages flowing from Conservice's breach: an estimated $5 million dollars in additional costs.
Napster, LLC v. Rounder Records Corp., 761 F.Supp.2d 200, 206 (S.D.N.Y. 2011) (citing Terwilliger v. Terwilliger, 206 F.3d 240, 246 (2d Cir. 2000)).
Complaint ¶¶ 9-11.
Id. ¶¶ 11-14, 18.
Id. ¶ 17.
Conservice is incorrect that ACI is required to describe a specific instance in which Conservice accepted the Terms and Conditions to adequately plead breach of contract under Rule 8. While Conservice is correct that “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice, ” ACI's Complaint offers more than conclusory statements. As the Supreme Court has explained: “[a] claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. The plausibility standard is not akin to a probability requirement, but it asks for more than a sheer possibility that a defendant has acted unlawfully.” ACI goes beyond just pleading the elements of the cause of action for breach of contract. Rather, as discussed, ACI has pleaded factual content describing a longstanding pattern of Conservice using the Speedpay platform in violation of the Terms and Conditions, despite accepting those terms via clickwraps and receiving cease-and-desist letters from ACI. At the motion to dismiss stage, this is sufficient.
Motion to Dismiss at 13 (citing Iqbal, 556 U.S. at 678).
Iqbal, 556 U.S. at 678 (citing Twombly, 550 U.S. at 556).
Complaint ¶¶ 12-18.
See Khalik v. United Air Lines, 671 F.3d 1188, 1192 (10th Cir. 2012) (“Under Rule 8, specific facts are not necessary; the statement need only give the defendant fair notice of what the claim is and the grounds upon which it rests.”) (internal citations and quotations omitted).
As to damages, Conservice is incorrect that ACI would have to plead Conservice's use of virtual credit cards-the source of the high interchange fees-is what violates the Terms and Conditions to have adequately pleaded damages. Under New York law, damages are awarded for foreseeable injury caused by a breach of contract. ACI has alleged Conservice's use of the Speedpay platform breaches Speedpay's Terms and Conditions because Conservice is a third-party user making use of the platform for commercial purposes. Conservice's actions in breach of the Terms of Conditions have in turn caused foreseeable damages to ACI because in using Speedpay for commercial purposes, Conservice employs virtual single-use credit cards carrying high interchange fees which ACI must pay. In other words, ACI has adequately pleaded damages flowing directly from Conservice's breach of the Terms of Services.
See, e.g., Terwillger, 206 F.3d at 248 (citing Freund v. Washington Square Press, Inc., 314 N.E.2d 419, 420-21 (N.Y. 1974)).
Complaint ¶ 21.
Id. ¶¶ 14, 16-17.
To summarize, because ACI adequately pleads the elements of a breach of contract claim, Conservice's Motion to Dismiss the first claim for relief is denied.
B. ACI Does Not State a Claim for Fraud
Conservice next argues in its Motion to Dismiss that ACI fails to plead fraud with the particularity required under Rule 9(b). Specifically, Conservice argues that because the Complaint does not allege a specific date or time Conservice accepted the Speedpay Terms and Conditions, a specific customer on whose behalf Conservice used Speedpay, the billers who were paid, or which ACI platform was used, the fraud claim must be dismissed. Additionally, Conservice argues ACI has not pleaded that Conservice owed a duty of care to ACI outside of the terms of the contract.
Motion to Dismiss at 15-16.
Id. at 16.
Id. at 16-17.
ACI responds that its fraud claim survives because, under New York law, a false statement of intention sufficiently supports an action for fraud, even if the statement relates to a contractual agreement. Therefore, because ACI's Terms and Conditions require a Speedpay user to make affirmative representations when it accepts the Terms and Conditions, and those representations were false when made by Conservice, ACI argues it has stated a claim for fraud. Additionally, ACI argues because its Complaint alleges Conservice “was submitting transactions through Speedpay at least throughout 2020, ” and further alleges the December 2020 cease-and-desist letter identified specific billers, the Complaint is sufficiently particular to satisfy Rule 9(b).
Opposition at 19-20 (citing Xiotech Corp. v. Express Data Prods. Corp., 11 F.Supp.3d 225, 241 (N.D.N.Y. 2014) (“Where a plaintiff pleads both a fraud claim and a breach of contract claim, the plaintiff must distinguish the two by (1) demonstrating a legal duty separate from the duty to perform under the contract, (2) demonstrating a fraudulent misrepresentation collateral or extraneous to the contract, or (3) seeking special damages caused by the misrepresentation and unrecoverable as contract damages.”) (citation omitted)).
Id. at 20-21.
Id. at 21-22. In Reply, Conservice argues a fraudulent inducement theory “presupposes that the complaining party would not have executed the contract but for the contract's false statements, ” and because ACI offered the contract on a take-it-or-leave-it basis to users of Speedpay, a fraudulent inducement theory is impossible to maintain. Reply at 10-11.
The court agrees with Conservice. Even assuming arguendo that ACI's fraudulent inducement theory is applicable, ACI fails to plead fraudulent inducement with the necessary particularity. Under Federal Rule of Civil Procedure Rule 9(b), “a party must state with particularity the circumstances constituting fraud or mistake.” The Tenth Circuit has explained that Rule 9(b) requires a complaint alleging fraud to “identify the time, place, content, and consequences of fraudulent conduct, ” or more plainly, to “plead the who, what, when, where and how of the alleged [fraud].” This accords with Rule 9(b)'s purpose “to afford defendant fair notice of plaintiff's claims and the factual ground upon which they are based.” In George v. Urban Settlement Services, the Tenth Circuit found fraud allegations were unsatisfactory when the plaintiff only generally alleged that he “sometimes on specific dates, made phone calls . . . spoke with unidentified . . . employees who made false representations to him via phone, and received letters through the mail . . . containing false and misleading statements.” However, allegations identifying specific employees by name, specific dates when employees made false statements, and specific actions taken in reliance on those misrepresentations were sufficient to state a claim for fraud.
United States ex rel. Lemmon v. Envirocare of Utah, Inc., 614 F.3d 1163, 1171 (10th Cir. 2010) (internal citations and quotations omitted).
Koch v. Koch Indus., Inc., 203 F.3d 1202, 1236-37 (10th Cir. 2000) (internal citation and quotation omitted).
833 F.3d 1242, 1255-56 (10th Cir. 2016).
Id. at 1256.
ACI's allegations more closely resemble the insufficient allegations in George. Alleging that Conservice accessed non-specific “websites” to use Speedpay between January 2020 and December 2020, and accepted the Terms and Conditions each time it used Speedpay, is not sufficiently particular to make out a claim for fraud. As discussed, ACI must plead the who, what, when, where, and how of the alleged fraud. ACI has generally pleaded the “who” (Conservice), the “what” (using Speedpay in violation of the Terms and Conditions), the “how” (accessing Speedpay via websites and clicking “yes” on the Terms and Conditions), and the “when” (between 2018 and 2020). ACI also identifies the consequences of the fraud: at least $5 million in damages. But ACI does not more specifically identify the “who” (the customers Conservice was acting on behalf of or the billers being paid), the “where” (which websites were accessed), or the “when” (particular dates on which Conservice accessed Speedpay). As the Tenth Circuit has explained, “Rule 9(b) does not require omniscience; rather the Rule requires that the circumstances of the fraud be pled with enough specificity to put defendants on notice as to the nature of the claim.” As pleaded, ACI's Complaint does not plead the circumstances of the alleged fraud with enough specificity to put Conservice on notice as to the nature of the claims against it. Accordingly, Conservice's Motion to Dismiss ACI's claim for relief for fraud is granted.
United States ex rel. Polukoff v. St. Mark's Hosp., 895 F.3d 730, 745 (10th Cir. 2018) (citing Williams v. Duke Energy Int'l, Inc., 681 F.3d 788, 803 (6th Cir. 2012)).
C. ACI Does Not State a Claim Under the CFAA
Conservice argues that ACI fails to state a claim under the Computer Fraud and Abuse Act (CFAA) for two reasons: first, ACI's Complaint fails to allege liability under the CFAA because it does not allege Conservice “exceeded authorized access” by using the Speedpay platform, and second, ACI fails to adequately allege “loss” within the meaning of the CFAA. The court takes up each argument in term.
i. ACI Adequately Pleads Conservice's Access Was “Without Authorization”
Conservice argues ACI's claim under the CFAA does not survive Van Buren v. United States, a recent Supreme Court case interpreting the CFAA. The court first discusses the structure of the CFAA and the Supreme Court's recent holding in Van Buren before evaluating the Parties' arguments.
141 S.Ct. 1648, 1649 (2021).
Subsections (a)(2) and (a)(4) of the CFAA provide in relevant part that “whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer” or “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . shall be punished as provided in subsection (c) of this section.” The CFAA is primarily a criminal statute, and subsection (c) enumerates the consequences of a violation. Relevant to this case, the CFAA also provides a civil cause of action in subsection (g): “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator.” Accordingly, subsections (a)(2) and (a)(4) each create civil liability either for “exceeding authorized access” or for accessing “without authorization, ” which this order will refer to as the “exceeds authorized access prong” and the “without authorization prong.”
18 U.S.C. §§ 1030(a)(2)(C), (a)(4).
Id. § 1030(c).
Id. § 1030(g).
Conservice argues only that the Complaint does not allege Conservice “exceeded authorized access” in using the Speedpay platform. See Motion to Dismiss at 18-20. Conservice does not argue the Complaint fails to allege it either “obtain[ed] information” from a protected computer, pursuant to subsection (a)(2), or “with the intent to defraud, accesse[d] a protected computer . . . and by means of such conduct further[ed] the intended fraud and obtain[ed] anything of value, ” pursuant to subsection (a)(4). Accordingly, the court determines only whether ACI adequately alleged Conservice acted either “without authorization” or “exceeded authorized access” in using the Speedpay platform.
In Van Buren v. United States, a police officer was convicted under the CFAA after he accepted a bribe to use his access to a license plate database to locate a record on an individual.The prosecution argued he had “exceeded authorized access” under the CFAA because he used his authorized access to the license plate database for “an improper purpose.” The Supreme Court reversed the conviction, holding that the exceeds authorized access prong does not apply to situations like Van Buren's, in which someone with authorized access to a system uses that access in an unauthorized manner. Rather, a person only exceeds authorized access when they access part of a computer system they lack permission to access, “such as files, folders, or databases . . . that are off limits.”
Van Buren, 141 S.Ct. at 1653.
Id.
Id. at 1655.
Id. at 1662.
Conservice argues that because Van Buren prevents applying the CFAA to situations in which someone uses authorized access for an unauthorized purpose, ACI's CFAA claim fails: “[t]he Complaint is devoid of a single allegation that Conservice hacked into any area on ACI's computer systems to gain access to information that it was not otherwise entitled to see.”
Motion to Dismiss at 20.
ACI replies that Conservice discusses the wrong prong of the CFAA: “ACI pled, and previously advised Conservice, that it had no authority whatsoever to use Speedpay to submit payments on behalf of consumers.” In other words, ACI alleges liability under the without authorization prong, not under the exceeds authorized access prong. ACI argues it pleaded that the Terms and Conditions prohibit users from using Speedpay for commercial purposes and that ACI had previously advised Conservice, through multiple cease-and-desist letters, that it had no authority to use the Speedpay service. Accordingly, ACI argues it has adequately stated a claim for relief under the without authorization prong of the CFAA.
Opposition at 22 (emphasis in original).
Id. at 23.
Id. at 22-23.
The court agrees with ACI. While Conservice is correct that Van Buren precludes liability under the exceeds authorized access prong for those who use authorized access to a computer for an unauthorized purpose, ACI adequately alleges liability under the without authorization prong. Since Van Buren was decided, numerous district courts have recognized that Van Buren's holding applies only to the exceeds authorized access prong and did not similarly limit the scope of the other provisions of the CFAA, including the without authorization prong. For example, a New York district court observed in Better Holdco, Inc. v. Beeline Loans, Inc. that “while Van Buren resolved a circuit split as to how to interpret the phrase ‘exceeds authorized access,' that is not the theory that [Better] is pursuing here. . . . [Better argues] that [Defendant's employee] Abramowitz, after he left Better, gained ‘unauthorized' access to Better's Facebook Ad Manager Account. Van Buren thus has little relevance-and is surely not ‘arguably dispositive'-as to the question of whether Better has adequately pleaded that Abramowitz's access was ‘unauthorized.'” Similarly, a Pennsylvania district court, interpreting the CFAA in a criminal case, recognized that the Van Buren court's discussion of the interplay between the without authorization and exceeds authorized access prongs did not preclude a theory under the without authorization prong:
No. 20-CV-8686 (JPC), 2021 WL 3173736, at *3 n.3 (S.D.N.Y. July 26, 2021). See also, e.g., Leitner v. Morsovillo, No. 21-CV-3075-SRB, 2021 WL 2669547, at *4 (W.D. Mo. June 29, 2021) (denying motion to dismiss CFAA claim when plaintiff adequately alleged defendants had accessed information “without authorization” and also explaining: “The question of the scope of authorization, including the issue of which party controlled the various computer systems or platforms at issue in this case, remains a fact-intensive inquiry ill-suited for resolution on a Rule 12(b)(6) motion”); Bowen v. Porsche Cars, N.A., Inc., -- F.Supp.3d --, No. 1:21-CV-471-MHC, 2021 WL 4726586, at *4 (N.D.Ga. Sept. 20, 2021) (denying motion to dismiss CFAA claim and observing Van Buren's holding on the exceeds authorized access prong of CFAA “has no application” to claims brought under the without authorization prong).
[E]ven where the Court in Van Buren discusses the interplay between liability for access “without authorization” and access that “exceeds authorization, ” nothing in the analysis [precludes] the Government's theory of prosecution. In particular, the Supreme Court agreed with Van Buren that access “without authorization” “protects computers themselves by targeting so-called outside hackers-those who ‘acces[s] a computer without any permission at all.'” The Court went on to state that “[u]nder Van Buren's reading, liability under both clauses stems from a gates-up-or-down inquiry-one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” . . . Eddings argues that there can be no criminal liability under the access “without authorization” clause because Denis was not an “‘outside hacker' attempting to get ‘gates down' unauthorized access to the IFC server.” . . . However, the Government's theory of the case is that Denis was akin to an “outside hacker”- someone “who acces[sed] a computer without any permission at all.” . . . [T]he mere fact that [Defendant] retained possession of a password which allowed her to access the server post-employment does not, under Van Buren, mean that she
necessarily was “authorized” to access the server. Rather, the issue of whether, after she terminated her employment, Denis remained authorized to access the IFC server is properly a question of fact for determination by a jury.
United States v. Eddings, No. 5:19-CR-00535, 2021 WL 2527966, at *4-5 (E.D. Pa. June 21, 2021).
Accordingly, the court looks to case law from both before and after Van Buren to determine whether ACI has adequately pleaded that Conservice accessed Speedpay “without authorization.” There is little Tenth Circuit authority interpreting the CFAA. Therefore, the court finds persuasive decisions of other circuit and district courts which have interpreted the without authorization prong in similar contexts. In particular, the court looks to a Ninth Circuit decision specifically analyzing the without authorization prong in the context of alleged violations of a website's Terms and Conditions.
The Tenth Circuit has recognized that a defendant accesses a computer “without authorization” by falsely posing as someone else and using the login credentials created for the other person to gain access to a protected computer. United States v. Willis, 476 F.3d 1121, 1123, 1125-27 (10th Cir. 2001); see also Podium Corp. Inc. v. Chekkit Geolocation Servs. Inc., No. 2:20-CV-352-DB, 2020 WL 6940737, at *2 (D. Utah Nov. 25, 2020) (dismissing a motion to dismiss a CFAA claim when plaintiff alleged the defendant “fraudulently posed as a customer of [plaintiff] and then used that false identity to obtain login credentials to access [plaintiff's] password-protected platform.”). Because ACI alleges Conservice uses customer log-in credentials with permission of the customers, Willis and Podium Corp. Inc. do not end the inquiry.
In Facebook, Inc. v, Power Ventures, Inc., the Ninth Circuit affirmed a district court's grant of summary judgment to Facebook, finding defendant Power had violated the CFAA. The Circuit Court held that the combination of violating a website's terms of use and subsequently disregarding cease-and-desist letters constituted access “without authorization” resulting in liability under the CFAA. Power argued that it had authorization from Facebook users to access Facebook's website for its purpose of “disseminat[ing] messages” through user accounts. The Circuit Court agreed that “Power had at least arguable permission to access Facebook's computers, [and so] it did not initially access Facebook's computers ‘without authorization.'” But that changed when Facebook expressly rescinded permission through its cease-and-desist letter detailing Power's violation of Facebook's terms of use and possible violation of federal and state law, which “plainly put Power on notice that it was no longer authorized to access Facebook's computers.” The Circuit Court found that stating a violation of terms of use alone would not have been enough to assert a claim under the CFAA, but Facebook's notice of revoked permission was sufficient. The Court further explained by way of analogy:
Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1069 (9th Cir. 2016).
Id. at 1068.
Id. at 1067.
Id.
Id. at 1067 n.3.
Id. at 1067-68.
Suppose that a person wants to borrow a friend's jewelry that is held in a safe deposit box at a bank. The friend gives permission for the person to access the safe deposit box and lends him a key. Upon receiving the key, though, the person decides to visit the bank while carrying a shotgun. The bank ejects the person from its premises and bans his reentry. The gun-toting jewelry borrower could not then reenter the bank, claiming that access to the safe deposit box gave him authority to stride about the bank's property while armed. In other words, to access the safe deposit box, the person needs permission both from his friend (who controls access to the safe) and from the bank (which controls access to its premises). Similarly, for Power to continue its campaign using Facebook's computers, it needed authorization both from individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers). Permission from the users alone was not sufficient to constitute authorization after Facebook issued the cease and desist letter.
Id. at 1068. Applying this holding, other district courts within the Ninth Circuit have held access to a computer or website in violation of terms or use is “without authorization” only after permission has been explicitly revoked. See, e.g., Rimini St., Inc. v. Oracle Int'l Corp., 473 F.Supp.3d 1158, 1183 (D. Nev. 2020); Glam & Glits Nail Design, Inc. v. #NotPolish, Inc., No. 21-CV-0052-GPC-DEB, 2021 WL 2317410, at *8 (S.D. Cal. June 7, 2021).
Conservice's use of ACI's Speedpay platform closely mirrors Power's use of Facebook. Here, Conservice argues it has been authorized by specific customers to access Speedpay, just as Power argued it had been authorized by Facebook users to log into their accounts. And ACI pleads that such use violates Speedpay's Terms and Conditions, and that Conservice was put on notice of this violation through multiple cease-and-desist letters. Just as in Facebook, Inc., the combination of Conservice's violation of the Speedpay Terms and Conditions, subsequent receipt of cease-and-desist letters providing notice it was in violation of those Terms, and continued access to Speedpay after that notice can constitute access without authorization under the CFAA. ACI has therefore stated a plausible “without authorization” CFAA claim against Conservice that is not precluded by Van Buren.
ii. ACI Does Not Adequately Allege “Loss” Under the CFAA
Conservice argues that even if ACI adequately alleges Conservice violated the CFAA, ACI fails to allege either of the two types of harm the CFAA provides a remedy for. Specifically, because ACI alleges damages resulting from paying higher interchange fees- “damage … borne of its own business decisions”-Conservice argues ACI has failed to allege “loss” or “damage” as contemplated by the CFAA.
Motion to Dismiss at 21.
ACI responds first that Rule 8 “does not require [it] to identify a specific dollar amount of damages nor does it require ACI to specifically identify its general damages.” Second, ACI argues it has pleaded “loss” under the CFAA because it alleged that it sustained “increased costs that ACI would otherwise have not incurred” as a result of Conservice's pattern of using Speedpay to make payments. Therefore, “these factual allegations are sufficient to plead that ACI sustained loss in responding to Conservice's offenses and assessing damages.” ACI also argues that it need not allege harm relating to “interruption of service, ” one of two forms of loss under the CFAA.
Opposition at 24.
Id. (citing Complaint ¶ 32).
Id.
Id. at 24-25.
The CFAA indeed defines two types of loss: “(1) reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and (2) any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”“Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” Meeting one of the two definitions of loss is vital because “[a] civil action for a violation of [the CFAA] may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).” Subclause (I) outlines the conduct relevant to ACI's claim: “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” The Supreme Court explained in Van Buren that “[t]he statutory definitions of ‘damage' and ‘loss' . . . focus on technological harms-such as the corruption of files-of the type unauthorized users cause to computer systems and data. Limiting ‘damage' and ‘loss' in this way makes sense in a scheme ‘aimed at preventing the typical consequences of hacking.'”
Id. § 1030(e)(8).
Id. § 1030(g); see also, e.g., Yoder & Frey Auctioneers, Inc. v. EquipmentFacts, LLC, 774 F.3d 1065, 1073-74 (6th Cir. 2014) (explaining a plaintiff may recover under the CFAA for demonstrating the first, second, or both types of loss).
18 U.S.C. § (c)(4)(A)(i)(I). For this reason, ACI's Rule 8 argument is misplaced. While a plaintiff need not specifically identify damages to satisfy Rule 8, alleging loss is a prerequisite to bringing a civil action for a violation of the CFAA.
Van Buren, 141 S.Ct. at 1660 (citing Royal Truck & Trailer Sales and Serv., Inc. v. Kraft, 974 F.3d 756, 760 (6th Cir. 2020)).
ACI argues it has specifically pleaded loss “in responding to Conservice's offenses and assessing damages, ” which falls under the first definition of loss. Conservice argues that under Van Buren, any allegation of loss under the CFAA must include technological harm. As with the without authorization prong, the Tenth Circuit has provided little guidance on interpreting loss under the CFAA. Additionally, very few district courts have had the opportunity to weigh in following Van Buren. Again, the court looks to persuasive authority outside of this circuit to determine if ACI has adequately pleaded loss under the first definition, which includes “the cost of responding to an offense.”
Opposition at 24.
Motion to Dismiss at 21-22; Reply at 13-14.
Courts within the Second Circuit narrowly interpret the phrase “cost of responding to an offense” and limit it “to situations involving damage to or impairment of the protected computer.” Accordingly, post-Van Buren, a New York district court granted a motion to dismiss when a plaintiff did not adequately allege loss under the CFAA. Specifically, allegations that a plaintiff spent over $5,000 “responding to” the violation was insufficient because the plaintiff had not alleged the money had been spent responding to “efforts to identify, diagnose, or address damage to the protected device or from an interruption of service.” The court found allegations that plaintiff's business personnel had “investigated access to the [compromised account] and reviewed change logs, the Ad Data that was improperly downloaded, and the screenshots [defendant] had taken of the Account” were insufficient under the narrow definition.
Better Holdco, Inc., 2021 WL 3173736, at *3-4 (collecting cases).
Id. at *4 (internal citations omitted).
Id. at *2.
Id.at *4.
In contrast, courts in other circuits interpret “cost of responding to an offense” more broadly. Post-Van Buren, a Georgia district court denied a motion to dismiss, following Eleventh Circuit precedent and finding the plaintiff had adequately alleged loss under the CFAA when he pleaded over $5,000 in loss, including time he would have spent working had he not been addressing unauthorized access to his car's computer. Pre-Van Buren, the Fourth and Sixth Circuits also included time spent working responding to an offense as loss under the CFAA.
Bowen, 2021 WL 4726586, at *5 (citing Brown Jordan Int'l, Inc. v. Carmicle, 846 F.3d 1167, 1174 (11th Cir. 2017) (“‘Loss' includes the direct costs of responding to the violation in the first portion of the definition.”)).
Yoder, 774 F.3d at 1073-74 (holding a 200-300 hour probe into unauthorized access met the definition of “loss” under the CFAA); A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009) (“This broadly worded provision plainly contemplates consequential damages of the type sought by iParadigms-costs incurred as part of the response to a CFAA violation, including the investigation of an offense.”).
The court agrees with Conservice that ACI does not adequately allege loss within the meaning of the CFAA. Even under the broader interpretation of “cost of responding to an offense” adopted by the Fourth, Sixth, and Eleventh Circuits, ACI does not allege facts that would allow the court to infer it incurred costs “responding to [the] offense” of Conservice's use of Speedpay. ACI alleges it incurred at least $5 million in damages from Conservice's actions, including “costs it would not have otherwise incurred.” But aside from that conclusory statement, ACI does not provide any factual support indicating the “costs that [it] would otherwise not have incurred” related to actions taken to investigate or otherwise respond to the offense of Conservice's use of Speedpay. Accordingly, the court concludes that ACI has failed to allege loss under the CFAA.
The court reads the Van Buren decision to suggest a trend toward a narrower reading of the CFAA, including those provisions concerning damage and loss, but disagrees with Conservice that the Van Buren court's observation in dicta about damage and loss limits those provisions to exclusively technological harms. However, at this stage, the court will not select between the Second Circuit's narrower interpretation and the Fourth, Sixth, and Eleventh Circuit's broader interpretation of “costs of responding to an offense” because ACI's allegations of loss are insufficient under either interpretation.
Complaint ¶¶ 17, 32.
Having found ACI adequately pleaded that Conservice accessed Speedpay “without authorization” but that ACI did not adequately plead “loss” within the meaning of the CFAA, ACI's CFAA claim fails as currently pleaded.
CONCLUSION
For the reasons explained above, Conservice's Motion to Dismiss ACI's Complaint is GRANTED IN PART and DENIED IN PART. Conservice's Motion under Rule 12(b)(7) is DENIED. Conservice's Motion under Rule 12(b)(6) is GRANTED with regard to ACI's causes of action for fraud and under the CFAA, and DENIED with regard to ACI's cause of action for breach of contract.
Dkt. 20.
SO ORDERED.