Opinion
Civil Action No. 1:18cv1484 (LMB/JFA)
05-12-2020
FEDERATED IT, INC., Plaintiff, v. BARRENCE ANTHONY, et al., Defendants.
PROPOSED FINDINGS OF FACT AND RECOMMENDATIONS
This matter is before the court on plaintiff Federated IT, Inc.'s ("Federated IT" or "plaintiff") motion for default judgment against defendant Ashley Arrington. (Docket no. 41). Pursuant to 28 U.S.C. § 636(b)(1)(C), the undersigned magistrate judge is filing with the court his proposed findings of fact and recommendations, a copy of which will be provided to all interested parties.
Procedural Background
On December 4, 2018, plaintiff filed a complaint against defendants Barrence Anthony and Ashley Arrington. (Docket no. 1) ("Compl."). The complaint alleges ten counts: (1) violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 ("CFAA"); (2) violation of the Virginia Computer Crimes Act, Va. Code Ann. § 18.2-152.1 ("VCCA"); (3) misappropriation of a trade secret under the Defense of Trade Secrets Act, 18 U.S.C. § 1836 ("DTSA"); (4) misappropriation of a trade secret under the Virginia Uniform Trade Secrets Act, Va. Code Ann. §§59.1-336-59.1-343; (5) breach of fiduciary duty; (6) tortious interference with existing contract; (7) conversion; (8) breach of contract; (9) conspiracy; and (10) statutory business conspiracy. (Compl. ¶ 1). On the same day as the filing of the complaint, a summons was issued as to the defendants. (Docket no. 2). On February 28, 2019, plaintiff filed a return of service confirming that the summons and complaint were served on defendant Arrington on February 25, 2019. (Docket no. 3). In accordance with Federal Rule of Civil Procedure 12(a), defendant Arrington's responsive pleading was due on March 18, 2019, twenty-one (21) days after she was served with a copy of the summons and complaint. Defendant Anthony filed a motion to stay the case pending the resolution of criminal proceedings on March 15, 2019 which the court granted the same day. (Docket nos. 4, 6). On September 30, 2019, plaintiff filed a motion to lift the court's stay which the court granted the following day on October 1, 2019. (Docket nos. 7, 10). Subsequently, the court ordered that defendants were to file their responsive pleadings to the complaint no later than October 9, 2019. (Docket no. 11). Defendant Arrington filed an answer to the complaint on October 9, 2019. (Docket no. 13).
The court issued a Scheduling Order on October 16, 2019 setting a discovery due date of March 13, 2020. (Docket no. 14). On October 30, 2019, plaintiff filed a discovery plan with the court. (Docket no. 19). The undersigned held an initial pretrial conference on November 6, 2019 and defendant Arrington attended the conference pro se. (Docket no. 22). On the same day, this court entered a Rule 16(B) Scheduling Order approving plaintiff's discovery plan. (Docket no. 23). The court also ordered that this civil proceeding was stayed against defendant Anthony given his recent Chapter 7 bankruptcy filing. (Docket nos. 25, 26).
Plaintiff filed a motion to compel initial disclosures and discovery responses from defendant Arrington on November 26, 2019 with a memorandum in support and a notice of hearing for December 6, 2019. (Docket nos. 28-30). On December 6, 2019, the undersigned held the hearing and plaintiff's counsel appeared, but defendant Arrington did not. (Docket no. 31). The court granted plaintiff's motion to compel in part and ordered defendant Arrington to serve her initial disclosures, her responses to interrogatories, and responses to certain document requests by December 20, 2019. (Docket no. 32). A copy of that order was mailed to defendant Arrington on December 6, 2019 and she was explicitly warned that failure to comply with the order could subject her to the entry of default. (Id.).
When defendant Arrington failed to comply with the court's December 6, 2019 order, plaintiff requested an entry of default as to defendant Arrington on January 10, 2020 and noticed the request for a hearing on January 24, 2020. (Docket nos. 33, 34). Plaintiff's counsel appeared at the hearing on January 24, 2020, but defendant Arrington did not. (Docket no. 35). As defendant Arrington failed to comply with the court's order following the motion to compel, the undersigned granted plaintiff's request for entry of default. (Docket no. 36). The Clerk of Court entered default as to defendant Arrington later that day. (Docket no. 37).
On February 4, 2020, the District Judge ordered plaintiff to file a motion for default judgment, an accompanying memorandum in support, and a notice of hearing. (Docket no. 38). On March 16, 2020, plaintiff filed a motion for default judgment (Docket no. 41), a memorandum in support (Docket no. 42), a declaration of Matthew Bucholz (Docket no. 42-1, "Bucholz Decl."), a declaration of Peter Cohen (Docket no. 42-2, "Cohen Decl."), and a notice setting the motion for a hearing on April 10, 2020 (Docket no. 43). In accordance with Eastern District of Virginia General Order No. 2020-07, the hearing on plaintiff's pending motion for default judgment was continued to May 8, 2020. (Docket no. 44). On April 10, 2020, Eastern District of Virginia General Order No. 2020-12 was issued extending the time period for the suspension of all non-critical and non-emergency in-person proceedings through June 10, 2020. Accordingly, the undersigned cancelled the hearing scheduled for May 8, 2020 and instead ordered that any objections to plaintiff's motion for default judgment be filed with the court by May 8, 2020 at 5:00 p.m. (Docket no. 45). A copy of that order was mailed to defendant Arrington. (April 13, 2020 minute entry). No objection to the motion for default judgment has been filed and the time for doing so has expired.
Factual Background
The following facts are established by the complaint and plaintiff's memorandum in support of its motion for default judgment. (Docket no. 42). Plaintiff provides cyber security, information technology, and analytic and operations support services. (Compl. ¶ 14). From its Arlington office, plaintiff managed a contract with the U.S. Army Office of the Chief of Chaplains ("CCRSS contract") which required the creation and maintenance of enterprise cloud services to host servers to provide a Financial Management System for U.S. Army Chaplain Corps activities. (Id. ¶¶ 15-16). To accomplish this, plaintiff provided stewardship over a U.S. Army-owned domain name registration through GoDaddy.com. (Id. ¶ 15). Plaintiff developed a SharePoint application for financial management transactions; routed a Help Desk email through an unclassified site; established a cloud-based infrastructure through Amazon Web Services; created and maintained a test environment, backup solution, and back-end database for analytics and metrics; and introduced a secure mechanism for users to log in and access the services provided. (Id.).
Plaintiff employed defendant Arrington as a project manager for the CCRSS contract from October 5, 2015 to December 23, 2016. (Id. ¶ 18). Defendant Arrington was defendant Anthony's direct supervisor and at some point during her tenure and unbeknownst to plaintiff, she and defendant Anthony engaged in a romantic relationship. (Id. ¶ 19). Defendant Anthony, as part of his role as senior systems engineer, controlled an encrypted file which contained network architecture diagrams, all relevant system passwords, administrative support documents, and other documentation which was critical to the operation of the cloud-based enterprise. (Id. ¶¶ 17, 20).
Due to job abandonment, failure to show up for work, and insubordination, plaintiff decided to terminate defendant Anthony's employment in December 2016. (Id. ¶ 21). Between December 7 and December 8, 2016, defendant Anthony deactivated all other administrator accounts except his own and refused to provide his replacement with the password to the master password file. (Id. ¶¶ 23-24). He also changed the responsible party contact information and the listed account ownership profile information on plaintiff's Amazon Web Services administrative account to "Anthony Enterprises." (Id. ¶ 25). Further, he changed the Help Desk email address to redirect emails to his personal Gmail account. (Id. ¶ 26). On December 8, 2016, defendant Anthony utilized his corporate Office 365 account to delete nineteen files from the corporate SharePoint project folder that included production encryption keys, account information, and network diagram files. (Id. ¶ 31). The deletion of this information hindered plaintiff's ability to properly perform the routine operation and maintenance of the Financial Management System. (Id.). Defendant Anthony also downloaded at least two files relating to plaintiff's management of the CCRSS system project. (Id.). He erased the hard drive on his work laptop, something he was not authorized to do, and made unauthorized images of the Army's servers which contained the Financial Management System, changing the user permission on these files and sharing the images to his own personal account. (Id. ¶¶ 32, 36). From December 8 to December 12, 2016, defendant Anthony gained and maintained unauthorized access to the CCRSS web application resulting in loss of productivity for the enterprise. (Id. ¶¶ 44-45). It was also discovered that defendant Anthony had changed the ownership information for the registration of the domain name with the registrar GoDaddy.com. (Id. ¶ 47). From December 12 to at least December 22, 2016, defendant Anthony attempted thousands of "brute force cyberattacks" against the CCRSS web application system. (Id. ¶ 54). This necessitated a shutdown of one of the servers which resulted in a system outage for Help Desk emails from December 22, 2016 to January 5, 2017. (Id.).
Defendant Arrington resigned from plaintiff effective December 23, 2016. (Id. ¶ 55). Prior to her resignation, she had been included on all internal communications concerning defendant Anthony's actions. (Id. ¶ 56). When defendant Anthony's efforts were first discovered, Matthew Bucholz, president of plaintiff, enacted a litigation hold on all corporate email communications. (Id. ¶ 58). When reviewing defendant Arrington's emails following her resignation, he discovered that she had sent privileged information regarding plaintiff's investigation into defendant Anthony's actions to her personal Gmail account as well as "For Official Use Only" government documents. (Id. ¶ 59). These emails were sent after defendant Anthony's termination and while he was actively conducting cyberattacks against the CCRSS system. (Id.). The emails included domain name registration account information, log file and security log file information, and sensitive, controlled password and username information. (Id. ¶ 60). Defendant Arrington attempted to conceal the fact that she had sent these documents to herself by sending the information on three separate occasions, deleting the emails from her "sent" folder, and then deleting the emails from the "deleted" folder. (Id. ¶ 61). Plaintiff later recovered the emails in the purged folder that remained because of the litigation hold placed on all email accounts. (Id. ¶ 62). The information defendant Arrington sent to her personal email account would have allowed defendant Anthony to determine what evidence plaintiff was collecting about his activities and how successful his efforts had been to sabotage the Army services and therefore assist defendant Anthony in his efforts against plaintiff. (Id. ¶¶ 65, 66).
Proposed Findings and Recommendations
Rule 55 of the Federal Rules of Civil Procedure provides for the entry of a default judgment when "a party against whom a judgment for affirmative relief is sought has failed to plead or otherwise defend." Fed. R. Civ. P. 55(a). At the hearing on January 24, 2020, the undersigned found that defendant Arrington had failed to participate in discovery or otherwise defend against this action despite a warning that failure to do so could result in a finding of default and default judgment. (Docket no. 36). Based on the failure to plead or otherwise defend against this action, the court entered an order requesting that the Clerk of Court enter default as to defendant Arrington. (Id.). The Clerk of Court entered default the same day. (Docket no. 37).
A defendant in default admits the factual allegations in the complaint. See Fed. R. Civ. P. 8(b)(6) ("An allegation—other than one relating to the amount of damages—is admitted if a responsive pleading is required and the allegation is not denied."); see also GlobalSantaFe Corp. v. Gobalsantafe.com, 250 F. Supp. 2d 610, 612 n.3 (E.D. Va. 2003) ("Upon default, facts alleged in the complaint are deemed admitted and the appropriate inquiry is whether the facts as alleged state a claim."). Rule 55(b)(2) of the Federal Rules of Civil Procedure provides that a court may conduct a hearing to determine the amount of damages, establish the truth of any allegation by evidence or investigate any other matter.
Jurisdiction and Venue
A court must have both subject matter and personal jurisdiction over a defaulting party before it can render a default judgment. Plaintiff alleges that this matter is properly before this court pursuant to 28 U.S.C. § 1332 based on complete diversity of citizenship and an appropriate amount in controversy. (Compl. ¶¶ 3, 4, 6).
Plaintiff Federated IT is a Delaware corporation with its principal place of business in Virginia. (Compl. ¶ 2). Both defendant Anthony and defendant Arrington are citizens of Maryland. (Id. ¶¶ 3-4). The amount in controversy exceeds $75,000. (Id. ¶ 6). Given that these allegations are uncontested, this court has jurisdiction pursuant to 28 U.S.C. § 1332.
The court also has personal jurisdiction over defendant Arrington. Although she resides in Maryland, defendant Arrington principally worked at plaintiff's Arlington, Virginia office. (Compl. ¶¶ 4, 10). She also worked at plaintiff's office at the Pentagon. (Id. ¶ 4). Her conduct giving rise to plaintiff's claims occurred in Virginia. (Docket no. 42 at 17). Venue is proper in this court pursuant to 28 U.S.C. § 1391 because a substantial part of the events or omissions giving rise to plaintiff's claims against defendant Arrington occurred in the Eastern District of Virginia. (Compl. ¶¶ 7, 8, 11).
For these reasons, the undersigned magistrate judge recommends a finding that this court has subject matter jurisdiction over this action, that this court has personal jurisdiction over defendant Arrington, and that venue is proper in this court.
Service
Pursuant to Federal Rule of Civil Procedure 4(e)(2), an individual within a judicial district of the United States may be served by the delivery of a copy of the summons and complaint to the individual personally, or by leaving a copy of the summons and complaint at the individual's dwelling or usual place of abode with someone of suitable age and discretion who also resides there. On December 4, 2018, the Clerk of Court issued a summons for service on Ashely Arrington in Waldorf, Maryland 20601. (Docket no. 2). On February 28, 2019, an affidavit of service indicated Loqua Wade, a process server, personally served defendant Arrington at the Waldorf address on February 25, 2019. (Docket no. 3).
Plaintiff did respond to the complaint (Docket no. 13) and she attended the initial pretrial conference on November 6, 2019 (Docket no. 22). Based on the foregoing, the undersigned recommends a finding that defendant Arrington was properly served with the summons and complaint and she has notice of this action.
Grounds for Default Judgment
In accordance with Federal Rules of Civil Procedure 33(b)(2) and 34(b)(2)(A), on November 19, 2019 defendant Arrington was required to serve responses to plaintiff's first set of interrogatories and first set of requests for production of documents thirty (30) days after service of the discovery requests. Further, pursuant to the court's Rule 16(B) Scheduling Order, defendant Arrington was required to serve initial disclosures on November 21, 2019. (Docket no. 23, ¶ 3). Defendant Arrington failed to serve initial disclosures or responses to plaintiff's discovery requests. On November 26, 2019, plaintiff filed a motion to compel which the court granted in part. (Docket nos. 28, 32). The court ordered defendant Arrington to serve her initial disclosures and provide complete responses to plaintiff's interrogatories and specific requests for production of documents within fourteen (14) days of the order. (Docket no. 32). Defendant Arrington failed to do so. On January 10, 2020, plaintiff filed a request for entry of default against defendant Arrington pursuant to Federal Rule of Civil Procedure 55(a) and noticed the request for a hearing on January 24, 2020. (Docket nos. 33, 34). The certificate of service accompanying the filing of the request indicates that plaintiff's counsel sent a copy to defendant at her Waldorf address. (Docket no. 33 at 4, Docket no. 34 at 2). At the hearing, counsel for plaintiff appeared but defendant Arrington did not. (Docket no. 35). Following the hearing, the undersigned requested that the Clerk of Court enter a default against defendant Arrington. (Docket no. 36). The Clerk of Court entered a default against defendant Arrington later the same day. (Docket no. 37).
On March 16, 2020, plaintiff filed a motion for default judgment (Docket no. 41), a memorandum in support (Docket no. 42), a declaration of Matthew Bucholz (Docket no. 42-1), a declaration of Peter Cohen (Docket no. 42-2), and a notice setting the motion for a hearing on April 10, 2020 (Docket no. 43). The motion for default judgment was accompanied by the requisite Roseboro notice. (Docket no. 41 at 1-2). The certificates of service accompanying the motion, memorandum in support, and notice indicate that plaintiff's counsel sent a copy of the motion, memorandum, declarations, and notice of hearing to defendant Arrington at the Waldorf address. (Docket nos. 41-43). A copy of the order cancelling the hearing scheduled for May 8, 2020 and requiring that any objections to the entry of a default judgment be filed by May 8, 2020 at 5:00 p.m. was also mailed to defendant Arrington. (Docket no. 45). For the reasons stated above, the undersigned magistrate judge recommends a finding that the Clerk of Court properly entered a default as to defendant Arrington and that she has notice of these proceedings.
Liability
According to Federal Rule of Civil Procedure 54(c), a default judgment "must not differ in kind from, or exceed in amount, what is demanded in the pleadings." Given that a default has been entered, the factual allegations in the complaint are deemed admitted. See Fed. R. Civ. P. 8(b)(6). Here, plaintiff seeks the entry of a default judgment against defendant Arrington on Counts 1-2, 5-7, and 9-10 of the complaint. (Docket no. 42 at 3). Accordingly, only those counts are discussed below.
Violation of the Computer Fraud and Abuse Act (Count One)
Count One of plaintiff's complaint states that both defendants violated 18 U.S.C. § 1030(a)(2), (b) and (c) by intentionally accessing a computer owned by plaintiff, exceeding authorized access, and obtaining information from the U.S. Army, a department/agency of the United States. (Compl. ¶ 68). More specifically, plaintiff states that the defendants knowingly and with the intent to defraud accessed a "protected computer," knowingly caused "the transmission of a program, information, code, or command," and intentionally caused damage to plaintiff. (Id. ¶¶ 69-71). Further, plaintiff asserts that the defendants knowingly "trafficked," with the intent to defraud, passwords and other similar information, which affected interstate or foreign commerce. (Id. ¶¶ 72-73).
The Computer Fraud and Abuse Act is primarily a criminal statute designed to combat hacking. Estes Forwarding Worldwide LLC v. Cuellar, 239 F. Supp. 3d 918, 922 (E.D. Va. 2017) (citing A.V. ex rel Vanderhye v. iParadigms, LLC, 562 F.3d 630, 645 (4th Cir. 2009)). However, the statute provides that "[a]ny person who suffers damage or loss by reason of a violation of this section" has the ability to bring a civil suit "to obtain compensatory damages and injunctive relief or other equitable relief." Id. (quoting 18 U.S.C. § 1030(g)). To successfully state a claim under 18 U.S.C. § 1030(g) based on a violation of 18 U.S.C. § 1030(a)(2)(B), a plaintiff must allege that the defendant "(1) intentionally; (2) accessed a computer; (3) without authorization or exceeded its authorized access; and (4) obtained information from a department or agency of the United States; (5) which resulted in a loss to one or more persons during any one-year period aggregating at least $5,000 in value or damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security." Space Systems/Loral, LLC v. Orbital ATK, Inc., 306 F. Supp. 3d 845, 850 (E.D. Va. 2018). A claim based on a violation of 18 U.S.C. § 1030(a)(2)(C) tracks many of the same elements: a plaintiff must show that a defendant "(1) intentionally (2) accessed a computer (3) without authorization or in such a way that exceeded his authorized access, and (4) obtained information (5) from any 'protected computer,' (6) resulting in a loss to one or more persons during any one-year period aggregating at least $5,000 in value." Estes Forwarding Worldwide, LLC, 239 F. Supp. 3d at 922-23.
The statute defines the term "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6); see also WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012) ("[W]e adopt a narrow reading of the terms 'without authorization' and 'exceeds authorized access' and hold that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access."). As applicable to 18 U.S.C. § 1030(a)(2)(C), a "protected computer" is defined as one "exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government." 18 U.S.C. § 1030(e)(2)(A).
Here, there is no question that defendant Arrington intentionally accessed a computer owned and operated by plaintiff and obtained information and sent that information to her personal Gmail account, including twenty-eight megabytes of information, some of which was designated as "For Official Use Only." (Compl. ¶¶ 59-60, 70, 72). Plaintiff alleges that this information contained domain name registration account information, log file and security log file information for the server that acted as an access point for system administrators, and sensitive and controlled password and username information. (Compl. ¶ 60). However, the issue with this claim is that defendant Arrington, as the project manager for the CCRSS contract, appears to have had access to this information. There is no specific allegation in the complaint that defendant Arrington did not have authorization to access this information, only that she then misused certain information that she had accessed. Given that an essential element of a civil claim under this statute is accessing information "without authorization or exceeded its authorized access" and the narrow interpretation of this language by the courts, the undersigned recommends a finding that plaintiff has not established a claim for breach of the Computer Fraud and Abuses Act—specifically, 18 U.S.C. § 1030(a)(2)(B) and 18 U.S.C. § 1030(a)(2)(C)—against defendant Arrington.
Given the recommendations as to Counts 5, 7, 9, and 10, this recommendation has little bearing on plaintiff's ultimate recovery in this case.
Violation of the Virginia Computer Crimes Act (Count Two)
Plaintiff's second count asserts that both defendants violated the Virginia Computer Crimes Act when they temporarily or permanently disabled computer data, programs, or software from a computer network owned by plaintiff with malicious intent and made or caused to be made unauthorized copies of such data, programs, and software. (Compl. ¶¶ 76-79). To show a violation of the VCCA, "a plaintiff must demonstrate that the defendant (1) used a computer or computer network without authority (2) with the intent to obtain property or services by false pretenses, embezzle or commit larceny, or convert the property of another." Fred v. Torres, No. 1:08cv1153, 2009 WL 537563, at *7 (E.D. Va. Mar. 3, 2009); see also Va. Code § 18.2-152.3; Othentec Ltd. v. Phelan, 526 F.3d 135, 140 (4th Cir. 2008), Space Sys./Loral, LLC, 306 F. Supp. 3d at 855-56. Under the VCCA, a person acts "without authority" when "[s]he knows or reasonably should know that [s]he has no right, agreement, or permission or acts in a manner knowingly exceeding such right, agreement, or permission." Va. Code § 18.2-152.2.
Once again, while defendant Arrington accessed information of a highly sensitive and confidential nature found on plaintiff's computers and computer network there is no allegation that she did not have authorization or exceeded her authorized access in obtaining that information. (Compl. ¶¶ 59-60). She may have wrongfully used this information by sending it to her personal Gmail account and providing it to defendant Anthony after his termination, but there is no basis for a finding that she did not have authority to access that information. (Id. ¶ 59). Accordingly, the undersigned recommends a finding that plaintiff has not established a claim for violation of the VCCA against defendant Arrington.
Breach of Fiduciary Duty (Count Five)
Count five of plaintiff's complaint asserts defendant Arrington breached her fiduciary duties to plaintiff, including her duty of loyalty. (Compl. ¶¶ 97-98). Under Virginia law, the elements of a claim for breach of fiduciary duty are: "(1) the defendant owes a fiduciary duty, (2) the defendant breached that fiduciary duty, and (3) the breach of fiduciary duty resulted in damages." Plumbers and Steamfitters Union Local No. 10 v. Waters, No. 3:20cv003, 2020 WL 1644563, at *5 (E.D. Va. Apr. 2, 2020) (quoting Carstensen v. Chrisland Corp., 442 S.E.2d 660, 666 (Va. Cir. 1994)); NorthStar Aviation, LLC v. Alberto, 332 F. Supp. 3d 1007, 1016 (E.D. Va. 2018)). An agent is a fiduciary and owes her principal a "strict duty of loyalty." Bocek v. JGA Assocs., LLC, 537 F. App'x 169, 176 (4th Cir. 2013) (citing Restatement (Third) of Agency § 8.01). An agent breaches her fiduciary duty by using "confidential information belonging to the principal for the agent's own benefit." Id. (citing Restatement (Third) of Agency § 8.05(2)).
Defendant Arrington was a project manager of the CCRSS contract, defendant Anthony's supervisor, and a member of plaintiff's Incident Response Team. (Compl. ¶¶ 16, 19, 63). She owed plaintiff a fiduciary duty and breached that duty by sending herself twenty-eight megabytes of confidential information which belonged to plaintiff, inclusive of emails that described the status of the pending investigation into defendant Anthony's conduct. (Id. ¶ 59). Defendant Arrington then went to great lengths to conceal this breach, erasing the emails from both her "sent" and "deleted" folders. (Id. ¶ 61). As a result of defendant Arrington's breach of fiduciary duty, plaintiff was damaged: it was unable to quickly regain access to its systems because of defendant Anthony's continued sabotage and cyberattacks. (Id. ¶ 65). Accordingly, the undersigned recommends a finding that plaintiff has established a claim for breach of fiduciary duty against defendant Arrington.
Tortious Interference with Contract (Count Six)
Plaintiff's sixth count states that both defendants intentionally interfered with plaintiff's CCRSS contract with the aim of harming plaintiff's work on the contract. (Compl. ¶ 103). Specifically, plaintiff asserts that the defendants used several improper and unlawful means to interfere with the CCRSS contract, acting outside of the scope of their employment with plaintiff. (Id. ¶¶ 104-05). Plaintiff states that the defendants acted with evil motive, actual malice, with intent to injure, and in willful disregard of plaintiff's rights. (Id. ¶ 106).
For a successful claim in Virginia for tortious interference with a contract, a plaintiff must show "(1) the existence of a valid contract; (2) knowledge of the contract on the part of the interferor; (3) intentional interference inducing or causing a breach or termination of the contract; and (4) resultant damage to the party whose contract has been disrupted." Ford Motor Co. v. Nat'l Indem. Co., 972 F. Supp. 2d. 850, 856 (E.D. Va. 2013) (quoting Chaves v. Johnson, 230 Va. 112, 120 (Va. 1985)). "[T]he occurrence of . . . plaintiff's injury marks the last event necessary to establish liability." Id. (quoting Gen. Assurance of America, Inc. v. Overby-Seawell, 522 F. App'x 200, 206 (4th Cir. 2013)). Plaintiff and the U.S. Army Office of the Chief of Chaplains had a valid contract—the CCRSS contract—which defendant Arrington knew existed given her role as project manager. (Compl. ¶¶ 15, 18). Through defendant Arrington's actions, such as sending to her private Gmail account emails containing sensitive information and documentation to include the status of plaintiff's investigation into defendant Anthony's cyberattacks, she arguably interfered with plaintiff's CCRSS contract. (Compl. ¶¶ 59-60, 65). The problem with plaintiff's claim for tortious interference with contract has to do with the requirement "intentional interference inducing or causing a breach or termination of the contract." The actions of the defendants occurred in December 2016 and into January 2017. (Id. ¶ 54). The complaint was filed on December 4, 2018 (almost two years later) and it states that plaintiff "has a contract with the US Army Office of Chief of Chaplains" and that it "manages the CCRSS contract from its Arlington office." (Id. at ¶¶ 15, 16). There is no allegation in the complaint that the CCRSS was breached or terminated. The declaration of Matthew Bucholz dated March 16, 2020, states that at the end of a scheduled option-year period, the Army declined to award another option. (Bucholz Decl. ¶ 7). Mr. Bucholz states that the failure to exercise this option was due to the actions of defendants Anthony and Arrington. (Id.). Given that the complaint fails to allege any breach or termination of the contract and the extended period between the defendants' conduct and the Army's decision not to award a follow-on option (as opposed to terminating an existing contract), the plaintiff has failed to establish the element of a breach or termination of the contract that was caused by the defendants' actions. Accordingly, the undersigned magistrate judge recommends a finding that plaintiff has not established a claim for tortious interference with contract against defendant Arrington.
Conversion (Count Seven)
Count seven of plaintiff's complaint asserts a conversion claim against both defendants' wrongful control, dominion, and assumption of authority over plaintiff's CCRSS contract accounts, files, and applications. (Compl. ¶ 110). Plaintiff's complaint also states that defendants acted with malice, ill-will, and a conscious disregard for plaintiff's rights, as well as with an evil motive, actual malice, and an intent to injure. (Id. ¶¶ 111-12).
Under Virginia law, "[a] person is liable for conversion for the wrongful exercise or assumption of authority over another's goods, depriving the owner of their possession, or any act of dominion wrongfully exerted over property in denial of, or inconsistent with, the owner's rights." E.I. DuPont de Nemours & Kolon Industries, 688 F. Supp. 2d 443, 454 (E.D. Va. 2009) (quoting Simmons v. Miller, 261 Va. 561, 582 (2001)). Courts in this jurisdiction have recognized a more expansive definition of conversion in "cases where intangible property rights arise from or are merged with a document." Combined Ins. Co. v. Wiest, 578 F. Supp. 2d 822, 835 (W.D. Va. 2008) (citing United Leasing Corp. v. Thrift Ins. Corp., 247 Va. 299, 304 (1994)). This has included the removal of confidential information from an employer. See E.I. DuPont de Nemours, 688 F. Supp. 2d at 455 ("[G]iven the expansive definition of conversion employed in Virginia, . . . it appears that the purloining of copies of documents would constitute conversion because such action is an act of "dominion" inconsistent with the true owner's property rights."); see also Marsteller v. ECS Federal, Inc., No. 1:13cv593, 2013 WL 4781786, at *8 (E.D. Va. Sept. 5 2013) (denying dismissal of defendant's conversion claim against an employee who had taken and retained proprietary documents from her employer).
Defendant Arrington sent three separate emails to her personal Gmail account on December 15, 16, and 22, 2016 which contained privileged information regarding plaintiff's investigation into defendant Anthony's actions as well as "For Official Use Only" government documents. (Compl. ¶ 59). Those emails contained domain name registration account information, log file and security log file information for a server that acted as an access point for system administrators, and sensitive and controlled password and usemame information. (Id. ¶ 60). Defendant Arrington's wrongful control over this confidential, proprietary information and documentation of the plaintiff is inconsistent with plaintiff's right to that property. (Id. ¶ 110). Accordingly, the undersigned recommends a finding that plaintiff has established that defendant Arrington wrongfully converted plaintiff's property.
Civil Conspiracy (Count Nine)
Plaintiff's ninth count states a claim for civil conspiracy against both defendants. (Compl. ¶¶ 118-23). Specifically, plaintiff states that defendant Arrington and defendant Anthony entered into a conspiracy together to sabotage plaintiff's CCRSS contract by converting ownership of the Amazon Web Services account, redirecting the Help Desk email, converting the domain name registration, deleting project files, misappropriating trade secrets, interfering with a server, and initiating cyberattacks. (Id. ¶ 121). Such actions were beyond the scope of defendant Arrington's employment with plaintiff. (Id. ¶ 119). As alleged in the complaint, these actions were done with evil motive, actual malice, and with the intent to injure. (Id. ¶ 122).
For a common law civil conspiracy claim under Virginia law, a plaintiff must show "(i) an agreement between two or more persons (ii) to accomplish an unlawful purpose or to accomplish a lawful purpose by unlawful means, which (iii) results in damage to plaintiff." Firestone v. Wiley, 485 F. Supp. 2d 694, 703 (E.D. Va. 2007) (citing Glass v. Glass, 228 Va. 39, 47 (1984)). Further, under Virginia law, "a common law claim of civil conspiracy generally requires proof that the underlying tort was committed." Id. (quoting Almy v. Grisham, 639 S.E.2d 182, 189 (2007)). This is based on the premise that the "gist" of the civil action "is the damage caused by the acts committed in pursuance of the formed conspiracy and not the mere combination of two or more persons to accomplish an unlawful purpose or use unlawful means." Id. (quoting Almy, 639 S.E.2d at 190).
Defendant Arrington sent to her personal Gmail account several emails containing sensitive and controlled password and username information; log file and security log file information for the server that acted as an access point for system administrators; and domain name registration account information. (Compl. ¶ 60). Although she had no use for this information outside of her work duties, the information would be useful for defendant Anthony to continue his efforts to sabotage the computer system and to ascertain what evidence plaintiff had concerning his activities. (Id. ¶ 65). Defendant Arrington's efforts assisted defendant Anthony's efforts and resulted in the conversion of the Help Desk email and the domain name registration, the sabotage of an Army server which plaintiff manages, the misappropriation of trade secrets, the deletion of project files, and the initiation of cyberattacks against the CCRSS enterprise and Financial Management System. (Compl. ¶ 121). As a result of defendant Arrington's actions, plaintiff was damaged by having to undertake recovery efforts at substantial expense. (Bucholz Decl. ¶ 11). Accordingly, the undersigned recommends a finding that plaintiff has established a claim for civil conspiracy against defendant Arrington.
Statutory Conspiracy (Count Ten)
Count ten of plaintiff's complaint states a claim for statutory conspiracy against both defendants for acting in concert with the intent to willfully and maliciously injure plaintiff by improper means. (Compl. ¶ 126). Under Virginia law, statutory conspiracy is defined as "any two or more persons who combine, associate, agree, mutually undertake or conceit together for the purpose of . . . willfully and maliciously injuring another in his reputation, trade, business or profession by any means whatever." Va. Code Ann. § 18.2-499(A); see also Steele v. Goodman, 382 F. Supp. 3d 403, 422 (E.D. Va. 2019).
As noted above, defendant Arrington acted in concert with defendant Anthony by assisting in his efforts to sabotage plaintiff's CCRSS contract to include converting the Help Desk email and domain name registration, misappropriating trade secrets and deleting files, and initiating cyberattacks. (Compl. ¶ 121). Defendant Arrington also passed on privileged information concerning plaintiff's investigation into defendant Anthony. (Id. ¶ 59). Her actions, alongside defendant Anthony's, caused damage to plaintiff to include monetary costs and damage to its professional reputation. (Bucholz Decl. ¶¶ 9, 11). Accordingly, the undersigned recommends a finding that plaintiff has established a claim against defendant Arrington for statutory conspiracy.
Relief
For the counts specific to defendant Arrington, plaintiff's complaint seeks the following:
• Counts 1 and 2: money damages in the amount of $500,000.00; pre- and post-judgment interest;
• Counts 5, 6, 7, and 9: money damages in the amount of $500,000.00; pre- and post-judgment interest; punitive damages in an amount not to exceed Virginia's statutory maximum;
• Count 10: money damages in the amount of $500,000.00; pre- and post-judgment interest; punitive damages in an amount that does not exceed Virginia's statutory
maximum; treble damages; loss of profits; costs; and reasonable attorney's fees. (Compl. at 26-27).Plaintiff's motion for default judgment seeks money damages in the amount of $300,805.43: $216,657.93 in trebled compensatory damages + $50,000.00 in punitive damages + $34,147.50 in attorney's fees and costs. (Docket no. 42 at 28).
Compensatory Damages
In its motion for default judgment, plaintiff seeks an award of compensatory damages for certain sums it alleges were caused by defendant Arrington's misconduct. (Docket no. 42 at 29). In support of its request for compensatory damages, plaintiff submitted a declaration of Matthew Bucholz detailing the costs incurred by plaintiff that it believes were due to defendant Arrington's misconduct. (Bucholz Decl.). The total amount of compensatory damages plaintiff seeks from defendant Arrington is $72,219.31. (Id. ¶ 2). This includes plaintiff's prorated salary calculated for the time in which she allegedly abandoned her fiduciary duties—November 1, 2016 through December 22, 2016—at a total cost of $15,972.60 (53 days x $301.37 (salary per day)). (Id. ¶ 9). Further, plaintiff seeks damages for half of the cost of the follow-on work that was not awarded to plaintiff in the amount of $30,820.86 (1/2 of $61,641.73 (total revenue lost: $616,417.26/plaintiff's 10% average fee)). (Id. ¶ 10). Defendant Arrington's misconduct also caused plaintiff's Incident Response Team to incur costs which were not considered billable time or invoiced to the government. (Id. ¶ 11). These costs covered the period from December 8, 2016 through January 31, 2017 and the work of four personnel. (Id.)
As stated in the Bucholz declaration, defendant Arrington was informed of defendant Anthony's impending termination a full month before it occurred in early December 2016, thereby justifying a November 1, 2016 start date for the calculation of defendant Arrington's salary following the breach of her fiduciary duties. (Bucholz Decl. ¶ 4).
| Plaintiff'sPersonnel | Annual Salary | Hourly Rate | Hours | Amount |
|---|---|---|---|---|
| MatthewBucholz | $250,000.00 | $120.19 | 194 | $23,316.86 |
| Carlos Rivera | $200,000.00 | $96.15 | 105 | $10,095.75 |
| Alex Burkart | $208,000.00 | $100.00 | 23 | $2,300.00 |
| Ming Chan | $76,000.00 | $36.54 | 78 | $2,850.12 |
| TOTAL: $38,562.73 |
Treble Damages
In addition to compensatory damages, plaintiff seeks the trebling of damages according to Virginia's business conspiracy statute. (Docket no. 42 at 29). Plaintiff has asserted, and defendant Arrington has defaulted on, Count 10 of plaintiff's complaint which alleges statutory conspiracy pursuant to Va. Code Ann. § 18.2-499, et seq. As such, plaintiff asserts that it is entitled to a trebling of any compensatory damages award under that count. (Id.).
As noted above, statutory conspiracy is defined by Virginia law as "any two or more persons who combine, associate, agree, mutually undertake or concert together for the purpose of . . . willfully and maliciously injuring another in his reputation, trade, business or profession by any means whatever." Va. Code Ann. § 18.2-499(A). To recover treble damages in a civil action, "the plaintiff must prove the conspiracy by clear and convincing evidence." AvalonBay Communities, Inc. v. Willden, No. 1:08cv777, 2009 WL 2431571, at *8 (E.D. Va. Aug. 7, 2009) (citing Michigan Mut. Ins. Co. v. Smoot, 128 F. Supp. 2d 917, 924-25 (E.D. Va. 2000); William v. Dominion Tech. Partners, LLC, 265 Va. 280, 290 (2003)); see also BHR Recovery Communities, Inc. v. Top Seek, LLC, 355 F. Supp. 3d 416, 425 (E.D. Va. 2018) ("Like fraud, a plaintiff must plead business conspiracy with particularity."). A plaintiff is required to show proof of "legal malice"—"that the defendant acted intentionally, purposely, and without lawful justification." AvalonBay Communities, 2009 WL 2431571, at *8 (citing Commercial Bus. Sys., Inc. v. Bellsouth Services, Inc., 249 Va. 39 (1995)). Although the statute does not require a showing that a defendant's co-conspirator acted with legal malice, it does require that one of the parties "acting with legal malice, conspire[d] with another party to injure the plaintiff." BHR Recovery Communities, 355 F. Supp. 3d at 425 (quoting Multi-Channel TV Cable Co. v. Charlottesville Quality Cable Operating Co., 108 F. 3d 522, 527 (4th Cir. 1997)).
Plaintiff's complaint establishes that defendant Arrington conspired with defendant Anthony to injure plaintiff and its CCRSS contract. Defendant Arrington was defendant Anthony's supervisor and, unbeknownst to plaintiff, they were in a romantic relationship. (Compl. ¶ 19). Defendant Arrington was told of defendant Anthony's impending termination a full month before it occurred. (Bucholz Decl. ¶ 4). Prior to defendant Anthony's termination on December 8, 2016, he undertook steps to alter administrative passwords, he sabotaged numerous Federated accounts, deleted files, erased the hard drive on his work laptop, and changed the Help Desk email address to an email address he alone controlled. (Compl. ¶¶ 22-32). Following defendant Anthony's termination on December 8, 2016, defendant Arrington was included on internal communications regarding plaintiff's Incident Response Team that was tasked with restoring access to the Amazon Web Services and other issues related to defendant Anthony's misconduct. (Compl. ¶¶ 42, 56, 63). On December 15, 16, and 22, 2016, defendant Arrington sent twenty-eight megabytes of For Official Use Only government documents and other files containing sensitive information to her personal Gmail account. (Compl. ¶ 59). These documents included information concerning the on-going cyberattack by defendant Anthony and the corporate response efforts. (Compl. ¶ 61). Defendant Arrington took various steps to conceal the fact that she had sent those documents to herself. (Id.). Defendant Arrington resigned her position with plaintiff effective December 23, 2016. (Compl. ¶ 55). Given these undisputed facts, the undersigned recommends that the compensatory damages be trebled in accordance with the provisions in the Virginia business conspiracy statute providing for an award of $124,195.35 ($41,398.45 in compensatory damages x 3 = $124,195.35).
Punitive Damages
While plaintiff seeks an additional award of punitive damages of $50,000 against defendant Arrington, the recommended trebling of compensatory damages under the Virginia business conspiracy statute provides an adequate penalty in this case. Accordingly, the undersigned recommends that no additional punitive damages be awarded.
Attorney's Fees and Costs
Plaintiff seeks attorney's fees and costs against defendant Arrington for fees and expenses incurred in this action. (Docket no. 42 at 27). In support of this request, plaintiff submitted a declaration from Peter C. Cohen detailing the attorney's fees incurred in this action. (Cohen Decl.). The Cohen declaration details that 43.30 hours of attorney time (at a rate of $575 per hour) and 37 hours of paralegal time (at a rate of $250 per hour) were billed for this case for a total amount of $34,147.50. (Id. ¶¶ 2-3). The declaration states these fees were incurred from December 4, 2018 (when the complaint was filed) to the present. (Id. ¶ 2). The Cohen declaration adequately supports the request for the hourly rates of the attorney and paralegal and there has been no objection raised to those rates. However, the declaration fails to address the issue that this action was brought against two defendants and at least a portion of the fees associated with the preparation of the complaint, the lifting of the stay, and defendant Anthony's bankruptcy filing should not be charged to defendant Arrington. In addition, as discussed above, plaintiff's all-encompassing, ten-count complaint may be appropriate as to defendant Anthony, but plaintiff named defendant Arrington in all ten counts. Given the recommended lack of success on several of these counts and the decision not to pursue three counts in this motion for default judgment, a reduction of the fees is appropriate. Under the circumstances, it is recommended that a reduction of 10% for fees unrelated to defendant Arrington and an additional 10% reduction for lack of success be applied to the requested amount. This would result in an award of $27,318.00 for attorney's fees ($34,147.50 x 0.8 = $27,318.00).
Conclusion
For these reasons, the undersigned recommends that default judgment be entered in favor of plaintiff Federated IT, Inc. and against defendant Arrington in the total amount of $151,513.35 (($41,398.45 in compensatory damages x 3 = $124,195.35) + attorney's fees and costs of $27,318.00 = $151,513.35).
Notice
By means of the court's electronic filing system and by mailing a copy of this proposed findings of fact and recommendations to Ashley Arrington, 5407 Minnow Court, Waldorf, Maryland 20601, the parties are notified that objections to this proposed findings of fact and recommendations must be filed within fourteen (14) days of service of this proposed findings of fact and recommendations and a failure to file timely objections waives appellate review of the substance of the proposed findings of fact and recommendations and waives appellate review of any judgment or decision based on this proposed findings of fact and recommendations.
ENTERED this 12th day of May, 2020.
/s/_________
John F. Anderson
United States Magistrate Judge Alexandria, Virginia