Opinion
Civil Action 1:21-cv-822 RDA/IDD
12-27-2022
MICROSOFT CORPORATION, a Washington corporation, Plaintiff, v. JOHN DOES 1-2, Controlling a Computer Network and Thereby Injuring Plaintiff and Its Customers, Defendants.
REPORT AND RECOMMENDATION
IVAN D. DAVIS, UNITED STATES MAGISTRATE JUDGE
This matter is before the Court on Plaintiff Microsoft Corporation's (“Microsoft” or “Plaintiff”) Motion for Default Judgment against Defendants, John Does 1-2 (collectively “Defendants”). Pl.'s Mot. for Default J., Dkt. No. 36. After the Defendants failed to file an answer, plead, or otherwise defend this action, the undersigned Magistrate Judge took this matter under advisement to issue this Report and Recommendation. Upon consideration of the Complaint, Plaintiff's Motion for Default Judgment, the supporting memorandum, and relevant portions of the underlying record, the undersigned Magistrate Judge makes the following findings and recommends that Plaintiff's Motion be GRANTED as to Count I and DISMISSED without prejudice as to the remaining counts.
I. INTRODUCTION
Plaintiff filed its Complaint against Defendants on July 13, 2021. Dkt. No. 1. Plaintiff brought claims for: (1) violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030; (2) violation of the Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq.; (3) violation of the Virginia Computer Crimes Act (Virginia Code Ann. § 18.2-152.1); (4) common law trespass to chattels; (5) and conversion. Compl. ¶ 1. Specifically, Plaintiff filed the lawsuit seeking “injunctive and other equitable relief and damages” against Defendants, to prevent Defendants from engaging in these alleged violations of law and causing Plaintiff further injury. Id.
A. Jurisdiction and Venue
For a court to render default judgment against a party, it must have subject matter jurisdiction, personal jurisdiction, and be the appropriate venue for the action.
This Court has subject matter jurisdiction over this action pursuant to 28 U.S.C. § 1331, because this case involves federal questions arising under the CFAA (18 U.S.C. § 1030) and the SCA (18 U.S.C. § 2701 et seq.). Further, federal courts may exercise supplemental jurisdiction over state claims that are so closely related to the original claim that said claims arise out of the “same case or controversy,” subject to exceptions that are inapplicable in this case. 28 U.S.C. § 1367(a). Here, in addition to the allegations of violations of the CFAA and SCA, Plaintiff brought state-law claims under the Virginia Computer Crimes Act (Virginia Code Ann. § 18.2-152.5:1) and for common law trespass to chattels and conversion. The undersigned finds that these statelaw claims arise from the same set of facts giving rise to Plaintiff's claims under the CFAA and SCA, and therefore arise out of the same case or controversy. As a result, this Court may properly exercise supplemental jurisdiction over the state-law claims. Accordingly, this Court has subjectmatter jurisdiction over all of Plaintiff's claims.
The Court must also be satisfied that it has personal jurisdiction over Defendants. For this Court to exercise personal jurisdiction, two requirements must be satisfied. First, Virginia's long- arm statute must authorize the exercise of jurisdiction. CFA Inst. v. Inst. of Chartered Fin. Analysts of India, 551 F.3d 285, 292 (4th Cir. 2009). Second, if that authorization exists, then the Due Process Clause of the Fourteenth Amendment requires that the defaulting defendants have sufficient minimum contacts with the forum state. Christian Sci. Bd. Of Dirs. of the First Church of Christ, Scientist v. Nolan, 259 F.3d 209, 205 (4th Cir. 2001). Particularly, the defendants' conduct must have such a connection with Virginia that it is fair for the defendants to be required to defend themselves in a court in the Commonwealth of Virginia. Helicopteros Nacionales de Colombia S.A. v. Hall, 466 U.S. 408, 414-15, 104 S.Ct. 1868, 80 L.Ed.2d 404 (1984).
In the online context, a state may exercise jurisdiction over a defendant when the defendant (1) directs electronic activity into the State; (2) with the manifest intent of engaging in business or other activities within the State; and (3) that activity gives rise to the plaintiff's claims. See ALS Scan, Inc., v. Digital Serv. Consultants, Inc., 293 F.3d 707, 714 (4th Cir. 2002). Regarding the Court's ability to exercise personal jurisdiction in a case involving the use of the internet, the Fourth Circuit has adopted the framework set forth in Zippo Manufacturing Co. v. Zippo Dot Com, Inc., 952 F.Supp. 1119 (W.D. Pa. 1997); see also ALS Scan, Inc., 293 F.3d at 707. Under Zippo, the exercise of personal jurisdiction is directly proportionate to the nature and quality of commercial activity that a defendant-entity conducts over the internet. Zippo, 952 F.Supp. at 1124.
Here, Plaintiff's Complaint alleges that Defendants' conduct justifies this Court's exercise of personal jurisdiction because Defendants directed electronic activity into the state of Virginia through domain names registered in the Eastern District of Virginia for the purpose of targeting Microsoft customers and their network. Compl. ¶13. Furthermore, these alleged actions form the basis of the claims in Plaintiff's Complaint. Accordingly, the undersigned finds this Court has personal jurisdiction over Defendants.
Venue is proper in “a judicial district in which any defendant resides, if all defendants are residents of the State in which the district is located” and in a judicial district where “a substantial part of the events or omissions giving rise to the claim occurred.” 28 U.S.C. §§ 1391(b)(1)-(2). Venue is also proper where a defendant “is subject to the court's personal jurisdiction with respect to such action.” 28 U.S.C. § 1391(b)(3). Here, a substantial part of the events giving rise to this lawsuit occurred in this District. Compl. ¶12. Furthermore, as discussed above, Defendants are subject to the Court's personal jurisdiction. Therefore, the undersigned finds that venue is proper in this district under 28 U.S.C. § 1391(b).
B. Service of Process
The Court must also be satisfied that the defaulting party has been properly served. Pursuant to Federal Rule of Civil Procedure 4(f)(3), a plaintiff may serve an individual who does not reside within a judicial district of the United States “by other means not prohibited by international agreement, as the court orders.” FED. R. CIV. P. 4(f)3). Here, Defendants' identities are unknown, and the Court previously ordered that Plaintiff could serve the Defendants ‘by any means authorized by law, including... publishing notice on a publicly available Internet website.” Dkt. 18 at p. 8, Dkt. 27 at p. 10-11. Plaintiff served Defendants by publication on the publicly available website, www.noticeofpleadings.com/maliciousdomains, on July 19, 2021. Ramsey Decl. ¶ 6. Therefore, the undersigned finds that service of process is proper in this action.
C. Grounds for Default Judgement
Plaintiff filed its Complaint on July 13, 2021. Dkt. No. 1. In accordance with the Court's July 16, 2021 Order authorizing service by Internet publication, Plaintiff served Defendants on July 19, 2021. Dkt. No. 33. Plaintiff then filed a Request for Clerk's Entry of Default on February 23, 2022, and the Clerk of the Court entered default on February 24, 2022. Dkt. Nos. 32, 35. On March 9, 2022, Plaintiff filed its Motion for Default Judgment and accompanying memorandum in support of its motion. Dkt. Nos. 36-37. Upon this matter's referral, a hearing was held before the undersigned on April 15, 2022. Dkt. No. 44. Because of Defendants' failure to appear at the hearing or otherwise defend this action, the undersigned Magistrate Judge took this matter under advisement to issue this Report and Recommendation. Id.
II. EVALUATION OF PLAINTIFF'S COMPLAINT
Rule 55 of the Federal Rules of Civil Procedure provides for the entry of default judgment when “a party against whom a judgment for affirmative relief is sought has failed to plead or otherwise defend.” A defendant in default concedes the factual allegations of the complaint. See, e.g., DIRECTV, Inc. v. Rawlins, 523 F.3d 318, 322 n.2 (4th Cir. 2008); Partington v. Am. Int'l Specialty Lines Ins. Co., 443 F.3d 334, 341 (4th Cir. 2006); Ryan v. Homecomings Fin. Network, 253 F.3d 778, 780 (4th Cir. 2001). Default does not, however, constitute an admission of the adversary's conclusions of law and is not to be “treated as an absolute confession by the defendant of his liability and of the plaintiff's right to recover.” Ryan, 253 F.3d at 780 (quoting Nishimatsu Constr. Co., Ltd. v. Hous. Nat'l Bank, 515 F.2d 1200, 1206 (5th Cir. 1975)). Instead, the Court must “determine whether the well-pleaded allegations in [the plaintiff's] complaint support the relief sought in [the] action.” Id.
Thus, in issuing this Report and Recommendation, the undersigned Magistrate Judge must evaluate Plaintiff's claims against the standards of Rule 12(b)(6) of the Federal Rules of Civil Procedure to ensure that the Complaint contains plausible claims upon which relief may be granted. See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (explaining the analysis for examining a plaintiff's claims under a 12(b)(6) motion to dismiss). To meet this standard, a complaint must set forth “sufficient factual matter, accepted as true, to state a claim for relief that is plausible on its face.” Id. (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)). In determining whether allegations are plausible, the reviewing court may draw on context, judicial experience, and common sense. Francis v. Giacomelli, 588 F.3d 186, 193 (4th Cir. 2009) (citing Iqbal, 556 U.S. at 679).
As noted above, Plaintiff brought claims for (1) violation of the CFAA, 18 U.S.C. § 1030; (2) violation of the SCA, 18 U.S.C. § 2701 et seq.; (3) violation of the Virginia Computer Crimes Act (Virginia Code Ann. § 18.2-152.1); (4) common law trespass to chattels; (5) and conversion. As discussed below, Plaintiff requests that the Court grant injunctive relief preventing Defendants from engaging in future similar conduct. For purposes of fashioning appropriate relief, it is therefore only necessary for the Court to analyze Plaintiff's claim under the CFAA.
A. Count One: Violation of the Computer Fraud and Abuse Act
To establish a claim under the Computer Fraud and Abuse Act, a plaintiff must demonstrate that the accused party: (1) intentionally accessed a computer without authorization or exceeded authorized access, 18 U.S.C. § 1030(a)(5)(C); (2) knowingly accessed a protected computer without authorization to further the intended fraud and obtains anything of value, 18 U.S.C. § 1030(a)(2)(C); or (3) intentionally accessed a protected computer without authorization, and as a result, recklessly causes damage and loss, 18 U.S.C. § 1030(a)(5)(A). See also WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 201 (4th Cir. 2012). A “protected computer” is a computer “used in interstate or foreign commerce or communication.” 18 U.S.C. § 1030(e)(2)(B); see also SecureInfo Corp. v. Telos Corp., 387 F.Supp.2d 593, 608 (E.D. Va. 2005). The phrase “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled to obtain or alter.” 18 U.S.C. § 1030(e)(6); see also SecureInfo Corp., 387 F.Supp.2d at 608.
Lastly, to establish a claim under the CFAA, a plaintiff must demonstrate loss or damage of more than $5,000. 18 U.S.C. § 1030(c)(4)(A)(i)(I). The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11)).
The Complaint has sufficiently alleged that Defendants knowingly and intentionally accessed, and continue to access, protected computers without authorization and knowingly caused the transmission of information, code, and commands that resulted in damage to the protected computers, the software, and Plaintiff. Compl. ¶ 67. Using internet domains registered in Reston Virginia, Defendants used credential phishing emails and social engineering to gain unauthorized access to the Microsoft 0365 credentials of Microsoft customers and their networks located in the Eastern District of Virginia. Id. at ¶ 13. With these credentials, Defendants impersonated legitimate domain names to solicit fraudulent financial transactions from Microsoft users. In response, Plaintiff directed their Microsoft 365 Team to investigate the compromised accounts. These investigations cost over $30,000. Keating Decl. ¶ 6. Plaintiff's Digital Crime Unit also expended over $30,000 investigating and remediating Microsoft customer's issues. Id. at ¶ 10. In total Plaintiff spent over $74,600 to investigate, monitor, and restore the compromised Microsoft 365 accounts.
This type of attack is precisely the type of activity that the CFAA is designed to prevent. See, e.g., Global Policy Partners, LLC v. Yessin, 686 F.Supp.2d 631, 635-37 (E.D. Va. 2009) (accessing an email account using credentials that did not belong to defendant was actionable under the CFAA); Physicians Interactive v. Lathian Systems, Inc., 2003 U.S. Dist. LEXIS 122472, at 14 *18-19 (E.D. Va. Dec. 5, 2003) (attacking websites and computer file servers to obtain proprietary information was actionable under the CFAA). Indeed, courts have observed that the CFAA was enacted to target “computer hackers (e.g., electronic trespassers).” State Analysis Inc. v. Am. Fin. Services Assoc., 621 F.Supp.2d 309, 315 (E.D. Va. 2009) (internal citations omitted). In similar cases, this court has arrived at the same conclusion. See, e.g., Microsoft Corp. v. Doe, 2015 U.S. Dist. LEXIS 109729, at *1-4 (E.D. Va. Aug. 17, 2015); Microsoft Corp. v. Doe, 2014 U.S. Dist. LEXIS 46951, at *1-2 (E.D. Va. Apr. 2, 2014). Accordingly, the undersigned recommends a finding that defendants have violated the CFAA.
B. Requested Relief: Permanent Injunction
Plaintiff seeks a default judgment and permanent injunction to prevent Defendants from continuing to use malicious “homoglyph” domains. Mem. in Supp. of Default J. at 1. To obtain a permanent injunction in the Fourth Circuit, a plaintiff must show that: (1) he suffered an irreparable injury; (2) that remedies available at law such as monetary damages are inadequate to compensate for that injury; (3) that, considering the balance of hardships between plaintiff and defendant, a remedy in equity is warranted; and (4) that the public interest would not be disserved by a permanent injunction. Christopher Phelps & Assocs., LLC v. Galloway, 492 F.3d 532, 543 (4th Cir. 2007). Here, the undersigned finds that Plaintiff has satisfied its burden in proving that injunctive relief is appropriate in this matter.
First, the Honorable United States District Judge Rossie D. Alston, Jr., in issuing a temporary restraining order against the Defendants, previously concluded that the harm caused to Plaintiff by the Defendants' operations and activities constituted irreparable harm. Dkt. No. 18 at ¶¶ 3-5. This finding is consistent with several cases within this District that found that fraudulent computer activities cause irreparable harm. See Microsoft Corp. v. Peng Yong et al., Case No. 1:12-cv-1004-GBL (E.D. Va. 2012) (Lee, J.) (injunction to dismantle botnet command and control servers); Microsoft v. Piatti, et al., Case No. 1:11-cv-1017 (E.D. Va. 2011) (Cacheris, J.) (injunction to dismantle botnet command and control servers). In that regard, the undersigned concludes that Plaintiff has suffered irreparable injury.
Second, the undersigned finds that monetary legal remedies are insufficient to address Plaintiff's injury here. Defendants are elusive parties, and therefore, their locations and identities are unknown. Further, since Defendants have failed to appear or respond to this lawsuit, it would be highly unlikely that Plaintiff would be able to enforce a judgment against Defendants. See Khepera-Bey v. Santander Consum. USA, Inc., 2013 U.S. Dist. LEXIS 87641, 13-14 (D. Md. June 21, 2013) (“unsatisfiability of a money judgment can show irreparable harm.”) Accordingly, this factor weighs in favor of awarding Plaintiff injunctive relief.
Third, the balance of the hardships weighs in favor of Plaintiff. On the one hand, Plaintiff has been harmed and continues to be harmed by Defendants' ongoing fraudulent scheme. Alternatively, Defendants would not suffer cognizable hardship because an injunction would require them to cease from engaging in illegal activities. See U.S. Airways, Inc. v. U.S. Airline Pilots Ass'n, 813 F.Supp.2d 710, 736 (W.D. N.C. 2011) (injunction appropriate where, in balance of the equities, denying injunction would result in “enormous disruption and harm” to plaintiff and the public, and granting injunction would only require defendant to comply with existing legal duties.) For these reasons, the undersigned finds that the balance of hardships weigh strongly in favor of Plaintiff.
Lastly, the undersigned finds that awarding injunctive relief is in the best interest of the public. In CFAA cases, the public interest typically weighs in favor of injunction to prevent the furtherance of and profit from false or misleading representations. See Microsoft Corp. v. Doe, 2014 U.S. Dist. LEXIS 48398, 32 (E.D. Va. Jan 6, 2014) (public interest weighed in favor of injunction to enforce CFAA). Absent the requested injunction, the public would be susceptible to Defendants' fraudulent and deceptive activities. Therefore, the undersigned finds a preliminary injunction against Defendants to be appropriate relief.
I. RECOMMENDATION
For the reasons stated above, the undersigned Magistrate Judge recommends entry of default judgment as to Count I in favor of Plaintiff against the Defendants John Does 1-2 for violation of the Computer Fraud and Abuse Act and dismissal, without prejudice, of the remaining counts. The undersigned further recommends that an Order be entered restraining and enjoining Defendants from infringing Plaintiff's trademarks and acting in any manner that suggests in any way that Defendants' activities, products, or services are conducted by or are affiliated with Plaintiff.
II. NOTICE
By means of the Court's electronic filing system and by mailing a copy of this Report and Recommendation to defendants at their address for service of process, the parties are notified as follows. Objections to this Report and Recommendation, pursuant to 28 U.S.C. § 636 and Rule 72(b) of the Federal Rules of Civil Procedure, must be filed within fourteen (14) days of service on you of this Report and Recommendation.
A failure to file timely objections to this Report and Recommendation waives appellate review of the substance of the Report and Recommendation and waives appellate review of a judgment based on this Report and Recommendation.