Opinion
Civil No. 3:19-cv-504 (DJN)
11-12-2019
MAUREEN HAINS, Plaintiff, v. DAWN M. ADAMS, Defendant.
MEMORANDUM OPINION
Plaintiff Maureen Hains ("Plaintiff") brings this action against Defendant Dawn M. Adams ("Defendant"), alleging that Defendant violated federal and state law by accessing Plaintiff's personal e-mails, documents and accounts without authorization. Plaintiff further alleges that Defendant unjustly enriched herself by requiring Plaintiff to perform duties outside of her job description without compensation. This matter comes before the Court on Defendant's Motion to Dismiss or, in the Alternative with Respect to Count VI, For a More Definite Statement (ECF No. 9) ("Defendant's Motion"), moving for partial or complete dismissal of the counts in Plaintiff's Complaint for failure to state a claim pursuant to Federal Rule of Civil Procedure 12(b)(6) or, in the alternative, for a more definite statement in support of Plaintiff's unjust enrichment claim pursuant to Rule 12(e). For the reasons set forth below, the Court DENIES Defendant's Motion (ECF No. 9).
The Court finds that it may exercise subject matter jurisdiction over Counts I and II of Plaintiff's Complaint pursuant to 28 U.S.C. § 1331, because those counts raise claims under the laws of the United States. The Court may exercise jurisdiction over Counts III, IV and V of Plaintiff's Complaint pursuant to 28 U.S.C. § 1367, because those Counts raise claims based on the same operative facts as Plaintiff's federal claims. And the Court may exercise supplemental jurisdiction over Plaintiff's unjust enrichment claim in Count VI, because the value of Plaintiff's work for Defendant gives rise to both Plaintiff's right to relief in Count II — namely, her right to relief pursuant to 18 U.S.C. §§ 1030(a)(5)(B) and (C), which requires proof of damages or losses — and her right to relief in Count VI, which requires proof that Plaintiff conferred a benefit on Defendant.
I. BACKGROUND
In deciding a motion to dismiss pursuant to Rule 12(b)(6), the Court must accept Plaintiff's well-pleaded factual allegations as true, though the Court need not accept Plaintiff's legal conclusions. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Based on this standard, the Court accepts the following facts.
A. Underlying Relationship
Defendant has served as Delegate for the Sixty-Eighth House of Delegates District since her election in November 2017. (Compl. (ECF No. 1) ¶ 8.) Defendant first hired Plaintiff as the manager and communications director for her 2017 campaign. (Compl. ¶ 9.) Once elected, Defendant hired Plaintiff as her legislative assistant. (Compl. ¶ 10.)
In June 2018, Defendant started Integrated Health Consulting, LLC ("IHC"), serving as its owner and chief executive officer. (Compl. ¶ 8.) In this capacity, from July 2018 until December 2018, Defendant reviewed patient charts at rehabilitation facilities operated by Laurel Health Care Company ("Laurel") and classified and coded the diagnoses, symptoms and procedures described in the charts according to the International Classification of Diseases, Tenth Revision ("ICD-10"). (Compl. ¶¶ 12-14.) Plaintiff assisted Defendant with her coding work and with obtaining medical liability and workers' compensation insurance for IHC. (Compl. ¶ 14.) As part of this work, Plaintiff corresponded with Defendant using her personal e-mail account and created files using the Google Drive features connected to that account. (Compl. ¶¶ 15-17.) Plaintiff sent e-mails to Defendant's IHC and personal e-mail addresses. (Compl. ¶ 16.) By the end of 2018, Plaintiff worked as Defendant's paid legislative assistant, unpaid medical ICD-10 coder and unpaid campaign manager and communications director. (Compl. ¶ 18.)
B. Alleged Hacking of Plaintiff's Accounts
In April 2019, Plaintiff experienced health issues that required her hospitalization from April 22, 2019 until April 29, 2019, during which time Plaintiff had no access to her computer or cell phone. (Compl. ¶ 19.) Before her hospitalization, Plaintiff also deleted the Facebook and Facebook Messenger applications on her cell phone. (Compl. ¶ 19.) On April 22, 2019, Defendant learned of Plaintiff's hospitalization and asked Plaintiff to inform her by May 1, 2019 if she would continue to work for Defendant or either apply for short-term disability insurance or quit her jobs. (Compl. ¶ 20.)
On April 26, 2019, Defendant requested Plaintiff's Facebook authorization code from Plaintiff's girlfriend, representing to Plaintiff's girlfriend that she needed to remove Plaintiff as an administrator on the "Delegate Adams" Facebook page. (Compl. ¶ 21.) However, Defendant did not need Plaintiff's Facebook login credentials to remove Defendant as an administrator. (Compl. ¶ 22.) After returning home on April 29, 2019, Plaintiff logged in to her personal e-mail account and noticed an e-mail from Facebook dated April 26, 2019 at 10:27 a.m., with the subject line "Login alert for Safari on Mac OS X." (Compl. ¶ 24.) The e-mail described a login on April 26, 2019 at 10:27 a.m. from "Near Richmond, VA, United States" using "Safari on Mac OS X," and listed the internet-protocol ("IP") address for the device as 71.62.244.252. (Compl. ¶¶ 24, 28.) Neither Plaintiff nor anyone with her Facebook login credentials owns or uses a device running on the Mac OS X operating system, but at the time of the login, Defendant owned an Apple MacBook. (Compl. ¶¶ 25-26.)
An IP address represents the ten-digit "identification tag used by computers to locate specific websites." Internet-Protocol Address, Black's Law Dictionary (11th ed. 2019).
After logging in to her Facebook account, Defendant reviewed more information on the unusual login described in the alert e-mail. (Compl. ¶ 28.) The information provided by Facebook showed that the suspicious device logged out of Plaintiff's Facebook account at 10:39 a.m. on April 26, 2019. (Compl. ¶ 29.) Plaintiff became concerned, because she used the same login credentials for Facebook as her other accounts, including her personal e-mail, Google Drive and Wells Fargo online banking accounts. (Compl. ¶ 30.) Plaintiff also used the same login credentials to create Defendant's website through the website host Wix.com. (Compl. ¶ 31.) Defendant had access to Plaintiff's login credentials for Wix.com. (Compl. ¶ 31.)
While checking her personal e-mail on April 29, 2019, Plaintiff also noticed an e-mail from Google dated April 22, 2019 at 3:02 p.m. with the subject line "Security alert." (Compl. ¶ 32.) The e-mail advised that a Mac device had logged in to Plaintiff's Google account. (Compl. ¶ 32.) After reviewing the information collected by Google regarding the suspicious login, Plaintiff noticed that the login occurred at 3:02 p.m. on April 22, 2019, from a Mac device with the IP address 71.62.244.252, which matched the address of the device that had logged in to Plaintiff's Facebook account. (Compl. ¶¶ 33-35.) Subsequently, Plaintiff changed the passwords for her online accounts. (Compl. ¶ 36.)
Suspecting that Defendant was the source of the suspicious logins, Plaintiff checked the source code for e-mails sent from Defendant's personal e-mail address and discovered that those e-mails originated from a device with the same IP address as the device used to log in to Plaintiff's Facebook and Google accounts. (Compl. ¶¶ 38-39.) Upon further investigation, Plaintiff also discovered that nearly all of the e-mails in her Google account regarding her ICD- 10 coding work had been deleted, including the folder she had created for IHC-related e-mails. (Compl. ¶ 41.) In total, Plaintiff's review of the past activity on her Google account revealed the following: (1) a search for Defendant's personal e-mail address at 3:02 p.m. on April 22, 2019; (2) a search for "got print" at 3:03 p.m. on April 22, 2019; (3) a visit to "Sign in to the Admin console - G Suite Admin Help" at 1:57 p.m. on April 23, 2019; (4) a search for "ihc" at 5:21 p.m. on April 25, 2019; (5) the movement of thirty-one items to the trash folder in Plaintiff's Google Drive account, including billing sheets for Defendant and IHC's work for Laurel, at 5:20 p.m. on April 25, 2019; (6) the deletion of the e-mail folder named "Integrated Health Care" at 5:29 p.m. on April 25, 2019; (7) the movement of two additional documents to the trash folder in Plaintiff's Google Drive account, including a spreadsheet named "Campaign donor mail 5.xlt" and a logo that Plaintiff had created in 2015 and that did not relate to her work for Defendant, at 4:12 p.m. on April 26, 2019; and, (8) the permanent deletion of the items in Plaintiff's Google Drive trash folder. (Compl. ¶ 42.)
After discovering the above information, Plaintiff began consulting with an attorney regarding a possible separation of her employment with Defendant. (Compl. ¶ 44.) Plaintiff used her Google e-mail address to correspond with the attorney, believing that by changing her password she had secured the account. (Compl. ¶ 44.) On May 3, 2019, Plaintiff received an e-mail with the subject line "Your Wells Fargo Online access has been suspended." (Compl. ¶ 45.) The e-mail advised Plaintiff that her Wells Fargo access had been suspended due to "a possible unauthorized attempt to sign on to [Plaintiff's] account." (Compl. ¶ 45 (internal quotations omitted).)
Soon thereafter, on May 6, 2019, Plaintiff checked her Google e-mail account settings and noticed that someone had designated Defendant's campaign e-mail address to receive automatic forwards of any e-mails sent to Plaintiff's Google account. (Compl. ¶ 48.) The campaign address awaited verification to enable the forwarding. (Compl. ¶ 48.) Plaintiff's e-mail settings also designated Plaintiff's work e-mail address to receive automatic forwards. (Compl. ¶ 49.) During Plaintiff's hospital stay, Defendant had removed Plaintiff's authorization for her work e-mail address, preventing Plaintiff from viewing the e-mails that were automatically forwarded to that account. (Compl. ¶ 50.)
C. Plaintiff's Complaint
Based on the above allegations, on July 11, 2019, Plaintiff filed a Complaint setting forth six counts for relief. (Compl. ¶¶ 56-106.) In Count I, Plaintiff seeks relief pursuant to the Stored Communications Act ("SCA") — specifically, 18 U.S.C. §§ 2701(a) and 2707 — alleging that Defendant knowingly, intentionally and without authorization accessed electronically stored e-mails, including delivered and opened e-mails, in Plaintiff's personal e-mail account. (Compl. ¶¶ 56-60.) Plaintiff further alleges that Defendant altered her e-mails by deleting nearly all of the e-mails relating to Plaintiff's work for IHC, thereby preventing Plaintiff from accessing those e-mails in the future. (Compl. ¶ 60.)
In Count II, Plaintiff seeks relief under the Computer Fraud and Abuse Act ("CFAA") — namely, 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(5)(B)-(C) and 1030(g) — alleging that Defendant intentionally accessed or attempted to access the computer data associated with Plaintiff's Facebook, Google and Wells Fargo accounts without authorization. (Compl. ¶¶ 65-69.) Plaintiff alleges that this unauthorized access and attempted access caused her to sustain a "loss" as defined by the CFAA, because the unauthorized access resulted in at least $5,000 in aggregated losses during a one-year period and actual or potential modification or impairment of her medical conditions, treatment and care, including the need for counseling and therapy. (Compl. ¶¶ 73-74.)
In Count III, Plaintiff alleges that Defendant's conduct violated the Virginia Computer Crimes Act ("VCCA"). (Compl. ¶¶ 76-85.) Specifically, Plaintiff alleges that Defendant violated Virginia Code § 18.2-152.3 by: using Plaintiff's password without authorization to access Plaintiff's Google accounts under false pretenses; obtaining Plaintiff's property, including her e-mails and files; and, deleting some of Plaintiff's e-mails and files. (Compl. ¶¶ 79-82.) From this violation, Plaintiff seeks damages pursuant to Virginia Code § 18.2-152.12(A). (Compl. ¶ 77.) Relatedly, in Count IV, Plaintiff seeks relief under § 18.2-152.4 of the VCCA, which prohibits the removal, copying or disablement of data from a computer or computer network. (Compl. ¶¶ 86-90.) And, in Count V, Plaintiff alleges that Defendant violated § 18.2-152.5 of the VCCA by using a computer to intentionally examine Plaintiff's financial, employment and identifying information without authorization. (Compl. ¶¶ 91-95.)
Finally, in Count VI, Plaintiff raises a claim for unjust enrichment under Virginia common law, alleging that she provided benefits to Defendant by: (1) performing unpaid or underpaid work for IHC and Defendant's campaigns; (2) paying to store yard signs from Defendant's campaign for delegate for over a year without reimbursement; (3) paying for materials and supplies for Defendant's campaign without reimbursement; and, (4) performing personal tasks for Defendant. (Compl. ¶¶ 98-102.) Plaintiff asserts that she had a reasonable expectation of payment for these services and materials, all of which she claims exceeded the scope of her duties as Defendant's legislative assistant and campaign manager. (Compl. ¶ 103.) Plaintiff further asserts that Defendant knew or had reason to know of the benefits that Plaintiff provided and Plaintiff's expectation of payment, adding that it would be inequitable to allow Defendant to retain those benefits without payment. (Compl. ¶¶ 104-05.)
Based on the above counts, Plaintiff seeks a declaratory judgment that Defendant's conduct violated the SCA, compensatory and punitive damages, attorneys' fees and costs, and pre- and post-judgment interest. (Compl. at 19.)
D. Defendant's Motion to Dismiss
On August 30, 2019, Defendant filed her Motion to Dismiss, moving for partial or complete dismissal of the counts in Plaintiff's Complaint for failure to state a claim pursuant to Federal Rule of Civil Procedure 12(b)(6) or, in the alternative, for a more definite statement in support of Plaintiff's unjust enrichment claim pursuant to Rule 12(e). (Mot. to Dismiss (ECF No. 9) at 1.) Specifically, in response to Count I, Defendant argues that Plaintiff fails to allege sufficient facts to state a plausible claim as to Defendant's attempted access to Plaintiff's Wells Fargo account. (Br. in Supp. of Mot. to Dismiss ("Def.'s Mem.") (ECF No. 10) at 5.) Defendant contends that a failed attempt to access an online account does not constitute a violation of the SCA, so even if Defendant had attempted to access Plaintiff's Wells Fargo account, the SCA provides Plaintiff with no recourse. (Def.'s Mem. at 5.)
Defendant moves to dismiss the entirety of Count II, arguing that Plaintiff fails to allege sufficient facts to prove the $5,000 in qualifying losses required to sustain a cause of action under the CFAA. (Def.'s Mem. at 6.) Defendant contends that Plaintiff's allegation that she spent sixty-five to eighty hours responding to the unauthorized access to her accounts does not reach the CFAA's loss threshold based on Plaintiff's salary in 2018. (Def.'s Mem. at 7.) Defendant also maintains that Plaintiff's allegations regarding her medical costs proves insufficient, because Plaintiff fails to allege that those costs resulted from an interruption in service or her response to the unauthorized access to her accounts, as required by the CFAA. (Def.'s Mem. at 7-8.) And Defendant asserts that Plaintiff's allegations of exacerbated medical conditions likewise lacks sufficient factual support. (Def.'s Mem. at 8.)
As for Count III, Defendant argues for dismissal as to her alleged access to Plaintiff's Facebook account and attempted access to Plaintiff's Wells Fargo account. (Def.'s Mem. at 9.) Specifically, Defendant contends that as to the Facebook and Wells Fargo accounts, Plaintiff has not alleged sufficient facts to support a theory that Defendant used a computer network without authority to obtain Plaintiff's property or services by false pretenses or to embezzle/commit larceny. (Def.'s Mem. at 9.) Without sufficient facts to support a false-pretense or embezzlement/larceny theory, Defendant maintains that Plaintiff must show that she converted Plaintiff's property using a computer or computer network. (Def.'s Mem. at 9.) To that end, Defendant argues that Plaintiff's facts fail to plead any deprivation of access to the information in Plaintiff's Facebook and Wells Fargo accounts. (Def.'s Mem. at 9.) Indeed, Defendant points out that Plaintiff alleges only an attempt to access her Wells Fargo account, which would not deprive Plaintiff of the information in that account. (Def.'s Mem. at 9.)
Similarly, in response to Count IV, Defendant argues for dismissal of Plaintiff's claims as to her Facebook and Wells Fargo accounts, because computer trespass within the meaning of Virginia Code § 18.2-152.4 requires more than merely accessing or attempting to access an online account. (Def.'s Mem. at 10-11.) And Defendant moves to dismiss Count V in its entirety, because Plaintiff's assertion that her Facebook and Google accounts contained financial, employment and identifying information proves insufficient to state a claim that Defendant intentionally examined such information in violation of Virginia Code § 18.2-152.5. (Def.'s Mem. at 12.) Defendant argues that Plaintiff fails to plead sufficient facts to show that Defendant intentionally viewed information protected by § 18.2-152.5 and continued to view it after realizing that she should not do so. (Def.'s Mem. at 13.) Finally, Defendant moves to dismiss Count VI or, in the alternative, requests a more definite statement, arguing that Plaintiff fails to sufficiently plead facts to support the damages claimed under that Count. (Def.'s Mem. at 13-14.)
On September 9, 2019, Plaintiff filed her Brief in Opposition to Defendant's Motion, (Pl.'s Br. in Opp. to Def.'s Mot. to Dismiss & Mot. for a More Definite Statement ("Pl.'s Resp.") (ECF No. 11)), and, on September 16, 2019, Defendant filed her Reply, (Reply to Pl.'s Br. in Opp. to Def.'s Mot. to Dismiss ("Def.'s Reply") (ECF No. 12)), rendering the matter now ripe for review.
II. STANDARD OF REVIEW
A motion to dismiss pursuant to Rule 12(b)(6) tests the sufficiency of a complaint or counterclaim; it does not serve as the means by which a court will resolve contests surrounding the facts, determine the merits of a claim or address potential defenses. Republican Party of N.C. v. Martin, 980 F.2d 943, 952 (4th Cir. 1992). In considering a motion to dismiss, the Court will accept a plaintiff's well-pleaded allegations as true and view the facts in a light most favorable to the plaintiff. Mylan Labs., Inc. v. Matkari, 7 F.3d 1130, 1134 (4th Cir. 1993). However, "the tenet that a court must accept as true all of the allegations contained in a complaint is inapplicable to legal conclusions." Iqbal, 556 U.S. at 678.
Under the Federal Rules of Civil Procedure, a complaint or counterclaim must state facts sufficient to "'give the defendant fair notice of what the . . . claim is and the grounds upon which it rests[.]'" Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (quoting Conley v. Gibson, 355 U.S. 41, 47 (1957)). As the Supreme Court opined in Twombly, a complaint or counterclaim must state "more than labels and conclusions" or a "formulaic recitation of the elements of a cause of action," though the law does not require "detailed factual allegations." Id. (citations omitted). Ultimately, the "[f]actual allegations must be enough to raise a right to relief above the speculative level," rendering the right "plausible on its face" rather than merely "conceivable." Id. at 555, 570. Thus, a complaint or counterclaim must assert facts that are more than "merely consistent with" the other party's liability. Id. at 557. And the facts alleged must be sufficient to "state all the elements of [any] claim[s]." Bass v. E.I. Dupont de Nemours & Co., 324 F.3d 761, 765 (4th Cir. 2003) (citing Dickson v. Microsoft Corp., 309 F.3d 193, 213 (4th Cir. 2002) and Iodice v. United States, 289 F.3d 270, 281 (4th Cir. 2002)).
III. ANALYSIS
Because Plaintiff raises each count of her Complaint under different statutory or common-law causes of action, the Court will analyze the plausibility of each count in turn. The statutory provisions upon which Plaintiff relies in each count will govern the plausibility of Plaintiff's respective claims. And Virginia law will govern the plausibility of Plaintiff's claim in Count VI, because the alleged benefits provided to Defendant and Defendant's failure to provide payment for those benefits both occurred in Virginia. (Compl. ¶¶ 96-106); see Quillen v. Int'l Playtex, Inc., 789 F.2d 1041, 1044 (4th Cir. 1986) (holding that, in Virginia, "the place of the wrong (lex loci delicti) . . . determines which State's substantive law" governs actions that sound in tort (citing McMillan v. McMillan, 253 S.E.2d 662, 663 (Va. 1979))); G41 Consulting, Inc. v. Nana Servs., LLC, 2012 WL 1677985, at *4 (E.D. Va. May 14, 2012) (applying lex loci delicti principle to determine governing law over unjust enrichment claim).
A. The Parties Agree that Defendant's Alleged Attempt to Access Plaintiff's Wells Fargo Account Does Not Form the Basis of Count I, Rendering Moot Defendant's Motion as to Count I.
In Count I, Plaintiff seeks relief pursuant to the SCA — specifically, 18 U.S.C. §§ 2701(a) and 2707 — alleging that Defendant knowingly, intentionally and without authorization accessed electronically stored e-mails, including delivered and opened e-mails, in Plaintiff's personal e-mail account. (Compl. ¶¶ 56-60.) Plaintiff further alleges that Defendant altered her e-mails by deleting nearly all of the e-mails relating to Plaintiff's work for IHC, thereby preventing Plaintiff from accessing those e-mails in the future. (Compl. ¶ 60.)
As mentioned, in response to Count I, Defendant argues that Plaintiff fails to allege sufficient facts to state a plausible claim as to Defendant's attempted access to her Wells Fargo account, because an attempted access to an account does not constitute a violation of the SCA. (Def.'s Mem. at 5.) Plaintiff responds that Count I relates only to Defendant's unauthorized access to her personal e-mail account, mooting Defendant's contention. (Pl.'s Resp. at 4.) Because the parties agree that Defendant's alleged attempt to access Plaintiff's Wells Fargo account does not form the basis of Count I, the Court denies as moot Defendant's Motion as to Count I.
B. Plaintiff Has Pled Sufficient Facts to State a Plausible Claim in Count II.
In Count II, Plaintiff seeks relief under the CFAA, alleging that Defendant intentionally accessed or attempted to access the computer data associated with Plaintiff's Facebook, Google and Wells Fargo accounts without authorization. (Compl. ¶¶ 65-69.) Plaintiff alleges that this unauthorized access and attempted access caused her to sustain a "loss" as defined by the CFAA, because she sustained at least $5,000 in aggregated losses during a one-year period and actual or potential modification or impairment of her medical conditions, treatment and care, including the need for counseling and therapy. (Compl. ¶¶ 73-74.)
Defendant moves to dismiss the entirety of Count II, arguing that Plaintiff fails to allege sufficient facts to support the $5,000 in losses required to sustain a cause of action under the CFAA. (Def.'s Mem. at 6.) Plaintiff responds that despite Defendant's contention that the CFAA limits losses to only those costs associated with responding to the unauthorized access to an account or a service interruption, the CFAA in fact includes a broad definition of "loss," with the cost of responding to an offense or losses from service interruptions serving merely as examples. (Pl.'s Resp. at 4-5.) Plaintiff asserts that her allegations regarding the estimated number of hours spent investigating the unauthorized access to her accounts and her mental and emotional distress prove sufficient to reach the CFAA's loss threshold. (Pl.'s Resp. at 5.) And Plaintiff adds that the CFAA does not require a monetary threshold for losses stemming from the modification or impairment of her medical care — medical care that Plaintiff argues she has sufficiently alleged at this stage in the proceedings. (Pl.'s Resp. at 5-6 (citing 18 U.S.C. § 1030(c)(4)(A)(i)(II)).)
Congress limited the availability of civil actions under the CFAA to certain circumstances. See Hancock v. Cty. Of Rensselaer, 882 F.3d 58, 63 (2d Cir. 2018) ("The scope of civil actions permitted under [CFAA], however, has always been limited."). "A civil action for a violation of [the CFAA] may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV) or (V) of subsection (c)(4)(A)(i)." 18 U.S.C. § 1030(g). Plaintiff attempts to bring her claim only under Subclauses (I) and (II). (Pl.'s Resp. at 4).
i. Plaintiff Has Pled Sufficient Facts Under Subclause (I).
Subclause (I) requires a plaintiff to show that the alleged violation "caused . . . (I) loss to [one] or more persons during any [one] year period . . . aggregating at least $5,000 in value. . ." 18 U.S.C. § 1030(c)(4)(A)(i)(I). The Act defines "loss" as:
any reasonable cost to any victim, including [1] the cost of responding to an offense, [2] conducting a damage assessment, and [3] restoring the data, program, system, or information to its condition prior to the offense, and [4] any revenue lost, cost incurred, or other consequential damages incurred because of the interruption of service.§ 1030(e)(11). For civil actions arising only under Subclause (I), § 1030(g) further provides that a plaintiff may obtain only economic damages. Thus, to sustain a cause of action under only Subclause (I), a plaintiff must plead facts supporting a plausible inference that the defendant's alleged violations of the CFAA resulted in at least $5,000 in aggregate economic damages within a one-year period. See Hancock, 882 F.3d at 63-64 (holding that the plaintiffs' "inability to plead economic damages . . . dooms their attempt to apply Subclause (I)"). Notably, economic damages excludes damages "for death, personal injury, mental distress, and the like." Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 935 (9th Cir. 2004), cited favorably by A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009).
Here, Plaintiff alleges she "expend[ed] an estimated 65-80 hours" investigating the alleged violation and attempting to secure the compromised accounts. (Compl. ¶ 54.) She details many of these actions in her Complaint. (See, e.g., Compl. ¶¶ 38-48). Further, Plaintiff alleges that the deleted files related to her unpaid work for Defendant, rendering it more difficult for Plaintiff to obtain compensation for that work. (See Compl. ¶¶ 53, 60-61, 72.) According to Plaintiff, she "suffered at least $5,000 in aggregate losses during a 1-year period." (Compl. ¶ 53.)
Defendant argues these damages do not add up to $5,000. To support this argument, Defendant requests that the Court take judicial notice of Plaintiff's salary and base the damages calculations on that pay rate. (Def.'s Mem. at 7.) Yet, Defendant ignores the damages arising from the deletion of files that Plaintiff may need to seek compensation for her work. More importantly, Defendant's argument presumes that Plaintiff's state salary provides the proper yardstick for measuring her damages, even though Plaintiff held positions in addition to her salaried position. (Compl. ¶¶ 14, 18.) In any case, Defendant may more appropriately raise her arguments regarding the calculation of damages at the summary judgment stage. See Hately v. Watts, 917 F.3d 770, 782 (4th Cir. 2019) (rejecting argument that plaintiff "improperly valued his time spent assessing and rectifying the unauthorized access" because if the damages "are unsubstantiated . . . then these claims are appropriately dismissed at summary judgment — not under Rule 12(b)(6)").
Plaintiff alleges that she suffered at least $5,000 in losses and alleges sufficient detail to render this figure plausible on its face. Accordingly, drawing all inferences in her favor, as the Court must at this stage, Plaintiff has alleged a cause of action under Subclause (I) of the CFAA. To be sure, Plaintiff will need to develop proof of the time that she spent responding to the alleged violation and that that time amounted to $5,000 in losses to survive a motion for summary judgment, but she need not clear that bar at this stage.
ii. Plaintiff Has Not Pled Sufficient Facts Under Subclause (II).
Although Plaintiff has alleged sufficient facts under Subclause (I), she has not alleged sufficient facts to bring a claim under Subclause (II). Plaintiff bases her claims under Subclause (II) on the allegation that Defendant's alleged violation caused her emotional distress which required her to seek counseling and therapy.
Subclause (II) requires a plaintiff to plead facts sufficient to support an inference that the defendant's alleged violation of the CFAA caused "the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of [one] or more individuals." 18 U.S.C. § 1030(c)(4)(A)(i)(II). Unlike Subclause (I), Subclause (II) does not contain a $5,000 threshold, nor does § 1030(g) limit the recoverable damages to only economic damages. However, a plaintiff must still allege that a violation caused the modification or impairment of an individual's medical examination, diagnosis, treatment or care. Plaintiff has not done so, because the Court does not read Subclause (II) as allowing for recovery any time a violation of the CFAA results in a medical condition leading to treatment.
The CFAA does not define the terms in Subclause (II) and a search of relevant caselaw yields few results, but those cases directly addressing Subclause (II) have interpreted the Subclause by the plain meaning of its terms. See, e.g., Hancock, 882 F.3d at 64 (recognizing that, with better facts, the plaintiffs could have stated a cause of action under Subclause (II) on the theory that the defendant's ability to access their medical records would impair the plaintiffs' inclination to seek medical care). Black's Law Dictionary defines "modification" as "[a] change to something; an alteration or amendment" and "impairment" as "[t]he quality, state, or condition of being damaged, weakened or diminished." (11th ed. 2019). The statute defines the "something" that a violation changes, alters or amends or damages, weakens or diminishes not as the plaintiff's general medical condition, but rather as the examination, treatment, diagnosis, or care of the plaintiff. Thus, to recover under Subclause (II), a defendant's alleged violation must modify or impair an individual's medical treatment as it already exists, not merely cause the plaintiff mental pain and suffering that requires additional care. Indeed, Subclause (III) allows for recovery for a violation that results in a physical injury. 18 U.S.C. § 1030(c)(4)(A)(i)(III). A broad reading of Subclause (II) to allow for recovery for new medical conditions resulting from a violation would render Subclause (III) superfluous, which the Court must avoid. See Francis v. Booz, Alien & Hamilton, Inc., 452 F.3d 299, 304 (4th Cir. 2006) ("We are loath to read one statutory provision so as to render another provision of the same statute superfluous." (quotations omitted).)
Plaintiff expressly states that she does not seek to recover under Subclause (III). (Pl.'s Mem. at 4 n.1.)
In sum, Subclause (II) targets violations that have an effect on a plaintiff's existing medical care or treatment. See Boane v. Boane, 2012 WL 4344090, at *8 (W.D. Tenn. July 3, 2012) (interpreting Subclause (II) as requiring allegations that the alleged violation of the CFAA "resulted in . . . actual or potential modification or impairment of [the] plaintiff's medical care or treatment"), report and recommendation rejected in part on other grounds, 2012 WL 4340838 (W.D. Tenn. Sept. 21, 2012). Plaintiff bases her Subclause (II) claim on medical conditions allegedly created or exacerbated by Defendant's violation; she does not allege that Defendant's alleged violations of the CFAA caused a change in or impaired her existing medical treatment. (Pl.'s Resp. at 5-6.) Therefore, Plaintiff has failed to allege facts sufficient to bring a claim under Subclause (II).
However, regardless of whether Plaintiff can bring a claim under Subclause (II), Plaintiff's allegations that her losses meet or exceed $5,000 under Subclause (I) suffice to sustain a cause of action under the CFAA at this stage. Accordingly, the Court denies Defendant's Motion as to Count II.
Because Plaintiff has alleged sufficient facts to meet the $5,000 threshold under the CFAA, the Court need not address Plaintiff's right to recover her other alleged damages, including medical costs, until after the parties have engaged in discovery.
C. The Parties Agree that Defendant's Alleged Access or Attempted Access to Plaintiff's Facebook and Wells Fargo Accounts Do Not Form the Basis of Plaintiff's Claims in Counts III and IV, Rendering Moot Defendant's Motion as to Those Counts.
In Count III, Plaintiff alleges that Defendant violated Virginia Code § 18.2-152.3 by: using Plaintiff's password without authorization to access Plaintiff's Google accounts under false pretenses; obtaining Plaintiff's property, including her e-mails and files; and, deleting some of Plaintiff's e-mails and files. (Compl. ¶¶ 79-82.) Relatedly, in Count IV, Plaintiff seeks relief under § 18.2-152.4 of the VCCA, which prohibits the removal, copying or disablement of data from a computer or computer network. (Compl. ¶¶ 86-90.)
Defendant argues for dismissal of Counts III and IV as to her alleged access to Plaintiff's Facebook account and attempted access to Plaintiff's Wells Fargo account. (Def.'s Mem. at 9-11.) Plaintiff responds that Counts III and IV do not relate to Defendant's alleged access to her Facebook account or attempted access to her Wells Fargo account, mooting Defendant's Motion as to both Counts. (Pl.'s Resp. at 7, 11.) Because the parties agree that Defendant's alleged access or attempted access to Plaintiff's Facebook and Wells Fargo accounts do not form the basis of Plaintiff's claims in Counts III and IV, the Court denies as moot Defendant's Motion as to those Counts.
D. Plaintiff Has Stated a Plausible Right to Relief in Count V.
In Count V, Plaintiff alleges that Defendant violated § 18.2-152.5 of the VCCA by using a computer to intentionally examine Plaintiff's financial, employment and identifying information without authorization. (Compl. ¶¶ 91-95.) Defendant moves to dismiss Count V in its entirety, because Plaintiff's assertion that her Facebook and Google accounts contained financial, employment and identifying information proves insufficient to state a claim that Defendant intentionally examined such information in violation of Virginia Code § 18.2-152.5. (Def.'s Mem. at 12.) Defendant argues that Plaintiff fails to plead sufficient facts to show that she intentionally viewed information protected by § 18.2-152.5 and continued to view it after realizing that she should not do so. (Def.'s Mem. at 13.)
Plaintiff responds that her allegations clearly state a plausible claim under the VCCA, because they show that Defendant searched Plaintiff's Google accounts for information related to her work for IHC and Defendant's campaign, which qualify as "employment information" under the Act. (Pl.'s Resp. at 12.) Plaintiff adds that her allegations regarding Defendant's attempted access to her Wells Fargo account supports the plausible inference that Defendant viewed protected financial information in Plaintiff's Google accounts, because Defendant would have obtained the information on Plaintiff's Wells Fargo account from her search of Plaintiff's Google accounts. (Pl.'s Resp. at 13.) And Plaintiff argues that her allegations regarding the extent of Defendant's access to her accounts, including the deletion of files and e-mails in those accounts, proves sufficient at this stage to support a plausible inference that Defendant intentionally examined protected information. (Pl.'s Resp. at 13.)
Virginia Code § 18.2-152.5 prohibits the use of a computer or computer network to intentionally and without authorization examine "any employment, salary, credit or any other financial or identifying information . . . relating to any other person." Pursuant to § 18.2-186.3, "identifying information" includes, but is not limited to, a person's:
(i) name; (ii) date of birth; (iii) social security number; (iv) driver's license number; (v) bank account numbers; (vi) credit or debit card numbers; (vii) personal identification numbers (PIN); (viii) electronic identification codes; (ix) automated or electronic signatures; (x) biometric data; (xi) fingerprints; (xii) passwords; or (xiii) any other numbers or information that can be used to access a
person's financial resources, obtain identification, act as identification, or obtain money, credit, loans, goods, or services.To "examine" protected information, a defendant must "review the information relating to any other person after the time at which the offender knows or should know that he is without authority to view the information displayed." Va. Code Ann. § 18.2-152.5(A)(2019). "While [the VCCA] is a criminal statute, Virginia Code section 18.2-152.12 grants civil recourse to a party aggrieved under section 18.2-152.5." S.R. v. Inova Healthcare Servs., 49 Va. Cir. 119, 128 (1999). In Virginia, a cause of action for computer invasion of privacy "consists of the following four elements: (1) the use of a computer or computer network by the offender; (2) with the intent to examine another's records; (3) in an unauthorized context when the offender knew or should have known that [s]he was without authority to examine the records; and, (4) the records so examined contain employment, financial or personal information of the pleader." Id.
The Court finds that Plaintiff has alleged sufficient facts to support the plausible inference that Defendant used a computer to access Plaintiff's Facebook and Google accounts. Plaintiff alleges that the device that logged in to her Facebook and Google accounts had the same IP address as the device from which Defendant sent personal e-mails, directly supporting the inference that Defendant used her computer to log in to Plaintiff's accounts. (Compl. ¶¶ 27, 35, 38-39.) Plaintiff also alleges sufficient facts to support the plausible inference that Defendant accessed Plaintiff's Facebook and Google accounts when she knew or should have known that she did not have authority to do so. Indeed, the initial logins to Plaintiff's Facebook and Google accounts occurred while Plaintiff remained hospitalized and could not have provided any authorization. (Compl. ¶¶ 19, 21, 33-35.) Plaintiff also alleges that her Google accounts were personal, supporting the inference that Defendant — Plaintiff's boss — did not have a blanket authorization to access those accounts. (Compl. ¶ 23.)
Thus, the remaining question becomes whether Plaintiff has sufficiently alleged that Defendant possessed the intent to examine Plaintiff's records and in fact examined protected information. Defendant argues that Plaintiff fails to plead that she intended to specifically view protected information when accessing Plaintiff's accounts, requiring dismissal. (Def.'s Mem. at 12.) Yet, Plaintiff alleges a series of intentional actions taken by Defendant with respect to the email account, including multiple searches, moving e-mails and files, and deleting e-mails and files. (Compl. ¶¶ 41-42.) These actions give rise to the inference that Defendant intentionally viewed the information.
Likewise, Plaintiff alleges that her accounts contained employment, personal, and financial information, including information about her debts, efforts to pay down her debts, and income, as well as username and password information for other accounts. (Compl. ¶ 94.) Thus, Plaintiff has plausibly alleged the protected nature of the information viewed by Defendant. Moreover, considering the nature of personal e-mail and Facebook accounts, Defendant's clear lack of authority to access those accounts, Plaintiff's allegations that her accounts contained employment, financial and identifying information, Plaintiff's allegations regarding the extent of Defendant's activity at least within her Google accounts, the allegations supporting Defendant's attempted access to Plaintiff's Wells Fargo account, and the broad scope of the information protected by § 18.2-152.5, at this early stage in the proceedings, the Court finds that Plaintiff has sufficiently alleged a cause of action for computer invasion of privacy. (Compl. ¶¶ 42, 94.) Accordingly, the Court denies Defendant's Motion as to Count V.
E. Plaintiff Has Stated a Plausible Claim in Count VI.
In Count VI, Plaintiff raises a claim for unjust enrichment under Virginia common law, alleging that she provided benefits to Defendant by: (1) performing unpaid or underpaid work for IHC and Defendant's campaigns; (2) paying to store yard signs from Defendant's campaign for delegate for over a year without reimbursement; (3) paying for materials and supplies for Defendant's campaign without reimbursement; and, (4) performing personal tasks for Defendant. (Compl. ¶¶ 98-102.) Defendant moves to dismiss Count VI or, in the alternative, requests a more definite statement, arguing that Plaintiff fails to plead sufficient facts to support the damages claimed under that Count. (Def.'s Mem. at 13-14.) Plaintiff responds that she has sufficiently pled facts to support the damages claimed in Count VI. (Pl.'s Resp. at 14.)
In Virginia, to recover for unjust enrichment, a plaintiff must demonstrate that: "(1) [she] conferred a benefit on [the defendant]; (2) [the defendant] knew of the benefit and should reasonably have expected to repay [the plaintiff]; and (3) [the defendant] accepted or retained the benefit without paying for its value." Schmidt v. Household Fin. Corp., II, 661 S.E.2d 834, 838 (Va. 2008). The Court finds that Plaintiff has stated a plausible claim for relief under these elements.
For one, Plaintiff has alleged the exact nature of the benefits she allegedly conferred on Defendant. (Compl. ¶¶ 99-102.) Plaintiff also alleges sufficient facts to support the plausible inference that Defendant knew of the benefits conferred by Plaintiff and should have expected to repay Plaintiff for those benefits. Indeed, Plaintiff alleges that Defendant personally asked her to provide many of the benefits listed, (Compl. ¶¶ 98-102), and several of the alleged benefits conferred by Plaintiff, including the work for IHC and Defendant's campaigns, plausibly fell beyond the scope of Plaintiff's duties as Defendant's legislative aide and campaign manager, (Compl. ¶¶ 98-102). Moreover, Plaintiff's allegations that Defendant failed to pay or underpaid her for her services satisfies the third element. (Compl. ¶¶ 98-102.)
As for Defendant's contention that Plaintiff's allegations cannot support the $100,000 in damages claimed in Count VI, the Court finds that Plaintiff has met her burden at this stage in the proceedings. Courts considering unjust enrichment claims pursuant to Rule 12(b)(6) motions have generally required only sufficient allegations for the court to infer that the plaintiff provided a benefit that enriched the defendant; courts have not required facts claiming specific damages with a reasonable degree of certainty. See, e.g., Riley v. Barringer, 337 F. Supp. 3d 647, 655 (W.D. Va. 2018) (dismissing unjust enrichment counterclaim, because the counterclaimant failed to "state facts suggesting that [he] conferred any services or benefits on [the counterdefendant]"). Indeed, "[a]t the motion to dismiss stage, [a claim that a defendant's conduct resulted in damages] is adequate to establish a plausible right to relief." Henry v. Synchrony Bank, 2016 WL 6871269, at *2 (S.D. W. Va. Nov. 21, 2016); see also Three Rivers Landing of Gulfport, LP v. Three Rivers Landing, LLC, 2012 WL 1598130, at *6 (W.D. Va. May 4, 2012) ("[T]he motion to dismiss stage is not the appropriate phase of litigation to challenge [a p]laintiff's damages calculation."). Because Plaintiff's allegations have put Defendant on sufficient notice as to the benefits that Plaintiff allegedly conferred such that Defendant may now prepare a defense to those claims, Plaintiff has satisfied the pleading requirements of Rule 8. Whether Plaintiff may recover for the benefits that she allegedly conferred and the exact amount of that recovery are best determined through discovery, summary judgment and trial. Accordingly, the Court denies Defendant's Motion as to Count VI.
Defendant also moves pursuant to Rule 12(e) for a more definite statement in support of Plaintiff's damages claim in Count VI. Notably, "Rule 12(e) must be read in connection with Rule 8, which sets minimum pleading requirements," and a plaintiff who satisfies Rule 8 generally will not be required to provide a more definite statement. Hodgson v. Va. Baptist Hosp., Inc., 482 F.2d 821, 822 (4th Cir. 1973). Moreover, "courts will generally deny a motion for a more definite statement where the information sought can be obtained in discovery." Hilska v. Jones, 217 F.R.D. 16, 21 (D.D.C. 2003). Plaintiff has satisfied the pleading requirements of Rule 8, and Defendant can obtain more information about Plaintiff's damages claim through discovery. Accordingly, the Court denies Defendant's motion for a more definite statement.
IV. CONCLUSION
For the reasons set forth above, the Court DENIES Defendant's Motion (ECF No. 9). An appropriate Order shall issue.
Let the Clerk file a copy of this Memorandum Opinion electronically and notify all counsel of record.
/s/_________
David J. Novak
United States District Judge Richmond, Virginia
Date: November 12, 2019