Summary
holding that conclusory allegation that claimant “has been damaged,” unaccompanied by allegation as to the nature of such damage, and further assertion that “data was erased” without identification of the data that was allegedly erased, insufficient to state CFAA claim
Summary of this case from New South Equipment Mats, LLC v. KeenerOpinion
Case No. 11-2693-JWL
05-09-2012
Brooke Bashaw, Katie Sellers and Lauren Spalsbury, Plaintiffs, v. Jeremiah Johnson, Defendant.
MEMORANDUM AND ORDER
Plaintiffs are former employees of defendant Jeremiah Johnson and/or defendant's law firm. Plaintiffs filed this diversity lawsuit alleging that defendant required plaintiffs to wear skirts in the office and then used an application on his iPhone and iPad to conduct video surveillance of the area beneath a particular desk in the office such that defendant secretly obtained video recordings of plaintiffs' legs, lower torsos and undergarments. Plaintiffs assert state law claims of invasion of privacy; outrage; and breach of fiduciary duty. Defendant has counterclaimed for violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. (CFAA), and breach of contract. Specifically, he contends that plaintiffs, in violation of the CFAA, accessed defendant's iPhone and iPad in excess of their authorization and deleted data from those devices. He further contends that plaintiffs breached a confidentiality agreement by disclosing to the district attorney's office information obtained during a confidential mediation session.
This matter is presently before the court on plaintiffs' motion to dismiss defendant's counterclaims for failure to state a claim pursuant to Federal Rule of Civil Procedure 12(b)(6). As will be explained, the motion is granted in part and denied in part. The motion is granted with respect to defendant's CFAA counterclaim and that claim is dismissed in its entirety. With respect to defendant's breach of contract counterclaim, the motion is granted to the extent defendant claims he was exposed to an increased risk of criminal prosecution as a result of the alleged breach and is denied to the extent defendant claims he incurred attorneys' fees as a result of the breach.
Although plaintiff Brooke Bashaw has not joined in the motion to dismiss, the court sua sponte dismisses defendant's counterclaims against Ms. Bashaw to the same extent as it dismisses those claims against the other plaintiffs.
Computer Fraud and Abuse Act Claim
Count I of the counterclaim complaint asserts that one or more plaintiffs violated the Computer Fraud and Abuse Act (CFAA) by accessing, without authorization or in excess of their authorization, defendant's iPad, iPhone and one or more of defendant's computers and deleting unspecified data from those devices. Defendant asserts that he has been damaged by the actions of plaintiffs and that the damages "would exceed" at least $5000 in value "and would be a threat or invasion of the public interest and confidential information contained therein." Plaintiffs move to dismiss this counterclaim on the grounds that the claim fails under Iqbal/Twombly in at least two respects-defendant does not sufficiently allege the nature of his damages within the meaning of the CFAA and defendant does not sufficiently allege a qualifying "loss" within the meaning of the CFAA. As will be explained, the court concludes that defendant has adequately pled neither damages nor loss within the meaning of the CFAA. Dismissal of the counterclaim, then, is warranted.
Plaintiffs also contend that defendant cannot plausibly allege facts in support of the "without authorization" or "exceeds authorization" element of his CFAA claim. Because dismissal of the CFAA claim is clearly appropriate on other grounds, the court declines to address this issue.
The CFAA is a federal statute that criminalizes certain activities in connection with computers. See 18 U.S.C. § 1030. Despite the criminal nature of the CFAA, it does provide a private civil cause of action under limited circumstances. See id. § 1030(g); TriTeq & Sec. LLC v. Innovative Secured Solutions, LLC, 2012 WL 394229, at *5 (N.D. Ill. Feb. 1, 2012). Pursuant to § 1030(g), a civil action may be brought only if the conduct "involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i)." 18 U.S.C. § 1030(g). In other words, a plaintiff alleging a violation under § 1030(g) must allege the conduct involved one of the following factors:
(I) loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value; (II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; (III) physical injury to any person; (IV) a threat to public health or safety; [or] (V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security.Id. § 1030(c)(4)(A)(i)(I)-(V).
In his counterclaim, defendant states claims against plaintiffs under § 1030(g) for violations of § 1030(a)(2), (a)(4) and (a)(5). Each of these subsections, with some variation, prohibits accessing a protected computer without authorization and obtaining information from the computer. According to the counterclaim complaint, each of these asserted violations are based on conduct (as required by § 1030(g)) involving a loss aggregating at least $5,000 in value. For each of these asserted violations, then, defendant must allege a "loss" within the meaning of the CFAA. In addition, subsection (a)(5) contains an express "damage" requirement such that defendant must also adequately allege "damage" within the meaning of the statute for purposes of his subsection (a)(5) claim. See TriTeq Lock, 2012 WL 394229, at *5. Thus, to state a claim under § 1030(g) for violation of § 1030(a)(5) based upon § 1030(c)(4)(A)(i)(I), a plaintiff must allege both "damage" and a "loss" aggregating at least $5,000 in value. Id.
Although defendant's counterclaim also references a "threat or invasion of the public interest," that circumstance is not one of the enumerated circumstances set forth in subsection (c)(4)(A)(I). Thus, the only circumstance identified in the counterclaim that fits within the enumerated circumstances of the statute is the asserted loss in excess of $5,000.
The CFAA defines the term "damage" as "any impairment to the integrity or availability of data, a program, a system, or information." 18 U.S.C. § 1030(e)(8). In construing this term, courts have determined that "damage" refers to "the destruction, corruption, or deletion of electronic files, the physical destruction of a hard drive, or any 'diminution in the completeness or usability of the data on a computer system.'" See TriTeq Lock, 2012 WL 394229 at *6 (citing cases). Defendant conclusorily alleges in this counterclaim that he "has been damaged" but he does not assert the nature of such damage. In his submissions on the motion, he claims that he suffered damages because "data was erased." No where in his submissions or his counterclaim complaint does defendant identify the data that was allegedly erased. This allegation, then, essentially parrots the statutory language and is insufficiently factual to frame plausibly the damages element of defendant's CFAA claim. See TriTeq Lock, 2012 WL 394229, at *6 (plaintiff did not sufficiently allege "damage" for purposes of CFAA claim where complaint alleged only that defendant caused damage but failed to allege any facts "to give color to this bare assertion of damage"); Ipreo Holdings LLC v. Thomson Reuters Corp., 2011 WL 855872, at *7 (S.D.N.Y. Mar. 8, 2011) (the complaint must allege with some particularity "damage" as defined by the CFAA); Fink v. Time Warner Cable, 2009 WL 2207920, at *4 (S.D.N.Y. July 23, 2009) (dismissing CFAA claim under Iqbal where plaintiff alleged only that defendant caused damage by impairing the availability of data). For this reason, defendant cannot state a claim for relief under subsection (a)(5).
Similarly, defendant has not adequately pled a qualifying "loss" for purposes of the CFAA. Under the CFAA, "the term 'loss' means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." 18 U.S.C. § 1030(e)(11). The majority of courts have construed the term "loss" to include only two types of injury-costs incurred (such as lost revenues) because the computer's service was interrupted and costs to investigate and respond to computer intrusion or damage. See TriTeq Lock, 2012 WL 394229, at *6-7 (collecting cases); Trademotion, LLC v. Marketcliq, Inc., _ F. Supp. 2d _, 2012 WL 682465, at *6 (M.D. Fla. Mar. 2, 2012).
In his counterclaim, defendant has not alleged that he suffered any "loss" under the CFAA. While he alleges that unspecified losses "would exceed" $5,000 in value, he does not allege that he actually incurred losses in that amount. He does not allege or identify any investigative or response costs incurred as a result of the alleged CFAA violation and he does not allege any lost revenues or other losses incurred due to any interruption in service. In his submissions, he contends that qualifying losses under the statute include "for example" the prorated salaries or wages of employees who spent time restoring a backup of deleted data or recreating lost work, but he does not suggest that his employees performed these tasks or that he incurred costs relating to such tasks. Because he has not alleged any loss under the statute, defendant cannot maintain a CFAA claim for violations of any of the subsections identified in his counterclaim complaint. This claim is dismissed in its entirety.
Breach of Contract
For his second counterclaim, defendant alleges that the parties participated in a confidential mediation session and executed an agreement that any communications made in connection with the mediation would be deemed confidential. According to defendant, plaintiffs, after the mediation failed, violated the confidentiality agreement by providing information obtained during the mediation process to the district attorney, who was at that time investigating whether to pursue criminal charges against defendant relating to the subject of plaintiffs' lawsuit. Defendant alleges that the district attorney then contacted defendant's criminal attorney by telephone to discuss the pending investigation against defendant in light of the information disclosed from the mediation. Defendant contends that plaintiffs breached the confidentiality agreement and alleges damages "including but not limited to attorneys' fees and costs, and the potential that the matter under investigation by the Johnson County District Attorney's office would be formally commenced" against defendant.
Plaintiffs move to dismiss this claim on the grounds that the damages alleged by defendant are speculative and contingent and, as such, are not recoverable under Kansas law.With respect to defendant's claim of damages in the form of attorneys fees, plaintiffs assert that defendant had retained a criminal lawyer prior to the mediation and that his counterclaim alleges only one phone call in which his criminal lawyer participated as a result of the information provided by plaintiffs to the district attorney. He alleges no other activity involving his criminal lawyer resulting from any breach of the confidentiality agreement. With respect to the asserted "potential" that formal charges would be filed against defendant, plaintiffs contend that such damages are clearly speculative or contingent as no such charges have been filed to date.
Prior to their discussion of defendant's asserted damages, plaintiffs "note" certain situations in which a disclosure of information obtained at the mediation would not constitute a violation of the parties' confidentiality agreement. Plaintiffs' first scenario concerns a personal injury lawsuit concerning a car accident. Plaintiffs' second scenario assumes that defendant here, during the pre-suit mediation, threatened to contact law enforcement about pursuing criminal charges against plaintiffs for "computer crimes" if plaintiffs proceeded with a civil suit against him. According to plaintiffs, "if" defendant made such threats, then plaintiffs' counsel had a duty to contact the district attorney to discuss the merits of the threatened criminal charges and could do so without violating the agreement.
The court cannot ascertain whether the example provided by plaintiffs is intended as an actual or hypothetical example. Moreover, this argumentto the extent it is oneis not addressed in any substantive way in plaintiffs' reply brief. Finally, there are several instances in plaintiffs' motion in which the asserted basis for dismissal is clearly limited to the damages aspect of defendants' counterclaim. For these reasons, the court reads plaintiffs' motion as seeking dismissal of the counterclaim solely on the basis of the speculative nature of defendant's damages.
In response, defendant first contends that plaintiffs' argument "ignores other potential claims arising from Plaintiffs' conduct, including but not limited to negligent and intentional interference with potential business relations." Of course, it is not plaintiffs' responsibility to discern any and all potential claims that might arise from the allegations in Count II when defendant has expressly limited that count to a counterclaim for breach of contract. If defendant believes that these allegations form the basis for a counterclaim in addition to breach of contract, it is incumbent upon him to allege that claim. He has not done so at this juncture and the court takes the counterclaim at face value-as asserting only a counterclaim for breach of contract.
Turning back to defendant's claim for damages incurred as a result of the alleged breach of contract, plaintiffs have not directed the court to any authority for their assertion that "pointing to one phone call is not enough" to state a non-speculative claim for damages. While incurring fees for one phone call may not state a sizeable claim for damages, it is certainly a plausible claim for damages stemming from the alleged breach. See J.R. Simplot v. Chevron Pipeline Co., 563 F.3d 1102, 1116 (10th Cir. 2009) (measure of damages for breach of contract may include attorneys' fees incurred as a result of the breach); Shughart Thomson & Kilroy, P.C. v. Max Rieke & Bros., Inc., 24 Kan. App. 2d 205, 206 (1997) (referencing judgment that included attorney fees incurred as a result of breach of contract). Plaintiffs' motion to dismiss on this basis is denied.
With respect to defendant's asserted damages in the form of an increased risk of criminal prosecution, defendant does not respond at all to plaintiffs' argument that such "damages" are speculative in that criminal charges have not been filed against defendant. It appears, then, that defendant concedes that this element of his claim for damages is appropriately dismissed. But even aside from defendant's concession, the court would dismiss without prejudice this aspect of defendant's claim for damages. The mere possibility that defendant may be at an increased risk for criminal prosecution is speculative-it is entirely dependent on the potential future actions of a third party. Defendant's hypothetical speculation about the possibility of future injury is insufficient to show the requisite actual harm stemming from the alleged breach of contract. See State ex rel. Stovall v. Reliance Ins. Co., 278 Kan. 777, 789, 107 P.3d 1219 (2005) ("A party is not entitled to recover damages 'not the proximate result of the breach of contract and those which are remote, contingent, and speculative in character."').
In so deciding, the court finds particularly persuasive the decisions of numerous courts holding, in the context of data security breaches, that an allegation of an increased risk of identity theft, without more, does not amount to actual damage. See Reilly v. Ceridian Corp., 664 F.3d 38, 42-43 (3rd Cir. 2011) (affirming dismissal of claims for breach of contract and negligence relating to increased risk of identity theft where allegations of hypothetical, future injury were insufficient to plead actual injury); Pisciotta v. Old Nat'l Bancorp., 499 F.3d 629, 635-40 (7th Cir. 2007) (affirming grant of motion for judgment on the pleadings on negligence claim; allegations of information exposure and risk of identity theft does not constitute compensable injury); Brit Ins. Holdings N.V. v. Krantz, 2012 WL 28342, at *7-9 (N.D. Ohio Jan. 5, 2012) (granting 12(b)(6) motion on counterclaims for breach of contract and negligence where defendants alleged increased risk of identity theft; hypothetical future harm insufficient to demonstrate that defendants suffered actual harm as required for claims); Belle Chasse Automotive Care, Inc. v. Advanced Auto Parts, Inc., 2009 WL 799760, at *2 (E.D. La. Mar. 24, 2009) (granting 12(b)(6) motion on negligence claim where plaintiff alleged only increased risk of credit card fraud and identity theft, plus credit monitoring measures); Kahle v. Litton Loan Servicing LP, 486 F. Supp. 2d 705, 712 (S.D. Ohio 2007) (plaintiff cannot recover when "no unauthorized use of her personal information has occurred"); Key v. DSW, Inc., 454 F. Supp. 2d 684, 690 (S.D. Ohio 2006) ("[i]n the identity theft context, courts have embraced the general rule that an alleged increase in risk of future injury is not an 'actual or imminent' injury"); Hendricks v. DSW Shoe Warehouse, Inc., 444 F. Supp. 2d 775, 781-82 (W.D. Mich.2006) (plaintiff cannot recover for "a potential future loss which has not actually occurred"); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006) (plaintiff cannot recover for the "perceived risk of future harm").
For the foregoing reasons, the court dismisses that aspect of defendant's claim for damages relating to an increased risk of criminal prosecution. Without expressing any opinion on the viability of an amendment, defendant may move to amend his counterclaim with respect to his damages at some future date if criminal charges are initiated against him.
IT IS THEREFORE ORDERED BY THE COURT THAT plaintiffs' motion to dismiss defendant's counterclaims (doc. 6) is granted in part and denied in part.
IT IS SO ORDERED.
Dated this 9th day of May, 2012, at Kansas City, Kansas.
___________________________
John W. Lungstrum
United States District Judge