Opinion
CIVIL ACTION No. 10-1029.
September 23, 2011
MEMORANDUM
Plaintiff Grant Manufacturing Alloying, Inc. (Grant) brings claims against former Grant employees Gregory McIlvain and Darryl Williams pursuant to the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and Pennsylvania law. McIlvain and Williams have each filed a motion for summary judgment as to all claims. For the reasons set forth below, summary judgment will be granted in Defendants' favor as to Grant's CFAA claims. Grant's remaining state law claims will be dismissed without prejudice pursuant to 28 U.S.C. § 1367(c)(3).
FACTS
"On a motion for summary judgment, a district court must view the facts in the light most favorable to the non-moving party and must make all reasonable inferences in that party's favor." Hugh v. Butler Cnty. Family YMCA, 418 F.3d 265, 267 (3d Cir. 2005).
Grant is a primary manufacturer of tin, tin alloys, and specialty products servicing the electronics, plating, and tin chemical industries. Grant sells its products both to end-users of the products and to distributors who resell the products to end-users. Although Grant does not have long-term contracts with its customers, the majority of Grant's business is from repeat customers.
McIlvain and Williams began working for Grant as sales representatives in 1986 and 1988, respectively. Neither had a written employment agreement or a non-compete agreement with Grant. No Grant employees have such agreements with the company.
Grant maintains an Alpha 5 computer database system, which includes an order entry system and a purchase order system. McIlvain developed the order entry system, which was later refined by Grant's independent IT consultant, Jeffrey Fried. Fried set up the purchase order system. Both systems are password-protected, and, during McIlvain's and Williams's tenure at Grant, each of the company's sales representatives had passwords for both systems. In addition, McIlvain and Williams each had the other's password so they could cover for one another when one of them was on vacation.
In addition to the Alpha 5 system, Grant maintains a password-protected customer database for which most of Grant's employees have passwords.
During the relevant time period, Grant had four sales representatives: McIlvain, Williams, Jeff Tyler, and Jack Russell, who was part of the sales force but was not a Grant employee. McIlvain supervised the other members of Grant's sales force.
Grant's purchase order system includes a function which prepares and sends automatic price updates to Grant's customers by email, providing the recipient with current pricing information for the products it typically purchases on a scheduled basis. Grant did not require its sales representatives to use the automatic price update function. Rather, individual sales representatives would determine, in consultation with their customers, whether and how often a customer received automatic price updates. McIlvain used the purchase order system to send automatic price updates to some of his customers, but Williams did not.
Because the price of tin changes frequently throughout the day and from day to day, Grant's pricing also changes frequently.
The pricing reflected in Grant's automatic price updates is a function of several factors, including raw material costs, the premium on raw materials, manufacturing costs, transportation costs, and a gross profit factor. Assigning a value to pricing factors such as gross profit or manufacturing cost was a sales representative's function. McIlvain, Williams, and Tyler each had the ability to change these factors for their customers' accounts. Only McIlvain (and Fried) had the ability to change the pricing factors for distributor pricing.
Grant's controller Joseph Guarini testified Grant's sales representatives had discretion to change these pricing components. Guarini Dep. 238, 301, Jan. 3, 2011. Guarini recalled that at some point in late 2008 or early 2009, Kenneth Thompson, Grant's owner, told McIlvain "he didn't want prices affected. He wanted to leave everything status quo." Id. Thompson recalled that on one occasion — possibly in the summer of 2009 — McIlvain asked him about raising pricing, to which Thompson responded "not at this time." Thompson Dep. 246, Dec. 23, 2010.
In the spring or summer of 2008, McIlvain and Williams began preliminary discussions with representatives of Nathan Trotter and Company, Inc. (Trotter), one of Grant's major competitors, regarding the possibility of going to work for Trotter. On February 19, 2010, McIlvain and Williams resigned from Grant and accepted sales positions with Trotter.
Prior to resigning, McIlvain asked Fried how to remove his name from the automatic price updates that were scheduled to go out under his name, in the event he left Grant. Fried told McIlvain he did not feel he could remove McIlvain's name for him. On February 18, 2010, the night before he resigned, McIlvain accessed Grant's purchase order system and marked for deletion 63 distributor and customer records. By marking the records for deletion, McIlvain rendered them inactive by suppressing them from view. He did not permanently delete the records from the system, a process known as "packing," Fried. Dep. 51-52, although he knew how to "pack" data from the system. At his deposition, McIlvain testified he marked the records for deletion to prevent automatic price updates from going out with his name on them because he was going to work for a competitor and did not want to have his name associated with two different companies in the same industry. McIlvain Dep. 98, 104, Dec. 28, 2010. Both Thompson and Guarini testified that had McIlvain asked them to take his name off of the automatic price updates, they would have done so. Thompson Dep. 279; Guarini Dep. 358.
McIlvain did not have the ability to remove his name from the emails by himself; only Fried could do it.
The same day McIlvain and Williams resigned, Fried came to Grant's offices to work on transitional issues relating to their departure. As part of this work, Fried discovered the distributor and customer records that McIlvain had marked for deletion. Fried was able to restore all of the records marked for deletion by simply entering the command "recall all." By Fried's account, this undeletion process was "simple," taking only "15 seconds." Fried Dep. 94. He discovered no evidence any records had been permanently deleted from the system.
Fried testified it was immediately apparent there was a problem with the distributor records because he could not see any distributors on the purchase order system. Fried Dep. 81, Dec. 20, 2010. Because McIlvain had not marked all customer records for deletion, however, Fried could still see some customers on the system, and it was not immediately obvious to him that customer records had been marked for deletion. Id.
Fried also undertook various other projects relating to the transition, including changing the passwords and security settings within the system, removing or changing McIlvain's and Williams's names within the system, and assisting Grant in sending out an announcement to customers regarding McIlvain's and Williams's departure and implementing a blanket price reduction. Grant also asked Fried to look at the data in the Alpha 5 system, including the pricing data in the accounts managed by McIlvain and Williams, to determine whether there had been any changes over time. Fried compiled a number of reports for Grant showing the available historical data regarding changes in the manufacturing cost and gross profit pricing factors for distributors and customers, and showing changes in the number of customers marked for deletion at various points in time. Fried's reports reflect that in some instances the gross profit and/or manufacturing cost factors were increased for certain products and certain Grant customers between February 15 and 19, 2010, in the week before McIlvain and Williams left Grant. See Fried Dep. Ex. 15. Because of the limitations of the data, Fried could not determine exactly when during that period the changes were made or who made the changes. Grant believes McIlvain or Williams increased the pricing in these categories just before resigning to make Grant's pricing less competitive.
Because of limitations of Grant's computer system, the only data available for Fried's analysis consisted of periodic backups of the data on the system at various points in time. While these snapshots allowed Fried to identify changes in the data over time, from one backup file to another, they did not permit him to pinpoint exactly when or by whom a particular change was made.
Fried billed Grant $9,312.50 for the work he performed in response to McIlvain's and Williams's departure. Fried's bill covered the work he did to restore records marked for deletion and to verify the integrity of Grant's pricing data, as well as work undertaken to facilitate the transition.
On March 3, 2010, Grant filed the instant lawsuit, alleging McIlvain and Williams violated the CFAA and the Pennsylvania Uniform Trade Secrets Act, and asserting claims against them for breach of the duty of loyalty, unfair competition, tortious interference with actual and prospective business relations, and civil conspiracy.
DISCUSSION
Summary judgment shall be granted "if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Fed.R.Civ.P. 56(a). "Material" facts are those facts "that might affect the outcome of the suit under the governing law." Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). A factual dispute is "genuine" if "the evidence is such that a reasonable jury could return a verdict for the nonmoving party." Id. "Where the record taken as a whole could not lead a rational trier of fact to find for the non-moving party, there is no `genuine issue for trial.'" Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986) (citation omitted).
The CFAA is a criminal statute which penalizes a range of computer offenses and also provides a civil remedy in certain circumstances to persons who suffer damage or loss as a result of a violation of its provisions. See 18 U.S.C. § 1030(g) (specifying the circumstances in which a plaintiff may bring a civil action under the CFAA). Grant contends McIlvain and Williams violated three provisions of the CFAA — 18 U.S.C. §§ 1030(a)(2)(C), (a)(4), and (a)(5) — when McIlvain marked for deletion 63 records in Grant's purchase order system and when one or both Defendants increased certain pricing factors in the purchase order system in the week before they resigned.
Section 1030(a)(2)(C) prohibits a person from "intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer." Section 1030(a)(4) makes it unlawful to
knowingly and with intent to defraud, access[] a protected computer without authorization, or exceed[] authorized access, and by means of such conduct further[] the intended fraud and obtain[] anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.
Section 1030(a)(5) has three subsections, which prohibit
(A) knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer;
(B) intentionally access[ing] a protected computer without authorization, and as a result of such conduct, recklessly caus[ing] damage; or
(C) intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss.
McIlvain and Williams argue summary judgment is warranted as to Grant's CFAA claim because there is no evidence in the record from which a reasonable jury could find (1) Grant suffered a loss of $5,000 or more as a result of the alleged CFAA violations; (2) Grant suffered any damage as a result of the marking for deletion of computer files; (3) either of them accessed Grant's computer system without authorization or exceeded their authorized access to the system; (4) either of them obtained any information or anything of value as a result of the alleged violations; or (5) either of them acted with fraudulent intent. McIlvain and Williams also argue the alleged alteration of pricing data cannot support a CFAA claim because Grant cannot show either of them was responsible for the alterations or that pricing data was altered for reasons unrelated to market conditions. Grant opposes the motion, arguing the evidence is sufficient to create a genuine issue of material fact as to each element of each of its CFAA claims.
To bring a civil action for a violation of any provision of § 1030, Grant must show the conduct at issue caused "loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value." Id. § 1030(c)(4)(A)(i)(I). The CFAA defines the term "loss" as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." Id. § 1030(e)(11).
Section 1030(g) provides a civil remedy for a CFAA violation "only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i)." Because the factors set forth in subclauses (II) through (V) are plainly inapplicable to this case, Grant must show Defendants' conduct involves the factor in subclause (I), which requires a loss of at least $5,000.
In this case, it is undisputed that Fried billed Grant more than $9,000 for work he performed in February 2010 in connection with McIlvain's and Williams's departure. What is disputed, however, is the amount of the bill attributable to Fried's efforts to investigate and respond to the alleged CFAA offenses (i.e., the marking for deletion of the 63 computer records and the alteration of certain pricing data), as opposed to his work on routine transitional matters, which would have required attention even in the absence of any alleged misconduct.
Grant relies solely on Fried's bill in arguing it has produced sufficient evidence to withstand summary judgment on the issue of whether it sustained a qualifying loss under the CFAA. See Pl.'s Opp'n to McIlvain's Mot. for Summ. J. 15.
Both the bill and Fried's and Guarini's deposition testimony reflect that Fried undertook a number of different projects for Grant in the week or so following McIlvain's and Williams's resignations. Fried testified the work covered by his bill included undeleting the 63 records marked for deletion; removing McIlvain's and Williams's names from Grant's computer system and from documents distributed to third parties; giving Grant's remaining sales representative access to all accounts; changing passwords on various aspects of the system; assisting in preparation and distribution of a mass email/fax regarding the transition; implementing a blanket price reduction; and reviewing and analyzing the available historical data to determine what changes had been made to certain pricing factors over time. See Fried Dep. 85-141. Guarini agreed Fried worked on "many things" during the weekend after the resignations, including "security issues, changing passwords, changing access points, changing names because you don't want price updates going out with former employees' names on them[,] . . . [a]s well as . . . fix[ing] the database back to where it was." Guarini Dep. 171.
Some of these projects — most notably, Fried's work to restore the records marked for deletion and to identify and repair changes to the pricing factors — clearly represent efforts to respond to the alleged CFAA offenses, and the costs associated with these projects would therefore qualify as loss within the meaning of the CFAA. Other projects undertaken by Fried, however, were routine transitional matters unrelated to the alleged offenses, the cost of which should not be included in calculating Grant's loss. Guarini admitted, for example, that changing passwords and deleting McIlvain's and Williams's names from the system were necessary tasks following any employee's departure. Guarini Dep. 171-72. Additionally, Grant conceded at oral argument that Fried's work on the mass email to customers regarding the transition was unrelated to the alleged offenses.
The summary judgment record provides scant information regarding the amount of Fried's bill attributable to responding to the alleged CFAA offenses. Although the bill includes one or more separate entries for each day from February 19 to 26, 2010, specifying the number of hours Fried worked and the tasks he performed, most entries appear to include some tasks that could properly be considered damage assessment and data restoration and others that could not. For example, the February 20, 2010, entry states Fried spent a total of 14 hours "[c]ontinu[ing] work on transitional matters, especially in fixing data for running price updates on Monday and preparing lists for Joe to distribute marketing message regarding transition." Fried Dep. Ex. 3. While time spent on the former task is includable as loss, time spent on the latter task is not. The deposition testimony also sheds little light on how much of Fried's bill can properly be counted as loss. Fried testified the task of restoring the records marked for deletion took only 15 seconds and was worth less than $100 of his time. Id. at 143. However, Fried was not asked, and did not state, how much of his bill was attributable to his efforts to determine whether pricing data had been altered or to reverse any such alterations. Guarini simply agreed Fried would be the best person to explain "the amount of time and effort spent in investigating the alleged misconduct." Guarini Dep. 350.
Grant's counsel was unable to attend Fried's deposition because of a scheduling conflict. Although this Court declined Grant's request to quash the deposition, the Court noted the parties remained free to agree to reschedule the deposition to a mutually agreeable date, consistent with the existing discovery deadline in the case.
The $5,000 loss amount is an element of Grant's CFAA claim on which Grant bears the burden of proof at trial. See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131-32 (9th Cir. 2009) (holding a plaintiff must prove a CFAA violation caused "a loss to one or more persons during any one-year period aggregating at least $5,000 in value"). Therefore, to survive summary judgment, Grant must produce evidence from which a reasonable jury could conclude at least $5,000 of Fried's bill is attributable to "the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense." 18 U.S.C. § 1030(e)(11). In the absence of any evidence showing how much time, or the overall proportion of his time, Fried spent on these activities, there is no basis on which a reasonable jury could reach such a conclusion. Therefore, Grant has failed to create a genuine issue of material fact as to the loss amount, and McIlvain and Williams are entitled to summary judgment as to Grant's CFAA claim on this basis. Cf. Cash Energy, Inc. v. Weiner, 81 F.3d 147 (1st Cir. 1996) (unpublished) (affirming summary judgment for defendants in a suit for damages for groundwater contamination from an adjacent property, even though it was likely that solvents from the defendants' property accounted for some of the contamination on the plaintiff's property, because the plaintiff produced no admissible evidence isolating the harm allegedly caused by the defendants from the contamination caused by other sources).
At oral argument, Grant conceded it was not possible, based on Fried's bill and the deposition testimony, to allocate Fried's time between tasks performed in response to the alleged offenses and routine transitional matters, but argued this weighed against granting summary judgment for McIlvain and Williams. While Grant is correct that this Court must draw all reasonable inferences in Grant's favor at the summary judgment stage, the fact that Fried's time entries list tasks that are both includable and excludable from the loss calculation, standing alone, does not permit the reasonable inference that all or even most of the time listed should count toward the $5,000 loss amount.
Even if Grant's evidence were sufficient to create a genuine factual issue as to the loss amount, summary judgment would still be warranted as to Grant's claims under §§ 1030(a)(2)(C), (a)(4), (a)(5)(B), and (a)(5)(C) because Grant has not produced evidence from which a reasonable jury could conclude McIlvain or Williams accessed Grant's computers "without authorization" or exceeded their authorized access to such computers, as required to prove a violation of those subsections. A person "exceeds authorized access" to a computer for purposes of the CFAA by "access[ing] a computer with authorization and . . . us[ing] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). Although the statute does not define the term "without authorization," interpreting the term in accordance with its ordinary meaning, numerous courts have held a person accesses a computer without authorization when he does so "without sanction or permission." Pulte Homes, Inc. v. Laborers' Int'l Union of N. Am., 648 F.3d 295, 304 (6th Cir. 2011); see also Brekka, 581 F.3d at 1133 (holding "a person who uses a computer `without authorization' has no rights, limited or otherwise, to access the computer in question"); Bro-Tech Corp. v. Thermax, Inc., 651 F. Supp. 2d 378, 407 (E.D. Pa. 2009).
Grant concedes McIlvain and Williams were permitted to access its purchase order system. Moreover, Grant does not dispute that McIlvain had the ability to mark records for deletion and make changes to distributor pricing, and that both McIlvain and Williams had the ability to make changes to customer pricing factors. Rather, Grant argues McIlvain and Williams accessed Grant's computer system without authorization or exceeded their authorized access to the system because the marking of files for deletion and alteration of pricing data were done for the purpose of interfering with Grant's business, in violation of the Defendants' duty of loyalty to Grant.
See, e.g., Guarini Dep. 146 (stating Williams had unique passwords for Grant's order entry and purchase order systems), 213 (agreeing there was no part of Grant's computer system McIlvain was not permitted to access while he was a Grant employee); Thompson Dep. 185 (acknowledging McIlvain had password access to all of Grant's computer databases up to the time he resigned); accord Fried Dep. 63 (stating each sales representative had a password for Grant's order entry and purchase order systems), 110 (agreeing McIlvain had a password to each and every area of the Grant database and server he needed a password to access).
See Guarini Dep. 147 (stating McIlvain's passwords were the only ones capable of making changes within the pricing structures), 238 (agreeing that assigning a value to a pricing component such as gross profit was "a salesman's function"), 301 (acknowledging McIlvain and Williams had discretion to change the manufacturing cost component of pricing); accord Fried Dep. 45 (stating McIlvain had "total control" over whether his customers received automatic price updates), 102-03, 105 (stating McIlvain had the authority to change or delete his own customer accounts and could change a number of things, including pricing, on distributor accounts), 111 (stating Fried was aware of no limitations on what McIlvain could to with the information to which he had access on Grant's computer system).
Grant relies primarily on International Airport Center, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006), in which the Seventh Circuit held an employee who used a secure-erasure program just prior to his resignation to permanently delete all of the data from a laptop he had borrowed from his employer accessed the laptop "without authorization." The court reasoned that because the employee's destruction of data amounted to a breach of his duty of loyalty to his employer, the employee thereby terminated his agency relationship with the employer "and with it his authority to access the laptop, because the only basis of his authority had been that relationship." Id.
This view — that authorization turns on the purpose for which an employee accesses a computer rather than the employer's actions to permit or restrict such access — has been rejected by numerous courts, including courts in this District, as inconsistent with the plain language of the statute and the rule of lenity, which requires courts to resolve any ambiguity concerning the reach of a criminal statute in favor of the defendant. In Brekka, for example, the court found no language in the CFAA to support an employer's argument "that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer's interest." 581 F.3d at 1133. The court first noted the ordinary meaning of the term authorization — i.e., "`permission or power granted by an authority'" — suggests "an employer gives an employee `authorization' to access a company computer when the employer gives the employee permission to use it." Id. (quoting Random House Unabridged Dictionary 139 (2001)). The court also concluded this interpretation was reinforced by the statute's definition of the term "exceeds authorized access," which makes clear a person "who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has `exceed[ed] authorized access,'" rather than someone without authorization to access the computer. Id. To give effect to both the phrase "without authorization" and the phrase "exceeds authorized action," the court held a person accesses a computer without authorization under the CFAA "when the person has not received permission to use the computer for any purpose . . ., or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway," id. at 1135, while a person who exceeds authorized access "has permission to access the computer, but accesses information on the computer that the person is not entitled to access," id. at 1133. Finally, the court observed nothing in the CFAA suggests liability for accessing a computer without authorization turns on whether the defendant breached a state law duty, and it would therefore be improper, in light of the rule of lenity, to interpret the statute in such an unexpected manner. Id. at 1135.
The rule of lenity applies to the construction of the CFAA in a civil setting because the statute has criminal applications. Brett Senior Assocs., P.C. v. Fitzgerald, No. 06-1412, 2007 WL 2043377, at *4 (E.D. Pa. July 13, 2007).
This Court finds persuasive the reasoning of the cases holding an employee accesses a computer "without authorization" when he "has no rights, limited or otherwise, to access the computer in question," Brekka, 581 F.3d at 1133, as have other courts in this District. See Integrated Waste Solutions, Inc. v. Goverdhanam, No. 10-2155, 2010 WL 4910176, at *8 n. 3 (E.D. Pa. Nov. 30, 2010) (declining to apply Citrin's analysis "based on the weight of contrary authority from within [the Third Circuit]"); Bro-Tech Corp., 651 F. Supp. 2d at 407 (finding persuasive and therefore adopting the reasoning of cases holding "an employee who may access a computer by the terms of his employment is `authorized' to use that computer for purposes of CFAA even if his purpose in doing so is to misuse or misappropriate the employer's information"); accord Pulte Homes, Inc., 648 F.3d at 304. Thus, because it is undisputed both McIlvain and Williams were permitted to access Grant's computer system, there is no evidence from which a reasonable jury could find McIlvain or Williams accessed Grant's computers "without authorization," and summary judgment is therefore appropriate as to Grant's claims under §§ 1030(a)(5)(B) and (C).
Sections 1030(a)(2)(C) and (a)(4) are not limited to situations in which a defendant accesses a computer without authorization, but also permit liability where the defendant "exceeds authorized access." Whether an employee has exceeded authorized access depends on the computer access restrictions imposed by his employer. Where an employer places limitations on the computer information an employee is entitled to obtain or alter or the manner in which the employee is entitled to obtain or alter such information, and notifies employees of such limitations, an employee who runs afoul of the limitations exceeds his authorized access under the CFAA. See, e.g., United States v. Nosal, 642 F.3d 781, 787-88 (9th Cir. 2011) (holding employees exceeded authorized access by obtaining and distributing information from their employer's database in violation of the employer's computer use policy, which restricted the use and disclosure of such information to legitimate business purposes); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding a Social Security Administration (SSA) employee exceeded authorized access by accessing SSA database records of various individuals for nonbusiness reasons in violation of an SSA policy prohibiting employees from obtaining information from its databases without a business reason); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582-84 (1st Cir. 2001) (holding a plaintiff was likely to prove a former employee exceeded authorized access to the plaintiff's web site where the former employee used proprietary information about the web site to obtain data from it in violation of a confidentiality agreement).
Grant has produced no evidence of any computer access restrictions to which McIlvain and Williams were subject. Grant admits neither Defendant had a written employment agreement, Guarini Dep. 83, there was no part of Grant's computer system McIlvain was not permitted to access while employed by Grant, id. at 213, and Williams had password access to Grant's order entry and purchase order systems, id. at 146. Indeed, the only evidence of any restrictions on either Defendant's access is Thompson's statement that on one occasion during the summer of 2009, McIlvain "said something about raising pricing," and Thompson responded, "not at this time." Thompson Dep. 245-46; see also Guarini Dep. 301 (stating that sometime in late 2008 or early 2009, Thompson told McIlvain "he didn't want prices affected[;] [h]e wanted to leave everything status quo"). This alleged directive, which was not in writing, did not address McIlvain's computer access, and, by Thompson's own account, consisted simply of his denial of McIlvain's 2009 request to raise prices "at this time," is simply too vague and indefinite to amount to a computer use restriction, and no reasonable jury could find otherwise. Because there is no evidence from which a reasonable jury could find McIlvain and Williams were subject to any computer access restrictions which they exceeded by marking files for deletion or making changes to pricing factors, summary judgment is also appropriate as to Grant's claims pursuant to §§ 1030(a)(2)(c) and (a)(4). See Nosal, 642 F.3d at 787 (noting the employee in Brekka "did not exceed his authorized access any more than he acted without authorization" because he did not have a written employment agreement and his employer did not promulgate employee guidelines prohibiting employees from emailing company documents to personal computers); Clarity Servs., Inc. v. Barney, 698 F. Supp. 2d 1309, 1316 (M.D. Fla. 2010) (holding an employee who enjoyed unrestricted access to all of the information on his employerissued laptop throughout his employment did not exceed his authorized access to the laptop by permanently deleting all information from the laptop); Hoover v. Fla. Hydro, Inc., No. 07-1100, 2009 WL 2391220, at *5 (E.D. La. July 31, 2009) (granting summary judgment for an employee on an employer's CFAA counterclaim based on the employee's deletion of files the day before he quit because the employer failed to produce evidence "of what specific files [the employee] was not authorized to delete").
Moreover, even if the evidence were sufficient to create a genuine issue of material fact as to whether McIlvain and Williams exceeded their authorized access by marking files for deletion and altering pricing data, summary judgment would still be appropriate as to Grant's claims pursuant to §§ 1030(a)(2)(C) and (a)(4) because Grant has produced no evidence that McIlvain and Williams thereby obtained any "information from any protected computer," as required to show a violation of § 1030(a)(2)(C), or "anything of value," as required to show a violation of § 1030(a)(4). Grant argues "there is strong circumstantial evidence that [McIlvain] downloaded a significant portion of Grant's customer list and other confidential and proprietary customer information in order to facilitate sales for Trotter." Pl.'s Opp'n to McIlvain's Mot. for Summ. J. 15. But even assuming this is true, McIlvain did not obtain such information as a result of the conduct by which he is alleged to have exceeded his authorized access, namely his marking of files for deletion and alteration of pricing data. See Clarity Servs., 698 F. Supp. 2d at 1316 (holding an employee who "reset" his employer-issued laptop before returning it, permanently deleting all information stored thereon, did not violate § 1030(a)(2)(C) because he did not obtain any information from the laptop by doing so). Further, insofar as Grant suggests the downloading of customer information is an independent CFAA violation, there is no evidence Grant imposed any restrictions on McIlvain's or Williams's ability to do so. See Fitzgerald, 2007 WL 2043377, at *3 (holding an employee did not exceed his authorized access by copying client information from his employer's computer system and emailing it to a new employer where the employee "was allowed full access to information contained in the [employer's] computer system until his departure").
Grant's claim under § 1030(a)(5)(A) presents a closer question. Unlike the other CFAA provisions Grant invokes, § 1030(a)(5)(A) does not require access of a protected computer without authorization or in excess of authorized access, but prohibits a person from "knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer." For purposes of the CFAA, the term "damage" includes "any impairment to the integrity or availability of data, a program, a system, or information." 18 U.S.C. § 1030(e)(8). Insofar as Grant's claim is based on McIlvain's marking for deletion of computer records, summary judgment is appropriate because pressing a delete key does not constitute a "transmission" within the meaning of the CFAA, and, in this instance, the records marked for deletion were still available and accessible, so the act of marking them caused no damage. The same is not true, however, with respect to the alteration of pricing data, which at least arguably involved a transmission of information that impaired the integrity or availability of the data. Nevertheless, because Grant has not produced evidence from which a reasonable jury could find Grant suffered the requisite $5,000 loss as a result of any alleged CFAA violation, summary judgment is appropriate as to Grant's CFAA claim in its entirety.
See Citrin, 440 F.3d at 419 (noting that while "[p]ressing a delete or erase key in fact transmits a command, . . . it might be stretching the statute too far . . . to consider any typing on a computer keyboard to be a form of `transmission' just because it transmits a command to the computer"); Dedalus Found. v. Banach, No. 09-2842, 2009 WL 3398595, at *3 (S.D.N.Y. Oct. 16, 2009) (same).
See Cheney v. IPD Analytics, L.L.C., No. 08-23188, 2009 WL 1298405, at *6 (S.D. Fla. Apr. 16, 2009) (holding that while permanent deletion of files from a computer may constitute damage under the CFAA, deletion does not constitute damage "if the deleted data is still available . . . through other means"), report recommendation adopted, 2009 WL 2096236 (S.D. Fla. May 8, 2009).
Accordingly, McIlvain's and Williams's motions for summary judgment will be granted as to Count I of the Complaint. Having dismissed Grant's sole federal claim, this Court declines to exercise supplemental jurisdiction over Grant's remaining state law claims. See 28 U.S.C. § 1367(c)(3) (providing a district court may decline to exercise supplemental jurisdiction if "the district court has dismissed all claims over which it has original jurisdiction"). Therefore, Counts II-VI of the Complaint will be dismissed without prejudice.
An appropriate Order follows.