Opinion
CASE NO. 19-81644-CIV-ALTMAN
2020-06-09
FLORIDA ATLANTIC UNIVERSITY BOARD OF TRUSTEES, Plaintiff, v. Neil PARSONT, et al., Defendants.
Amy S. Rubin, Fox Rothschild LLP, West Palm Beach, FL, Megan Anne McNamara, Fox Rothschild, LLP, West Palm beach, FL, for Plaintiff. Richard Dean Rivera, Smith, Gambrell and Russell, Jacksonville, FL, Holly B. Lance, Pro Hac Vice, James L. Bikoff, Pro Hac Vice, Smith, Gambrell & Russell, LLP, Washignton, DC, for Defendants.
Amy S. Rubin, Fox Rothschild LLP, West Palm Beach, FL, Megan Anne McNamara, Fox Rothschild, LLP, West Palm beach, FL, for Plaintiff.
Richard Dean Rivera, Smith, Gambrell and Russell, Jacksonville, FL, Holly B. Lance, Pro Hac Vice, James L. Bikoff, Pro Hac Vice, Smith, Gambrell & Russell, LLP, Washignton, DC, for Defendants.
Before the Hon. Roy K. Altman:
ORDER AND PRELIMINARY INJUNCTION
ROY K. ALTMAN, UNITED STATES DISTRICT JUDGE
While attending business school at Florida Atlantic University ("FAU" or the "University"), Neil Parsont started Owl Tutoring, which caters exclusively to FAU students. From its inception, however, Owl Tutoring used a logo and color scheme that, according to FAU, infringed the University's intellectual property. So, in 2019, FAU began investigating Owl Tutoring with an eye towards filing suit. During that investigation, FAU became aware of other, more serious problems with Parsont's business. Specifically, FAU learned that Parsont was collecting (and storing) its students’ login credentials—and that he was using those credentials to send marketing emails to University students and faculty.
In late 2019, FAU filed this lawsuit, in which—as relevant here—it alleges that Parsont accessed the University's email servers without authorization. Soon after the Complaint was filed—and to forestall FAU's plan to pursue a preliminary injunction—Parsont agreed, in a signed document, not to collect or store the login credentials of FAU's students. And, for a time, that agreement held. Unfortunately, in April of 2020, FAU learned that Owl Tutoring had used two of its students’ accounts to send mass-marketing emails to other FAU students and staff. Believing that Parsont had reneged on his previous agreement—and afraid that its computer systems were being accessed without its consent—FAU filed its motion for a preliminary injunction. This Order follows.
THE FACTS
The Plaintiff is FAU's Board of Trustees, the University's governing body. See Complaint [ECF No. 1] ¶ 10. The Defendants are Neil Parsont, a former FAU student, and his company, Owl Tutoring—the Florida corporation through which Parsont provides tutoring services to FAU students. See id. ¶¶ 12–14. Parsont started Owl Tutoring while he was a student in FAU's MBA program. See id. ¶¶ 49–54.
FAU filed this lawsuit in December of 2019. See generally Compl. In it, FAU pursues the following causes of action: (Count I) Federal Trademark Infringement; (Count II) Federal Trade Dress Infringement, False Designation of Origin, and Unfair Competition; (Count III) Common Law Trademark and Trade Dress Infringement; (Count IV) Tortious Interference with Business Relationships; (Count V) Violation of the Computer Fraud and Abuse Act (the "CFAA"); and (Count VI) Violation of the Florida Computer Abuse and Data Recovery Act (the "CADRA"). See id. at 22–29. As redress, FAU seeks a permanent injunction and monetary damages. See id. at 29–31.
The Complaint focuses on two separate aspects of the Defendants’ conduct. First , FAU claims that the Defendants have infringed its intellectual property by adopting a logo, mascot, and color scheme that mirrors its own trademarks. See id. ¶¶ 20–41. Second , FAU avers that the Defendants violated Florida and federal law by obtaining the login credentials of FAU students and then using those credentials to "gain unauthorized access to FAU's Computers and send mass marketing emails from the students’ email accounts." Id. ¶ 47; see also id. ¶¶ 42–48.
On April 20, 2020, FAU filed a Motion for Preliminary Injunction (the "Motion") [ECF No. 34]. In that Motion, FAU says that, after it caught the Defendants violating the CFAA and the CADRA in November of 2019, Parsont executed a declaration—in which he promised that his collection of FAU credentials "would immediately cease." Mot. at 2; see also Mot. Ex. 2 (the "Parsont Declaration") [ECF No. 34-2].
The Parsont Declaration is illuminating because it contains Parsont's own explanation of what happened. In it, for instance, he describes how the Owl Tutoring website had an "Invite Classmates" option, which—in exchange for a discount on tutoring services—asked students to supply Owl Tutoring with their FAU credentials. See id. ¶¶ 4–5. The Defendants would then use those credentials to log in to the students’ accounts and send marketing emails to other FAU students. See id. ¶¶ 6–8. Through the Declaration, Parsont promised to "remove[ ] the pop-up from Owl tutoring's website and disable[ ] the ‘Invite Classmates’ function on Owl Tutoring's ‘Study Feed’ platform." Id. ¶ 9. Parsont also agreed to turn over all the student credentials he had stored, see id. ¶ 10, and promised to cease collecting those credentials in the future, see id. ¶ 9. Satisfied with the terms of the Parsont Declaration, FAU agreed not to seek injunctive relief at that time.
But, in April of 2020, things changed. Specifically, on April 9, 2020, Parsont accessed two FAU students’ email accounts and, once in the FAU network, sent three mass-marketing emails to dozens of FAU students and staff. See Declaration of James Cooley [ECF No. 34-1] ¶¶ 23–37; Petition-Emails [ECF No. 51-3]; Composite Petition-Emails [ECF No. 51-4]; Change.org Petition [ECF No. 51-5]. Believing that these new emails violated both the terms of the Parsont Declaration and several provisions of federal and state law, FAU filed its Motion.
In their Response to the Motion [ECF No. 36], the Defendants allege that the April 2020 emails were sent, not by Parsont, but by the students themselves—by a sharing function accessible through Change.org. See id. at 2–3. In particular, the Defendants say, the students voluntarily sent the emails, while they were logged into their own FAU accounts on the Defendants’ computers, by completing a Change.org petition and forwarding the ensuing signature request to some of their friends. See id. In support, the Defendants have submitted affidavits from the two students —in which those students attest, under oath, to having sent, voluntarily and from their own accounts, the mass-marketing emails in question. See Affidavit of Margaux Williams [ECF No. 39]; Affidavit of Man Mui [ECF No. 40].
Although there are three emails, there are only two student accounts because two of the mass-marketing emails were sent from Margaux Williams’ email account.
But, at an evidentiary hearing on the Motion [ECF No. 52], the Defendants’ story quickly crumbled. Margaux Williams—one of the students—recanted the assertions she had made in her affidavit and explained that: (1) she did not send the Change.org petition herself; (2) Parsont had used her FAU login credentials to access her FAU email account and to send the petition to her contacts; (3) Parsont had stored her FAU login credentials on his Owl Tutoring computer; (4) Parsont would often access her FAU account outside of her presence, see, e.g. , April Text Messages [ECF No. 51-8]; and (5) Parsont had directed her to sign her affidavit (without edits) under the false pretense that doing so would "100% guarantee no one bothers [her] with other questions," see April 26, 2020 Email [ECF No. 51-9]. Towards the end of her testimony, Ms. Williams candidly expressed regret over her decision to sign her affidavit, explained that she had signed it because of Parsont's misrepresentation to her, and made clear that, if she had understood the import of her actions, she would not have signed it. Her testimony was clear, unwavering, and entirely corroborated by her emails with Parsont and her conversation with Dean Aubrey Pusey.
Dean Pusey submitted her own affidavit, in which she attested that, on April 16, 2020, Ms. Williams told her that Parsont had logged into her FAU email account and sent the Change.org petition to her friends. See Pusey Aff. [ECF No. 42] ¶¶ 4–6. Although Dean Pusey was at the hearing and prepared to testify, the Court decided not to hear from her after establishing that her testimony about this conversation (1) would simply reiterate what she had declared in her Affidavit, and (2) had already come into evidence through Ms. Williams. In any case, in adjudicating a motion for preliminary injunction, the Court may consider hearsay—so long as the Court finds that hearsay reliable. See, e.g. , Levi Strauss & Co. v. Sunrise Int'l Trading Inc. , 51 F.3d 982, 985 (11th Cir. 1995) ("At the preliminary injunction stage, a district court may rely on affidavits and hearsay materials which would not be admissible evidence for a permanent injunction, if the evidence is ‘appropriate given the character and objectives of the injunctive proceeding.’ " (quoting Asseo v. Pan Am. Grain Co. , 805 F.2d 23, 26 (1st Cir. 1986) )). And, because this portion of Dean Pusey's Affidavit was specifically corroborated by Ms. Williams’ testimony, the Court finds this aspect of the Affidavit reliable.
Parsont, for his part, conceded as much as he could of Ms. Williams’ testimony. He admitted, for example, that: (1) he and his attorneys had drafted the affidavit for Ms. Williams; (2) he had promised Ms. Williams that she would have no further obligations after she signed the affidavit; and (3) he had instructed Ms. Williams to leave the affidavit open on her computer for awhile, to make fake edits to it, and to delete those fake edits before signing the document and returning it to him—presumably to trick the IT specialists into believing that she (and not he) had composed it. Notably, Parsont also admitted to accessing (on several occasions) Ms. Mui's FAU account outside of her presence. In fact, Parsont admitted that, in a rather cynical attempt at deception, he (and not Ms. Mui) had composed the somewhat-garbled, English-as-a-second-language syntax that pervades the Mui Affidavit. Ms. Mui is Chinese, and Parsont conceded that he had (again, rather cynically) tried to make the affidavit sound as if it had come from her. Parsont did, however, stand firm on one point: Mesdames Williams and Mui—he insisted—completed the Change.org petition and emailed it to their contacts.
Although the Defendants had told the Court at a status conference that they would be calling Ms. Mui in their case-in-chief, they elected not to call her at the hearing—and, no less significant, chose not to introduce her affidavit into evidence.
Notably—and unlike Ms. Williams—Parsont's testimony was neither consistent nor particularly credible. The following recitation identifies, in no particular order, only the most poignant—and memorable—examples of Parsont's prevarications. He had a great deal of trouble, for example, remembering the contents of conversations he had with Ms. Williams and her father just a few days before. On the other hand, he was able to recall even the most minute details about the tutoring sessions at issue here—which occurred almost six weeks earlier. He told us, for instance, precisely when the students arrived and when they left, where they (and he) were sitting, what they discussed, and even the tilt and angle of the computer screens. No less probative, when asked about the terms of a policy he had admittedly signed several times before, he quibbled with opposing counsel about the meaning of the word "familiar." Moreover, despite operating a business that relies almost exclusively on the use of computers, he disclaimed any knowledge about even the most rudimentary internet security measures. At the same time, he was able to describe precisely how Change.org auto-populates its petitions—apparently, it does so by employing something called an "ATI"—and could recite from memory the kinds of hardware that commonly accompany most commercially-available Apple computers. And yet, when he was asked a simple question about the process of "mirror imaging" his hard-drive, he feigned complete ignorance. Parsont's testimony, in sum, was defensive, inauthentic, and ultimately unconvincing.
The Court has not lost sight of the obvious here: Parsont was keen to talk in detail about the ATI because it supported his theory that he had not actually "written" or "sent" the petition, whereas he feigned ignorance on the "mirror image" because he did not want to concede how unobtrusive that process would be—a reality that, as we shall see, undermines his lawyers’ position on the "balance of the hardships."
THE LAW
"A preliminary injunction is an extraordinary and drastic remedy not to be granted unless the movant clearly establishes the ‘burden of persuasion’ as to the four requisites." All Care Nursing Serv., Inc. v. Bethesda Mem'l Hosp., Inc. , 887 F.2d 1535, 1537 (11th Cir. 1989) (cleaned up). Those four familiar factors are: "(1) a substantial likelihood of success on the merits; (2) that irreparable injury will be suffered if the relief is not granted; (3) that the threatened injury outweighs the harm the relief would inflict on the non-movant; and (4) that entry of the relief would serve the public interest." Schiavo ex rel. Schindler v. Schiavo , 403 F.3d 1223, 1225–26 (11th Cir. 2005).
"A showing of irreparable injury is ‘the sine qua non of injunctive relief.’ " Siegel v. LePore , 234 F.3d 1163, 1176 (11th Cir. 2000) (cleaned up). And that showing of irreparable injury "must be neither remote nor speculative, but actual and imminent." Ne. Fla. Chapter of the Ass'n of Gen. Contractors v. City of Jacksonville , 896 F.2d 1283, 1285 (11th Cir. 1990) ; see also Chacon v. Granata , 515 F.2d 922, 925 (5th Cir. 1975) ("An injunction is appropriate only if the anticipated injury is imminent and irreparable.").
"[W]here facts are bitterly contested and credibility determinations must be made to decide whether injunctive relief should issue," district courts must hold an evidentiary hearing on the propriety of injunctive relief. McDonald's Corp. v. Robertson, 147 F.3d 1301, 1312 (11th Cir. 1998) (citing All Care Nursing Serv. , 887 F.2d at 1538 ) (further citation omitted). At that hearing, the Court sits as both factfinder and assessor of credibility. See Four Seasons Hotels and Resorts, B.V. v. Consorcio Barr, S.A. , 320 F.3d 1205, 1211 (11th Cir. 2003).
ANALYSIS
I. Substantial Likelihood of Success on the Merits
FAU's Motion alleges that the Defendants violated both the CFAA and the CADRA. See generally Mot. at 1–2. In a recent decision, this Court analyzed the contours of subsection (a)(2) of the CFAA as follows:
FAU also argues that the Defendants violated subsection (a)(4) of the CFAA. But, because FAU has shown a substantial likelihood of success under subsection (a)(2), the Court need not address this alternative position here.
The CFAA punishes anyone "[w]ho[ ] ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer[.]" 18 U.S.C. § 1030(a)(2) ; see also 18 U.S.C. § 1030(a)(4) ("Whoever ... knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value ... shall be punished[.]"). While the CFAA was designed as a criminal statute to punish computer hacking, see Trademotion, LLC v. Marketcliq, Inc. , 857 F. Supp. 2d 1285, 1289–90 (M.D. Fla. 2012), it does allow private civil actions in a narrow set of circumstances. See 18 U.S.C. § 1030(g).
A CFAA claim has four elements: (1) a defendant intentionally accessed a protected computer; (2) without authorization or exceeding authorized access; and the defendant (3) thereby obtained information; and (4) the plaintiff suffered damage or loss of at least $5,000.00. Hamilton Grp. Funding, Inc. v. Basel , 311 F. Supp. 3d 1307, 1313 (S.D. Fla. 2018) (citing 18 U.S.C. § 1030(g) ).
Hall v. Sargeant , 2020 WL 1536435, at *28 (S.D. Fla. Mar. 30, 2020). Similarly, under the CADRA:
A person who knowingly and with intent to cause harm or loss: (1) Obtains information from a protected computer without authorization and, as a result, causes harm or loss; (2) Causes the transmission of a program, code, or command to a protected computer without authorization and, as a result of the transmission, causes harm or loss; or (3) Traffics in any technological access barrier through which access to a protected computer may be obtained without authorization, is liable to the extent provided in s. 668.804 in a civil action to the owner, operator, or lessee of the protected computer, or the owner of information stored in the protected computer who uses the information in connection with the operation of a business.
Id. at *32 (citing FLA. STAT. § 668.803 ). Since both statutes have similar elements—and because both provide for injunctive relief, see 18 U.S.C. § 1030(g) ; FLA STAT. § 668.804(1)(c) —the Court will focus its inquiry on the CFAA. And FAU has shown that it is substantially likely to prevail on all four elements of that claim.
a. Parsont intentionally "accessed" FAU's "protected computer"
To prevail on its CFAA claim, FAU must first show that Parsont "accessed" its "protected computer." See 18 U.S.C. § 1030(a)(2). The CFAA defines a "computer" as:
an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device.
18 U.S.C. § 1030(e)(1). A "protected computer," by contrast, includes "a computer ... which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States." 18 U.S.C. § 1030(e)(2)(B).
At the evidentiary hearing, James Cooley—FAU's Chief Information Security Officer—testified that, when an email is sent from an FAU student account, that email is routed through an FAU server housed somewhere in the United States. FAU, Cooley continued, operates its email server as a virtual tenant—with Google managing the server's physical location. Cooley added that, when a person logs into an FAU email or Canvas account, that person necessarily "accesses" the FAU server. Finally, Cooley explained that the routing of FAU emails through its massive server network affects interstate commerce: students can, for example, log into their accounts from anywhere in the world. Cf. United States v. Hornaday , 392 F.3d 1306, 1311 (11th Cir. 2004) ("The internet is an instrumentality of interstate commerce."). The FAU email server thus qualifies as a "protected computer" under the CFAA.
Both Cooley and Parsont described Canvas as a class-management system, through which students can complete homework assignments and receive messages from their professors.
By not raising it, the Defendants have waived any argument that the FAU server is not "in or affecting" interstate or foreign commerce. See Hamilton v. Southland Christian Sch., Inc. , 680 F.3d 1316, 1319 (11th Cir. 2012) ("[T]he failure to make arguments and cite authorities in support of an issue waives it.").
Parsont, however, insists that he did not "intentionally access" the FAU server because the students voluntarily logged into their own email accounts and shared the Change.org petition with their friends. But Ms. Williams specifically testified that Parsont logged into her FAU account and sent the petition to her contacts. And Ms. Williams’ testimony on this central question was corroborated by other evidence. First , it was consistent with the emails she exchanged with Parsont, in which he: (1) instructed her to create a fake paper trail, as it were, that would make it appear as if she—rather than his lawyers—had composed the affidavit he later submitted to the Court; and (2) lied to her about the consequences of signing the affidavit. Second , and no less significant, Ms. Williams testified (and an affidavit from Dean Pusey confirms) that, before Parsont reached out to her, she had told Dean Pusey the truth—namely, that Parsont sent the Change.org petition from her email account.
And, while Parsont testified that Ms. Williams sent the petition from her own account, he has a powerful incentive to say so because to say otherwise is, in large measure, to concede the Motion. Either way, as the Court has already explained, Parsont's testimony came across as significantly less believable than Ms. Williams’. Indeed, unlike Ms. Williams, Parsont can point to no other evidence—not an email or an (un-doctored) affidavit—that might corroborate his side of the story.
But, even if the Court were to credit Parsont's telling, he still would have "intentionally accessed" FAU's computer system. As FAU points out, the CFAA does not limit its own reach to "personal" or "direct" access. To the contrary, it penalizes even indirect access to a "protected computer." See, e.g. , Teva Pharm. USA, Inc. v. Sandhu , 291 F. Supp. 3d 659, 671 (E.D. Pa. 2018) ("A person who did not directly access the computer may still be liable under the CFAA if he ‘directs, encourages, or induces’ someone else to access a computer that he himself is unauthorized to access.... One who is not authorized to access the information may gain access through one who has access authority, giving rise to liability for indirect access." (internal citations omitted)). And this makes sense. The statute never modifies the verb-phrase "intentionally accesses" with the adverb "directly"—nor would Congress have wanted to. After all, rather than enter a victim's network directly, a savvy hacker can wreak just as much damage—or more—by using a mole within the victim organization to enter the network undetected. Notably, Parsont does not dispute the self-evident proposition that, whoever typed in the key strokes, he directed the students to log into their email accounts and send the Change.org petition. That is all the statute requires.
FAU, in short, is very likely to show that Parsont—directly or indirectly—intentionally accessed its "protected computer" system.
b. Parsont lacked or exceeded authorized access
FAU says that Parsont either lacked or else exceeded his authorization when he accessed its students’ accounts. See Mot. at 9–12. The CFAA punishes any individual who "intentionally access[es] a computer without authorization or exceeds authorized access. " 18 U.S.C. § 1030(a)(2) (emphasis added). Although the CFAA does not define "without authorization," it makes clear that "exceeds authorized access" means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6) ; see also EarthCam, Inc. v. OxBlue Corp. , 703 F. App'x 803, 808 (11th Cir. 2017) ("[O]ne of the lessons from [our precedent] may be that a person exceeds authorized access if he or she uses the access in a way that contravenes any policy or term of use governing the computer in question."). FAU is substantially likely to show that Parsont either lacked or "exceed[ed] authorized access."
In support of its argument, FAU points to its policies and procedures, which unambiguously restrict who may access its email and Canvas accounts. So, for example, FAU's "Acceptable Use of Technology Resources" Policy provides that "University technology resources may not be used for personal financial gain unless approved by the President or Provost.... Email blasts for personal purposes are not permitted." Acceptable Use of Technology Resources Policy (Effective Date: 5-31-11) [ECF No. 51-1] at 1–2. This policy makes clear that "[u]sers shall not access resources, files, and networks to which they were not granted access, or in excess of their approved access," and that those users "are not permitted to share their FAU Net ID password with any other person." Id. Similarly, the "Responsible Use of Data Access" Policy prohibits students from "[p]ermit[ting] any other person to use accounts granted to them" and—perhaps more importantly—precludes an individual from "[c]aus[ing], encourag[ing,] or assist[ing] another person in violating these restrictions." Responsible Use of Data Access Policy (Effective Date: 5-31-11) [ECF No. 51-2] at 2. Because, even by his own telling, Parsont violated these policies—by "encouraging" students to send an "Email blast for personal purposes"—FAU says that Parsont both (1) accessed its computers without authorization and (2) exceeded any authorization he might have had.
The Defendants respond as follows:
The problem with this argument is that Defendants are not bound to FAU's IT policies. Defendants are not students nor employees of Plaintiff. Plaintiff's issue therefore lies with its own students, not Defendants. While Plaintiff suggests in its Complaint – although not in the present Motion – that Defendants somehow "tricked" FAU's students into providing them their credentials, Plaintiff has not put forth any supporting evidence for this assertion.
Resp. at 10.
Unfortunately for the Defendants, FAU has provided enough evidence for the Court to conclude that it is substantially likely to show that, when he sent the emails in question, Parsont knew all about FAU's user-access policies. Specifically, FAU has introduced Parsont's FAU disciplinary records, which indicate that, while at FAU, Parsont was (repeatedly) caught violating the very policies at issue here. See Composite Parsont Disciplinary Records (the "Disciplinary Records") [ECF No. 51-10] at 4. In some cases, Parsont even admitted to the violations and accepted responsibility for his actions. See id. at 4–7.
At the hearing, the Court reserved ruling on the admissibility of these records. Having reviewed the records again, the Court now OVERRULES the Defendants’ objection to these exhibits and ADMITS them into evidence. The disciplinary records are extremely probative on the central issue in dispute: Parsont's knowledge of FAU's internet-user policies. And they are not unduly prejudicial because the Court is admitting them only to show Parsont's knowledge—and for no other purpose. Either way, at a preliminary injunction hearing, the Court may admit otherwise-inadmissible evidence if the Court finds that evidence reliable. See, e.g. , Levi Strauss , 51 F.3d at 985 ("At the preliminary injunction stage, a district court may rely on affidavits and hearsay materials which would not be admissible evidence for a permanent injunction, if the evidence is ‘appropriate given the character and objectives of the injunctive proceeding.’ " (quoting Asseo , 805 F.2d at 26 )); see also Sierra Club v. Fed. Deposit Ins. Corp. , 992 F.2d 545 (5th Cir. 1993) (stating that "at the preliminary injunction stage, the procedures in the district court are less formal, and the district court may rely on otherwise inadmissible evidence, including hearsay evidence."). The Defendants do not contest the authenticity of these records—and, having reviewed them, the Court finds them unquestionably reliable in the circumstances presented here.
At the hearing on this Motion, Parsont admitted to signing some of these records. Those records Parsont himself signed are therefore not hearsay. See Fed. R. Evid. 801(d)(2)(B). And, because the rest of the records are being introduced, not for the truth of the disciplinary violations alleged there, but only to show that Parsont was aware of FAU's policies, they are not hearsay in any event.
This evidence that Parsont knew about FAU's policies is sufficient to show that he lacked (or exceeded) "authorization" under the CFAA. See, e.g. , EarthCam , 703 F. App'x 803. In EarthCam , the Eleventh Circuit was faced with an analogous factual situation, in which a plaintiff brought a civil CFAA claim premised on the defendant's alleged violations of the terms of the plaintiff's End User Licensing Agreement ("EULA"). See id. at 806–10. As here, the case turned on the defendant's knowledge of the terms of that EULA. But, because the plaintiff adduced no evidence that the defendant had "knowledge of the EULA's terms," the court concluded that the plaintiff's argument—that the defendant lacked authorization because it violated those terms—improperly "hinge[d] on layers of inference ... too attenuated to create a jury question on knowledge." Id. at 809–10. The Eleventh Circuit thus affirmed the district court's grant of summary judgment for the defendant. Id. at 810.
In reaching this conclusion, however, the EarthCam Court was careful to distinguish the facts of State Analysis, Inc. v. Am. Fin. Servs. Assoc. , 621 F. Supp. 2d 309, 316 (E.D. Va. 2009). In that case, as the Eleventh Circuit explained, the district court properly allowed the plaintiff's CFAA claim to proceed because the plaintiff had shown that the "defendant unquestionably knew [the terms of the licensing agreement] because it had once been a client of the licensor's and subject to the same licensing agreement." EarthCam, Inc. , 703 F. App'x at 808. The State Analysis Defendant's knowledge of the EULA's terms, the Eleventh Circuit said, was "surefire evidence" that it had lacked "authorization." Id. at 808–09. In other words, by showing that Parsont has, on several prior occasions, admitted to violating the very same policies at issue here, FAU has submitted precisely the kind of "surefire evidence" that the Eleventh Circuit has suggested would be sufficient to sustain a claim of unauthorized access.
But, even if Parsont did not have specific knowledge about the contours of FAU's internet-access policies, Cooley testified at the hearing that, during his investigation, he discovered that Parsont was still using his own University email address. Parsont did not deny this allegation—nor could he. FAU has provided the Court with evidence that Parsont was logged into his FAU account as recently as January 30, 2020. See FAU Account Login History [ECF No. 51-6] (showing "nparsont@fau.edu" logged in on January 30, 2020 at 4:09 p.m.). As Cooley explained (in testimony that went entirely unrebutted), before obtaining his own FAU email account, Parsont had to agree to abide by each of the policies at issue here. By operating his own FAU email account, in other words, Parsont has eviscerated his lawyers’ argument that he is not bound by those policies.
On these facts, then, FAU has carried its burden of showing that Parsont acted without authorization—or, at the very least, that he exceeded any authorization he was given—in accessing the student email accounts. FAU, in other words, is substantially likely to prove that Parsont knew about FAU's policies and procedures—which bound both his and the students’ actions—and that he violated those policies when he sent the Change.org petition.
c. Parsont obtained information
FAU is also substantially likely to show that Parsont "obtained information" during his unauthorized excursions into its computer systems. Specifically, Parsont "obtained" the FAU class lists and email addresses to which he then sent his mass-marketing emails. See Mot. at 11 ("In addition to obtaining FAU class lists, contact information for students and faculty members, and the ability to send mass communications to the students’ contracts using their accounts and FAU systems, Defendants also obtain access to the private and personal academic information of FAU's students."); Petition-Emails [ECF No. 51-3]; Composite Petition-Emails [ECF No. 51-4]; Change.org Petition [ECF No. 51-5]; FAU Account Login History [ECF No. 51-6]; Mui Login History [ECF No. 51-7].
The Defendants do not seriously dispute this proposition. In fact, by failing to challenge this prong of FAU's argument in their Response, the Defendants have waived any opposition. Cf. Hamilton , 680 F.3d at 1319 ("[T]he failure to make arguments and cite authorities in support of an issue waives it."); In re Egidi , 571 F.3d 1156, 1163 (11th Cir. 2009) ("Arguments not properly presented in a party's initial brief or raised for the first time in the reply brief are deemed waived."); Case v. Eslinger , 555 F.3d 1317, 1329 (11th Cir. 2009) ("A party cannot readily complain about the entry of a summary judgment order that did not consider an argument they chose not to develop for the district court at the time of the summary judgment motions.").
Either way, any argument that Parsont obtained nothing from his unauthorized access would (very likely) have failed. Parsont, after all, operates a tutoring business. Through his students’ email accounts, he obtained the email addresses of other students—together with their class rosters. And he took full advantage of that information by sending his Change.org petitions to those email addresses—email addresses that, it goes without saying, he could not have obtained without his unauthorized access.
d. FAU suffered a loss
FAU says that its investigation into the Defendants’ mass-mailings caused it to suffer a "loss" of more than $5,000. See Mot. at 11–12 ("As a result of Defendants’ violations of the CFAA, FAU has or will incur losses aggregating at least $5,000 in value during a one-year period, including in personnel resources, internally investigating the unlawful accessing of its Computers, and remedial efforts." (citing Facebook, Inc. v. Power Ventures, Inc. , 844 F.3d 1058, 1066 (9th Cir. 2016) )). During his testimony, Cooley confirmed that, as of the day of the hearing, his investigation had already cost more than $5,000 in employee time.
The Defendants do not contest this assertion. They did not oppose the point in their Response, and they presented no evidence against it at the hearing. Again, they have thus waived any opposition. Cf. Hamilton , 680 F.3d at 1319 ("[T]he failure to make arguments and cite authorities in support of an issue waives it."); In re Egidi , 571 F.3d at 1163 ("Arguments not properly presented in a party's initial brief or raised for the first time in the reply brief are deemed waived."); Eslinger , 555 F.3d at 1329 ("A party cannot readily complain about the entry of a summary judgment order that did not consider an argument they chose not to develop for the district court ....").
Nevertheless, and in the interest of fairness, the Court will assess whether FAU's expenses qualify as losses under the statute. The CFAA defines "loss" as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." 18 U.S.C. § 1030(e)(11). As the plain language of this section makes clear—and as the Eleventh Circuit has confirmed—the statute identifies two separate types of loss:
(1) reasonable costs incurred in connection with such activities as responding to a violation, assessing the damage done, and restoring the affected data, program system, or information to its condition prior to the violation; and (2) any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. The statute is written in the disjunctive, making the first type of loss independent of an interruption of service.... "Loss" includes the direct costs of responding to the violation in the first portion of the definition, and consequential damages resulting from interruption of service in the second.
Brown Jordan Int'l, Inc. v. Carmicle , 846 F.3d 1167, 1174 (11th Cir. 2017). In so holding, the court rejected a narrower interpretation of the statute that would require that "any loss under the CFAA be the result of an interruption of service." Id. A CFAA plaintiff, in other words, "may allege losses related to costs incurred in responding to the violation, assessing its damage, and restoring data and systems to their condition prior to the alleged violation, without having suffered an interruption of services." Id. ; accord Global Physics Solutions, Inc. v. Benjamin , 2017 WL 6948721, at *3 (S.D. Fla. June 26, 2017) ("loss" included the direct costs of responding to the violation, as well as consequential damages flowing from an interruption of services); TEC Serv, LLC v. Crabb , 2013 WL 12177342, at *3 (S.D. Fla. Jan. 14, 2013) (recognizing two ways for a CFAA plaintiff to show "loss": (1) lost revenues and costs as a result of interruption of service, and (2) costs incurred in responding to a CFAA violation).
Under this framework, FAU's expenses qualify as losses under the CFAA. While FAU has identified no "interruption in service," it has alleged "losses related to costs incurred in responding to the violation, assessing its damage, and restoring data." And, at the hearing, FAU submitted unrebutted testimony for the proposition that those losses have already exceeded $5,000. See Facebook , 844 F.3d at 1066 ("It is undisputed that Facebook employees spent many hours, totaling more than $5,000 in costs, analyzing, investigating, and responding to Power's actions. Accordingly, Facebook suffered a loss under the CFAA.").
***
FAU has thus shown a substantial likelihood of success on its CFAA claim. It has established that Neil Parsont, in his capacity as the owner-operator of Owl Tutoring, (1) logged into an FAU computer server through a student account, (2) in violation of FAU's policies, and (3) thereby obtained information, (4) which caused FAU more than $5,000 to investigate. II. Irreparable Injury
FAU says that it will suffer "irreparable injury" if the Defendants’ conduct continues. It asserts, for example, that the Defendants' "illegal conduct has compromised, and continues to compromise, the security of FAU's Computers and student and University information," and that it causes "harm not only [to] FAU, but [ ] also [to] FAU students and their interest in maintaining the privacy of their personal and sensitive information." Mot. at 15. "Moreover," FAU continues, "federal law [requires FAU] to protect the privacy of its students’ education records"—an obligation, FAU insists, it cannot properly fulfill without an injunction. Id. (citing 20 U.S.C. § 1232g ).
The Defendants counter that "[t]here is no irreparable harm and no injunction is necessary because Defendants did not engage in the behavior that they are being accused of." Resp. at 12. In saying so, the Defendants appear to conflate the likelihood-of-success inquiry with the irreparable-injury analysis. But these two prongs ask different questions and require separate proof. Whereas the former tests whether the Plaintiff is likely to prevail on its claim—and, thus, whether the Defendants "engage[d] in the behavior that they are being accused of"—the latter asks whether, if an injunction does not issue, the Plaintiff will suffer an un-compensable injury. As the Supreme Court has explained,
The key word in this consideration is irreparable. Mere injuries, however substantial, in terms of money, time and energy necessarily expended in the absence of [an injunction], are not enough. The possibility that adequate compensatory or other corrective relief will be available at a later date, in the ordinary course of litigation, weighs heavily against a claim of irreparable harm.
Sampson v. Murray , 415 U.S. 61, 90, 94 S.Ct. 937, 39 L.Ed.2d 166 (1974) (cleaned up). It is for this reason that, when deciding whether an injunction should issue—scilicet, whether equitable , rather than legal , relief should be granted—the Eleventh Circuit has referred to the irreparable-injury inquest as "the sine qua non of injunctive relief." Siegel , 234 F.3d at 1176 (cleaned up).
If the Defendants continue to use student credentials to send mass-marketing emails to unwitting and unwilling FAU recipients, the University will "be irreparably harmed because [the Defendants’] actions, if allowed to persist, will continue to cause [FAU] to suffer harm by impairing the integrity of [FAU's] proprietary computer system." TracFone Wireless, Inc. v. Adams , 98 F. Supp. 3d 1243, 1256 (S.D. Fla. 2015) ; accord Facebook, Inc. v. Power Ventures, Inc. , 252 F. Supp. 3d 765, 782 (N.D. Cal. 2017), aff'd , 749 F. App'x 557 (9th Cir. 2019) (finding that, "in accessing [the Plaintiff's] computers without authorization, Defendants have interfered with [the Plaintiff's] right to control access to its own computers and have acquired data to which Defendants have no lawful right in violation of the CFAA and § 502," thus causing irreparable injury).
Unsurprisingly, federal courts around the country agree that the interference with an entity's control of its computer systems constitutes irreparable injury. See, e.g. , Adams , 98 F. Supp. 3d at 1256 ; Facebook , 252 F. Supp. 3d at 782 ; Reliable Prop. Servs., LLC v. Capital Growth Partners, LLC , 1 F. Supp. 3d 961, 965 (D. Minn. 2014) (finding "substantial threat of irreparable harm" based on the public dissemination of information after the defendant "unlawfully took volumes of detailed data" in violation of the CFAA); Enargy Power Co. v. Xiaolong Wang , 2013 WL 6234625, at *10 (D. Mass. Dec. 3, 2013) ("[P]revent[ing] Enargy from enjoying the uninterrupted use of its property ... constitutes irreparable harm. Furthermore, Plaintiffs’ inability to make use of the PH Project files has hampered Enargy ...." (cleaned up)).
Against this backdrop, and on the facts presented, the Court concludes that FAU has satisfied its burden of showing irreparable injury. Were the Court to permit the Defendants to continue accessing FAU's servers, FAU could never be certain that it was adequately protecting its students’ proprietary information. And, as FAU notes, its failure to protect that information could expose the University to liability. Moreover, because both Ms. Williams and Parsont testified that, even now, the Defendants maintain student login credentials on Owl Tutoring's computers, any injunction must require the Defendants to turn over the credentials they have already stored.
III. Balance of Hardships
Before issuing an injunction, the Court must balance the relative hardship to each side. But the Court need not consider the "hardship" to a defendant whose conduct is "unlawful." See, e.g. , Adams , 98 F. Supp. 3d at 1256 ("Adams has no legitimate interest in [violating the CFAA]. Adams has never been a TracFone employee, authorized to access TracFone's protected and proprietary systems, or permitted to sell TracFone products. Simply put, Adams has absolutely no interest whatsoever in continuing his conduct."); MediaOne of Delaware, Inc. v. E & A Beepers & Cellulars, 43 F. Supp. 2d 1348, 1354 (S.D. Fla. 1998) (a defendant suffers no hardship when an injunction "will merely enjoin [the defendant] from conducting a business which is already prohibited by state and federal law"); accord YourNetDating, Inc. v. Mitchell , 88 F. Supp. 2d 870, 872 (N.D. Ill. 2000) (the defendants "will suffer no legitimate harm of which they can complain if the [injunctive relief] is granted because they have no honest business hacking [the plaintiff's] system and diverting its customers to [their business]").
Here, the balance weighs decidedly in FAU's favor. On the one hand, if an injunction does not issue, FAU will face "significant harm to the security of its systems and data, theft of its secured, proprietary, and/or confidential information and systems, and privacy dangers to its students." Mot. at 16. On the other, an injunction would interfere only with the Defendants’ unlawful access of FAU's computer servers—without any concomitant interruption of the Defendants’ legitimate business.
The Defendants counter that "[o]rdering Defendants to immediately turn over their computers and any hard drives used by Defendants for a forensic examination, inspection and mirror image" would destroy their business. Resp. at 13 (quoting Mot. at 19). But the Defendants do not explain why this is so. After all, the students could easily bring their own laptops to the tutoring sessions and then log into their own Canvas accounts without giving their credentials to Parsont. And, to the extent that the Defendants want to view the Canvas screens simultaneously from their own computers, Parsont conceded at the evidentiary hearing that the students could always "share" their screens—through Zoom, Google, or any number of other widely-available platforms—with the Defendants.
On the other hand, the Court agrees that the Defendants should not have to "turn over" their computers and hard drives for indefinite inspection. After all, not every use of the Defendants’ computers violates the CFAA. Ordering the Defendants to do without their devices would thus divorce the injunction from the conduct it is meant to redress.
The "grant or denial of a preliminary injunction is within the sound discretion of the district court." Palmer v. Braun , 287 F.3d 1325, 1329 (11th Cir. 2002). And this discretion extends to the crafting of an appropriate injunction—even when that injunction is more limited than the relief the plaintiff has sought. See Hecht Co. v. Bowles , 321 U.S. 321, 329–30, 64 S.Ct. 587, 88 L.Ed. 754 (1944) ("The essence of equity jurisdiction has been the power of the Chancellor to do equity and to mould each decree to the necessities of the particular case. Flexibility rather than rigidity has distinguished it."); United States v. Cruz , 611 F.3d 880, 887 (11th Cir. 2010) (affirming district court's use of "traditional" equitable factors in issuing injunction that was more limited in scope than the one requested).
With these principles in mind, the Court agrees with the Defendants that ordering the immediate surrender of their computer devices would needlessly undermine their ability to conduct their business and would skew the balance of hardships in their favor. Rather than order them to surrender their devices, then, the Court will instruct the parties to arrange a time—within thirty days of this Order—for the Plaintiff to "mirror image" the Defendants’ devices without removing those devices from the Defendants’ office. This relief appropriately balances the Defendants’ right to operate their business with the Plaintiff's right to prevent future system intrusions.
The Court does not here decide which specific devices should be mirror imaged. The parties should resolve this question on their own. If they cannot, they should raise the issue promptly with the magistrate judge.
IV. The Public Interest
The final—or public interest—factor weighs heavily in FAU's favor. The CFAA is a criminal statute. And, it goes without saying, "the public interest is advanced by enforcing faithful compliance with the laws of the United States and the State of Florida." Adams , 98 F. Supp. 3d at 1256. Since the injunction does nothing more than prevent conduct that Congress has already deemed criminal, it necessarily advances the public interest.
The injunction also implicates the privacy rights and interests of FAU's students—nonparties to this action. In "exercising their sound discretion, courts of equity should pay particular regard for the public consequences in employing the extraordinary remedy of injunction." Weinberger v. Romero-Barcelo , 456 U.S. 305, 312, 102 S.Ct. 1798, 72 L.Ed.2d 91 (1982) (citing Railroad Comm'n. v. Pullman Co. , 312 U.S. 496, 500, 61 S.Ct. 643, 85 L.Ed. 971 (1941) ); see also M. Devon Moore, THE PRELIMINARY INJUNCTION STANDARD : UNDERSTANDING THE PUBLIC INTEREST FACTOR , 117 MICH. L. REV. 939, 954 (2019) ("[W]hen a nonparty—especially many nonparty individuals—will be affected by the preliminary injunction, the public interest factor is more likely to be determinative."); accord Bernhardt v. Los Angeles Cty. , 339 F.3d 920, 931–32 (9th Cir. 2003) ("The public interest inquiry primarily addresses impact on non-parties rather than parties. It embodies the Supreme Court's direction that in exercising their sound discretion, courts of equity should pay particular regard for the public consequences in employing the extraordinary remedy of injunction." (citation omitted)).
Because, in sum, this injunction enforces the laws of the United States and safeguards the rights and interests of nonparties, FAU has established that the injunction is in the "public interest."
V. Bond
FAU urges the Court not to impose a bond because the "Defendants will not sustain any damages by virtue of the Temporary Restraining Order and Preliminary Injunction enjoining them from engaging in unlawful conduct." Mot. at 17. The Defendants failed to respond to this argument—which, normally, would result in a waiver of any opposition.
But Federal Rule of Civil Procedure 65(c) makes clear that the "court may issue a preliminary injunction or a temporary restraining order only if the movant gives security in an amount that the court considers proper to pay the costs and damages sustained by any party found to have been wrongfully enjoined or restrained." FED. R. CIV. P. 65(c) (emphasis added). And FAU has identified no case in which the Eleventh Circuit has authorized district courts to ignore this bond requirement.
Instead, FAU cites Popular Bank of Fla. v. Banco Popular de P.R. , 180 F.R.D. 461, 465 (S.D. Fla. 1998), where the district court asked whether the posting of a bond is a "jurisdictional prerequisite" to the issuance of a preliminary injunction. Ultimately—citing Carillon Importers, Ltd. v. Frank Pesce Int'l Grp. Ltd. , 112 F.3d 1125, 1126 (11th Cir. 1997) —the court concluded that a bond was not a jurisdictional prerequisite and held that the bond could be posted after the injunction issued. See Popular Bank , 180 F.R.D. at 464–65. But the court never suggested that the plaintiff could get away with the posting of no bond.
Given the lack of binding precedent, the Court turns first—as always—to the language of the Rule itself. "[I]f the language at issue has a plain and unambiguous meaning, then that meaning controls, and the inquiry ends." United States v. Nelson , 334 F. App'x 209, 211 (11th Cir. 2009) ; cf. A. Scalia & B. Garner, READING LAW : THE INTERPRETATION OF LEGAL TEXTS 69 (2012) ("The ordinary-meaning rule is the most fundamental semantic rule of interpretation."). Rule 65 is pellucid that an injunction may issue " only if " a bond is posted. And the Court will not disregard that unambiguous directive—even though the Defendants have admittedly failed to contest it. See, e.g. , Black Warrior Riverkeeper, Inc. v. U.S. Army Corps of Eng'rs , 297 F.R.D. 633, 636 (N.D. Ala. 2014) ("There is not a hint of a suggestion in the language of Rule 65(c) that a bond can be set at a nominal amount or that the bond can be waived entirely ....").
The Court must therefore fashion an appropriate bond. Cf. Carillon Importers , 112 F.3d at 1127 ("The amount of an injunction bond is within the sound discretion of the district court."). That bond must be sufficient "to pay the costs and damages sustained by any party found to have been wrongfully enjoined or restrained." FED. R. CIV. P. 65(c). As FAU points out, however, much of the injunction is directed at preventing the Defendants from continuing to violate the law. And, given that the Defendants cannot—as a matter of law—be wrongfully enjoined from violating the law, most of this injunction requires very little security. Nevertheless, because the Defendants will likely suffer a slight disruption of their business while their devices are being "mirror imaged," some bond is necessary. The Court thus orders FAU to post a bond of $10,000 to protect the Defendants’ interests.
***
Accordingly, the Court hereby
ORDERS AND ADJUDGES that the Motion for Preliminary Injunction [ECF No. 34] is GRANTED as follows:
1. Under Federal Rule of Civil Procedure 65(c), FAU shall, by June 15, 2020 , post a $10,000.00 bond for damages, to which the Defendants may be entitled in the case of a wrongful injunction or restraint, during the pendency of this action, or until further Order of the Court. In the Court's discretion, the bond may be subject to increase, in the interest of justice, should an appropriate application be made;
2. The Defendants are hereby enjoined and restrained from accessing FAU's computers or computer servers, either directly or indirectly, for any purpose whatsoever;
3. The Defendants are hereby enjoined and restrained from obtaining any confidential, secured, federally protected, and/or proprietary information belonging to FAU, either directly or indirectly, for any purpose whatsoever;
4. The Defendants are hereby enjoined from destroying, erasing, altering, concealing, spoliating, or otherwise disposing of, in any manner whatsoever, any documents or records that relate to FAU's Computers, including computer data, electronically stored information, and electronic storage media, including flash drives, hard drives, backup tapes, and MP3s. The Defendants shall immediately take all steps necessary to preserve and retain such information;
5. The Defendants shall immediately disgorge and serve on FAU any confidential, secured, federally protected, and/or proprietary information of FAU's in their possession, custody, or control, in whatever form it exists, including any FAU class lists, FAU students’ NetID usernames and passwords, non-public contact information of students and faculty members;
6. FAU and the Defendants shall, by July 9, 2020 , meet at Owl Tutoring so that FAU can "mirror image" the Defendants’ computers.
Nothing in this Order should be construed to prevent Owl Tutoring from continuing to tutor FAU students by, for example, using FAU class syllabi or helping students with their problem sets and other assignments.
The parties shall work together on a protective order—as well as an agreed-upon list of search terms—that can be used to mine the data taken from the "mirror images" of these computers in a way that gets FAU the information it needs to prosecute this case without delving into irrelevant matters, such as (for instance) Parsont's personal affairs. If the parties are unable to agree on any such protective order—or on the scope of any such list—they must raise the issue promptly with the magistrate judge.
DONE AND ORDERED in Fort Lauderdale, Florida, this 9th day of June 2020.