Opinion
Civil No. 05-5179.
March 28, 2006
ORDER
Now on this 28th day of March, 2006, comes on for consideration defendant's Motion To Dismiss (document #6), and from said motion, and the response thereto, the Court finds and orders as follows:
1. Plaintiff Nilfisk-Advance, Inc. ("Nilfisk") brings this suit under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the "CFAA" or the "Act"). The gravamen of the Complaint is that defendant Kevin Mitchell ("Mitchell"), an engineer developing certain new products for Nilfisk, transmitted confidential information and trade secrets from his work computer to his home computer, with the intent of conveying that information to Nilfisk's competitors. State law claims for violation of the Arkansas Trade Secrets Act and breach of contract are appended to the federal claim.
2. Mitchell moves the Court to dismiss the federal claim for failure to state a claim, pursuant to F.R.C.P. 12(b)(6), and to dismiss the state law claims over which it has supplemental jurisdiction pursuant to 28 U.S.C. § 1367. Nilfisk objects to such dismissal.
3. It is well settled that a complaint should not be dismissed under Rule 12(b)(6) unless — viewing the complaint in the light most favorable to the plaintiff — it appears beyond doubt that he can prove no set of facts in support of his claim that would entitle him to relief. Krentz v. Robertson Fire Protection District , 228 F.3d 897 (8th Cir. 2000).
Mitchell contends that he meets this high standard, in that the factual allegations of the Complaint would not, even if proven, establish a violation of the CFAA.
4. The Complaint specifically alleges that Mitchell violated 18 U.S.C. § 1030(a)(5)(B)(i), but in its briefing, Nilfisk asserts that the factual allegations are sufficient to also put Mitchell on notice of a claim under 18 U.S.C. § 1030(a)(4). The Court agrees with this proposition, and has so addressed the issues.
5. While the CFAA is basically a criminal statute, it provides a civil remedy, in the form of a suit for recovery of economic damages and injunctive relief, against a person who causes certain kinds of loss. 18 U.S.C. § 1030(g).
The prohibited conduct alleged by Nilfisk falls into the following categories established by the Act:
* that Mitchell knowingly, and with intent to defraud, accessed a protected computer either without authorization, or in excess of authorization, and thereby obtained something of value other than the use of the computer itself (the § 1030(a)(4) claim);
* that Mitchell knowingly caused the transmission of a program, information, code, or command, and as a result, intentionally caused damage, without authorization, to a protected computer;
* that Mitchell intentionally accessed a protected computer without authorization, and as a result of such conduct, recklessly caused damage; or
* that Mitchell intentionally accessed a protected computer without authorization, and as a result caused damage.
The Act defines "protected computer" to include a computer which is used in interstate or foreign commerce or communication. 18 U.S.C. § 1030(e)(2). It defines the term "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6).
6. The factual allegations of the Complaint, as they go to Nilfisk's claim under the CFAA, may be briefly summarized as follows:
* Mitchell worked for Nilfisk as a Project Engineer, in which position he had access to proprietary and confidential technical data, design drawings, pictures, and other information regarding an orbital scrubber under development at Nilfisk. He was under a duty not to disclose such information to anyone outside Nilfisk's organization without Nilfisk's express authorization.
* On or about May 9, 2005, Mitchell submitted a letter to Nilfisk's Human Resources Manager, indicating dissatisfaction with a performance review and an intent to leave his employment as soon as he found other work.
* On his work computer's hard drive, Mitchell had a number of zip files pertaining to the orbital scrubber and to another research project then under development, known as the Encore 17 project. Zip files are files in a compressed format primarily used to facilitate the transmission of large quantities of data by e-mail or by downloading to a portable storage device. The data in zip files is not directly accessible.
* On May 10, 2005, Mitchell e-mailed to his personal e-mail address numerous electronic documents and files containing confidential information and trade secrets relating to the orbital scrubber.
* On May 16, 2005, Mitchell was terminated.
* Following his termination, Mitchell was unwilling to allow Nilfisk to conduct an unlimited inspection of his personal computer to ascertain whether it contained any of Nilfisk's confidential information.
* Nilfisk's computers are used to communicate with plaintiff's offices, customers, and suppliers in other states and countries, thus meeting the definition in the CFAA for "protected computers."
7. Mitchell contends that these allegations, even if proven, would not constitute a violation of the CFAA because, at all times when he accessed Nilfisk's protected computers, he was employed by Nilfisk and had authorization for such access.
Nilfisk does not, however, allege that Mitchell had no authority to access his computer at work, or that the data he obtained went beyond what he was authorized to obtain. Instead, it takes the position that Mitchell exceeded any authorization he had when he e-mailed the files to his personal computer with the alleged purpose of misappropriating the information contained in them. Nilfisk points to its allegation that the zip files were not in a form used by Mitchell at work, and that the transmission occurred after Mitchell had decided to resign, as allegations that Mitchell's access exceeded such authorization as he had for use of the data.
8. Taking the allegations of the Complaint as true, and giving them the inferences favorable to Nilfisk, the Court believes Nilfisk has stated a claim under the CFAA. In Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc. , 119 F.Supp.2d 1121 (W.D. Wash. 2000), the plaintiff was held to have stated a CFAA claim on the allegation that an employee with authorization to access files exceeded his authority when he accessed the files for the purpose of sending information to his employer's competitor. In Personalized Brokerage Services, LLC, v. Lucius , 2006 WL 208781 (D.Minn. 2006), the plaintiff was held to have stated a CFAA claim on the allegation that an employee used his company computer to set up competing companies, e-mail competitors, distribute employer's proprietary information to software developers, and negotiate contracts to sell products to employer's competitors. The allegations here are of the same nature.
IT IS THEREFORE ORDERED that defendant's Motion To Dismiss (document #6) is denied.
IT IS SO ORDERED.