Summary
recognizing "a split within the Circuit" but allowing CFAA claim to proceed where plaintiff alleged that it paid $5,000 in "investigation and security assessment costs associated with the intrusion" notwithstanding a lack of allegations regarding damage or disruption to the system
Summary of this case from Nejla K. Lane & Lane Legal Servs., P.C. v. Le BrocqOpinion
No. 14 C 7943
2014-12-09
Pascal Pour Elle, Ltd., Plaintiff, v. Eliza Jin, et al., Defendants.
Matthew Bart Schiff, Sugar Felsenthal Grais & Hammer LLP, Leland H. Chait, Sugar & Felsenthal LLP, Chicago, IL, for Plaintiff. Michael H. Moirano, Claire Gorman Kenny, Nisen & Elliott, Edward T. Joyce, Jennifer Lynne Doherty, Kenneth David Flaxman, Edward T. Joyce & Associates P.C., Chicago, IL, for Defendants.
Matthew Bart Schiff, Sugar Felsenthal Grais & Hammer LLP, Leland H. Chait, Sugar & Felsenthal LLP, Chicago, IL, for Plaintiff. Michael H. Moirano, Claire Gorman Kenny, Nisen & Elliott, Edward T. Joyce, Jennifer Lynne Doherty, Kenneth David Flaxman, Edward T. Joyce & Associates P.C., Chicago, IL, for Defendants.
MEMORANDUM OPINION AND ORDER
Honorable THOMAS M. DURKIN, United States District Judge
Plaintiff Pascal Pour Elle (“Plaintiff”) brings this action by way of an amended complaint against Eliza Jin (“Jin”), Paul Rehder (“Rehder”), Paul Rehder Salon, Inc. (“PRS”), Kelly Oldham, Jenna Kutska, Rachel Lagerhausen, Marissa Castillon, Priscilla Schiaffino, and Kristin Hallahan (collectively, “Defendants”). R. 22. Plaintiff's amended complaint contains numerous counts against the many Defendants. However, for purposes of this motion, the only relevant counts are I and II, which allege violations of § 2701 of the Stored Communications Act (“SCA”) and the Computer Fraud and Abuse Act (“CFAA”), respectively, against Jin. R. 22. These counts form the basis for federal jurisdiction. The Defendants have filed a motion to dismiss the amended complaint contending that Plaintiff has not adequately pled violations of the SCA and the CFAA, and that the Court should decline to exercise supplemental jurisdiction over the remaining state law claims.
R. 28. Specifically, Defendants assert that Plaintiff's SCA cause of action should be dismissed for two reasons: 1) Plaintiff has not adequately pled that Rosy Salon, a cloud-based
Defendants incorrectly assert that their motion is filed pursuant to Rule 12(b)(1). However, Defendants' motion attacks the sufficiency of the pleadings with regard to the federal causes of action. As such, Defendants' motion will be analyzed pursuant to Rule 12(b)(6). Furthermore, because the Court denies Defendants' motion to dismiss pursuant to 12(b)(6), the Court accordingly denies Defendants' 12(b)(1) motion to dismiss for lack of subject matter jurisdiction.
salon management software program, is an electronic communication service provider such that its servers are “facilit [ies] through which [that] service is provided”; and 2) Plaintiff has not adequately pled that the data at issue was in electronic storage when it was accessed. Defendants further contend that Plaintiff's CFAA cause of action should be dismissed because Plaintiff has not adequately pled loss as defined by the CFAA. For the following reasons, the Defendants' motion to dismiss is granted in part and denied in part.
“Cloud-based” means that the services are provided online through the internet. See http://www.merriam-webster.com/dictionary/cloud.
BACKGROUND
For the purposes of this motion pursuant to Federal Rule of Civil Procedure 12(b)(6), the following facts are taken from Plaintiff's Amended Complaint, R. 22, and are taken as true, with reasonable inferences construed in Plaintiff's favor. See Mann v. Vogel, 707 F.3d 872, 877 (7th Cir.2013). The facts are limited to those relevant to the pending motion.
Plaintiff, a hair salon with multiple locations in the northern suburbs of Chicago, Illinois, has been owned and operated by Pascal Ibgui (“Pascal”) for over thirty years. R. 22, at 2. Jin worked for Plaintiff for approximately fifteen years as Salon Director. Id. As Salon Director, Jin was responsible for overseeing the day-to-day operations of the salon. Id. In doing so, Jin was given access to Plaintiff's proprietary information, as well as various computer programs utilized by Plaintiff in the running of the salon, including a management program called Spa Salon. Id. Plaintiff provided Jin with login credentials for Plaintiff's Spa Salon account, as well as the other computer programs utilized by Plaintiff in the management of the salon. R. 22 ¶ 21. In late 2013, Plaintiff considered transitioning its salon management system from Spa Salon to Rosy Salon, the salon management program at issue. R. 22 ¶¶ 28–29. As a result, Plaintiff inputted some of its data into the Rosy Salon program at that time. Id.
On February 13, 2014, Jin sent Pascal a text message asking that he fire her. R. 22 ¶ 22. Pascal complied and fired Jin. Id. Pascal then deactivated Jin's computer passwords for its salon management computer programs. Id. Sometime thereafter, Jin began working with Defendants Rehder and PRS. Defendant PRS opened for business on September 2, 2014, and is located a short distance from two of Plaintiff's salon locations. R. 22 ¶ 24.
In early September 2014, Plaintiff discovered that Jin had remotely accessed Plaintiff's data stored on the Rosy Salon software servers subsequent to her employment ending with Plaintiff. R. 22 ¶ 26. Jin initially tried to access Plaintiff's data on the Spa Salon software. R. 22 ¶ 27. However, Jin's password had been deactivated, so she was unable to access Spa Salon. Id. Jin then attempted to log on to Plaintiff's account on Rosy Salon, which Plaintiff had transitioned to at that point, and was successful in doing so. R. 22 ¶¶ 27–30. Jin gained access to Plaintiff's client's contact information, client's hair service information including types of services, cost and frequency, as well as deals Plaintiff had offered to its clients. R. 22 ¶¶ 32–33. Jin then used this information to solicit Plaintiff's clients and induce them to schedule their next appointments with Defendant PRS. R. 22 ¶ 35.
LEGAL STANDARD
A Rule 12(b)(6) motion challenges the sufficiency of the amended complaint. See, e.g., Hallinan v. Fraternal Order of Police of Chi. Lodge No. 7, 570 F.3d 811, 820 (7th Cir.2009). A complaint must provide “a short and plain statement of the claim showing that the pleader is entitled to relief,” Fed. R. Civ. P. 8(a)(2), sufficient to provide defendant with “fair notice” of the claim and the basis for it. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). This “standard demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). While “detailed factual allegations” are not required, “labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555, 127 S.Ct. 1955. The complaint must “contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ ” Ashcroft, 556 U.S. at 678, 129 S.Ct. 1937 (quoting Twombly, 550 U.S. at 570, 127 S.Ct. 1955). “A claim has facial plausibility when the plaintiff pleads factual content that allows courts to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Mann v. Vogel, 707 F.3d 872, 877 (7th Cir.2013) (quoting Iqbal, 556 U.S. at 678, 129 S.Ct. 1937) (internal quotation marks omitted). In applying this standard, the Court accepts all well-pleaded facts as true and draws all reasonable inferences in favor of the non-moving party. Mann, 707 F.3d at 877.
ANALYSIS
I. Stored Communications Act Claim
“Congress passed the SCA to protect privacy interests in personal and proprietary information.” Int'l Brotherhood of Elec. Workers, Local 134 v. Cunningham, No. 12 C 7487, 2013 WL 1828932, at *3 (N.D.Ill. April 29, 2013) (citing Bloomington–Normal Seating Co. v. Albritton, No. 09–1073, 2009 WL 1329123, at *4 (C.D.Ill. May 13, 2009)). The SCA prohibits anyone from “intentionally access[ing] without authorization a facility through which an electronic communication service is provided ... and thereby obtain[ing], alter [ing], or prevent[ing] authorized access to a wire or electronic communication while it is in electronic storage in such system.” 18 U.S.C. § 2701(a). “Electronic communication service” is defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2501(15). “Electronic storage” is defined as “any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” 18 U.S.C. § 2510(17).
Defendants move to dismiss Plaintiff's SCA cause of action on two grounds: (1) that Plaintiff failed to adequately plead that Rosy Salon is an electronic communication service provider such that its servers are facilities through which an electronic communication service is provided; and (2) that Plaintiff failed to plead that the data at issue was in electronic storage when it was allegedly accessed. R. 28.
A. Plaintiff Has Adequately Pled That The Rosy Salon Servers Are Facilities
Plaintiff's opposition contends that Defendants' motion to dismiss asserts that the Rosy Salon software is not a facility through which an electronic communication service is provided. R. 29 at 9. Plaintiff incorrectly characterizes Defendants' argument. Defendants contend that Plaintiff has failed to adequately allege that the Rosy Salon servers are facilities. Plaintiff's opposition also includes a heading which seems to assert that the Rosy Salon software is a facility pursuant to 18 U.S.C. § 2501. However, Plaintiff's amended complaint does not contain any such factual allegations. Accordingly, the Court will only address whether Plaintiff has adequately pled that the Rosy Salon servers, as opposed to the software, are facilities.
Defendants contend that Rosy Salon is not an electronic service provider under the SCA, and therefore, its servers cannot be facilities through which that service is provided. R. 28. Specifically, Defendants argue that courts have generally only found telecommunication companies, internet or e-mail service providers, or bulletin board services to be electronic communication service providers under the SCA. Plaintiff counters that because the Rosy Salon software, which is allegedly run through the Rosy Salon servers, provides its users with the ability to send email and text messages, Rosy Salon is an electronic communication service provider. R. 29. Both parties cite to decisions from this jurisdiction to support their arguments, highlighting the fact that there is currently a split in this jurisdiction regarding what constitutes an electronic communication service provider. For the reasons discussed below, the Court is persuaded that Plaintiff has set forth sufficient factual allegations to support its contention that Rosy Salon is an electronic communication service provider under the SCA.
Defendants rely primarily on In re: Michaels Stores Pin Pad Litigation, 830 F.Supp.2d 518 (N.D.Ill.2011) to support their argument that only telecommunication companies and internet service providers meet the definition of an electronic service provider. In Michaels, the court limited the definition of an electronic communication service provider to those who provide “the underlying service which transports the data, such an internet service provider or a telecommunications company whose cables and phone lines carry internet traffic,” excluding from the definition those that simply provide “a product or service which facilitates the data transport.” Michaels, 830 F.Supp.2d at 524. Therefore, the court ruled that because the plaintiff failed to allege that Michaels provided the internet or phone service through which the pin pad at issue communicated, the plaintiff had failed to allege that Michaels was an electronic communication service provider. Id. Following this logic, Defendants argue that Plaintiff has failed to adequately allege that Rosy Salon is an electronic service communication provider because it has not alleged that Rosy Salon is a provider of phone or internet services. R. 28. Rather, Plaintiff admits that users of Rosy Salon must independently access the internet to access the Rosy Salon software. Id.
Defendants also rely on Shefts v. Petrakis, No. 10 CV 1104, 2013 WL 489610 (C.D.Ill. Feb. 8, 2013), to support their contention that Rosy Salon is not an electronic communication service provider. R. 28 at 7. In doing so, Defendants accurately recite the court's finding that a “facility as defined by consistent caselaw, does not include computers that enable the use of an electronic communication service, but instead are facilities that are operated by electronic communication service providers.” Shefts, 2013 WL 489610, at *4 (citing Garcia v. City of Laredo, Tx., 702 F.3d 788 (5th Cir.2012)) (internal quotation marks omitted). However, Defendants fail to recite the court's conclusion that because the plaintiff's company provided him, along with the company's other employees, with an email service, it was a provider of an electronic communication service. Id. at *5. Other courts within the Circuit have interpreted “electronic communication service provider” similarly. See Devine v. Kapasi, 729 F.Supp.2d 1024, 1028 (N.D.Ill.2010) (finding plaintiff sufficiently alleged the existence of an electronic communication service provider where it alleged that the network at issue “provide[d] authorized users with the ability to transmit and receive electronic communication by on-site or remote access, through password protected accounts—including ... the ability to send and receive e-mail.”); see also Cunningham, 2013 WL 1828932, at *4 (finding plaintiff adequately alleged that it was an electronic communication service provider by alleging that defendant “accessed a database stored on Plaintiff's computer network and servers,” and “unlike a simple hard drive, networks and servers can provide an electronic communication service. For example, the server could run an e-mail client.”).
While not binding, the Court finds persuasive the thorough analysis in the highly factually similar case Kaufman v. Nest Seekers, LLC, No. 05 CV 6782, 2006 WL 2807177 (S.D.N.Y. Sept. 26, 2006). The defendants in Kaufman argued, similarly to this case, that the subject website was “simply a database website that limit[ed] access and afford[ed] subscribers a place to store information on the Website's server.” Id. at *3. In moving for dismissal, the defendant contended that even though the website had an email function for registered users, that function “[was] a process, which [was] provided to Plaintiffs by their ISP, separate from the operation of the website.” Id. at *4. As such, the defendant argued that “[p]laintiffs are not an e-mail service provider, but rather they merely provide access through their website to an e-mail service provider.” Id. (internal quotation marks omitted). The court disagreed. It held that the plaintiff had adequately pled that it was an electronic communication service provider because it alleged “that subscribers have the ability to use the Website's email function.” Id. at *6. The court went on to say that “[a]n on-line business which provides its customers, as part of its commercial offerings, the means by which the customers may engage in private electronic communications with third-parties may constitute a facility through which electronic communication service is provided.” Id. The court acknowledged that after discovery it might become apparent that the subject website did not truly act as an email provider, but to dismiss on the pleadings would have required “speculation about the nature of [the website's] role in electronic communications.” Id.
Ultimately, the Court finds the rationale espoused in Shefts, Devine, Cunningham, and Kaufman more persuasive than the rationale in Michaels. Notably, the operative provision of the SCA at issue in Michaels was § 2702, not § 2701, which is the provision at issue here. Section 2702 prohibits “a person or entity providing an electronic communication service to the public” from “knowingly divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service.” § 2702(a)(2) (emphasis added). The court in Devine expressly declined to impose a “to the public” requirement on § 2701. This Court agrees and declines to impose so narrow a construction of the definition of an electronic communication service provider in this case.
Turning to Plaintiff's Amended Complaint, Plaintiff alleges that “Rosy Salon is a cloud-based management software program, which provides salons the ability to ... communicate with customers by email using Rosy Salon, send email or text reminders about upcoming appointments to both customers and staff.” R. 22 ¶ 29. Further, “[a]ccess to a Rosy Salon account requires a user name and password entered through its online portal.” R. 22 ¶ 30. “The Rosy Salon servers which host the Rosy Salon online program, are facilities through which an electronic communication service is provided, as defined by the SCA, because the servers are connected to the internet and run programs which provide the ability to send or receive wire or electronic communications, including ... email.” R. 22 ¶ 69.
Taking Plaintiff's allegations as true, as is required under Rule 12(b)(6), the Court finds that Plaintiff has adequately alleged that Rosy Salon is an electronic communication service provider, and that its servers are facilities through which that service is provided. The Court questions whether Plaintiff will ultimately be able to establish that the Rosy Salon website truly acts as an email or text message provider as intended by the SCA. However, that is a question more appropriately left for summary judgment or trial. At this stage, it is sufficient that Plaintiff has alleged that the Rosy Salon website restricts its access to registered users and provides its users with an email and text messaging function. The fact that users must independently connect to the internet to access the site and its offered functions is not fatal to Plaintiff's complaint.
B. The Data At Issue Is Adequately Alleged To Have Been In Electronic Storage
As previously discussed, the SCA requires that the data at issue be in “electronic storage” when it is accessed. 18 U.S.C. § 2701(a). This means that the data must be stored in the facility either temporarily, incidental to transmission, or as backup protection by the electronic communication service provider. 18 U.S.C. § 2510(17). Defendants contend that Plaintiff has not adequately pled that the data, when accessed, was in electronic storage as defined by the SCA because it has not alleged that the data was being stored temporarily, incidental to its transmission, or that it was stored as backup by Rosy Salon. R. 28.
Federal Rule of Civil Procedure 8(a)(2) requires only that a complaint contain a short and plain statement of the claims demonstrating that the pleader is entitled to relief. The Court notes that there is not an abundance of precedent substantively analyzing the adequacy of pleading that data was in electronic storage for purposes of the SCA. However, the courts that have addressed the issue, albeit obliquely, have sustained claims containing somewhat vague allegations regarding electronic storage. See Devine, 729 F.Supp.2d at 1028 (“[w]here, as here, a plaintiff pleads that it stores electronic communications on its own systems, and that a defendant intentionally and without authorization got hold of those stored communications through the plaintiff's electronic facilities, the plaintiff states a claim under § 2701 of the SCA.”); see also Bloomington–Normal Seating Comp., Inc. v. Albritton, No. 09–1073, 2009 WL 1329123, at *4 (C.D.Ill. May 13, 2009) (finding plaintiff adequately pled a violation of the SCA where plaintiff alleged that defendant “accessed [plaintiff's] protected computer and, without authorization, obtained an electronic communication ... while it was in electronic storage”) (internal quotation marks omitted).
Again, the Court finds the thorough analysis contained in Kaufman helpful. In Kaufman, the court explained the distinction between the two types of storage described in 18 U.S.C. § 2510(17). The “temporary, intermediate storage incidental to the electronic transmission is specifically targeted at communications temporarily stored by electronic communication services incident to their transmission—for example, when an email service stores a message until the addressee downloads it.” 2006 WL 2807177, at *6 (citing In re DoubleClick, Inc. Privacy Litig., 154 F.Supp.2d 497, 512 (S.D.N.Y.2001)). The backup storage aspect of “electronic storage,” on the other hand, “pertains to both the backup storage of messages pending delivery, as well as post-transmission storage.” Id. at *7 (citing Theofel v. Farey–Jones, 359 F.3d 1066, 1075–76 (9th Cir.2004)). However, “mere retention of the messages alone will not satisfy the requirements of subdivision (B). It must be established that the purpose for the retention was to serve as a backup protection.” Id.
Like the case presently before the Court, the defendants in Kaufman argued that the plaintiffs failed to adequately allege that the data at issue was in electronic storage when accessed. The defendants contended that the plaintiffs' allegation that the defendants hacked into the website and accessed the subject electronic communications “after they had been stored so that they could be accessed and viewed when accessing the [website] subscriber's account” was insufficient. Id. at *7. Because the plaintiffs had not alleged that the communications were stored temporarily or for backup purposes, they had failed to sufficiently allege that the communications were in storage as defined by the SCA. Id. Again, the Kaufman court disagreed, ruling that the plaintiffs' allegations that the “subscriber's emails are stored and can be accessed and viewed when accessing the [website] subscriber's account” and “that the defendants accessed, without authorization, electronic communications stored on [the website's server],” were sufficient to make out the element of “electronic storage.” Id. The court went on to say that “[t]he intricacies of the Website's operational systems need not be specifically pled.” Id. The plaintiffs' allegations were enough to put the defendants on notice “as to the nature of the claims asserted against them, as well as the grounds upon which they rest,” which is all that Fed. R. Civ. P. 8(a)(2) requires. Id.
Likewise, in this case, Plaintiff has alleged that “[a]ll of PPE's client and payroll data (including client contact information, historical and prospective scheduling information, credits, incentives and promotions available to PPE customers, and payroll information), that is stored in, and provided through, the Rosy Salon software, are “electronic communications” within the meaning of the SCA as they are housed in, and transmitted to, servers connected to the internet.” R. 22 ¶ 68. Further, Plaintiff has alleged that “[t]he Rosy Salon servers are “electronic storage” facilities as defined by the SCA because they provide a means for the storage of electronic communications incidental to the transmission of PPE's electronic communications, and provide a backup copy of those communications, including electronic communications kept for, and provided to, authorized PPE account users.” R. 22 ¶ 70. Finally, Plaintiff alleges that Jin accessed the Rosy Salon servers without authorization, and obtained PPE's electronic communications stored therein. R. 22 ¶¶ 71–74. Based on the cases cited above, the Court finds that these allegations are sufficient to put Defendants on notice of the nature of the claims asserted against them and the grounds upon which they rest, which is all that is required at this stage. Defendants have not cited to, and the Court is unaware of, a case which requires Plaintiff to specifically allege the category of storage the data at issue was in when accessed. As such, Plaintiff's failure to do so is not fatal to its claims. As was the case with the electronic communication service provider element, the Court questions whether the Plaintiff will ultimately be able to prove that the electronic communications at issue were in electronic storage when accessed. It is unclear whether the Plaintiff will be able to prove that the data, when accessed, was stored temporarily incidental to transmission. That question, along with whether the data was stored for back-up purposes, is also more appropriately left for summary judgment or trial.
II. Computer Fraud and Abuse Act
Count II of Plaintiff's Amended Complaint pleads violations of three different provisions of the CFAA: (1) 18 U.S.C. § 1030(a)(2)(c), which prohibits people from “intentionally access[ing] a computer without authorization and thereby obtain[ing] information from any protected computer; (2) 18 U.S.C. § 1030(a)(4), which prohibits people from “knowingly and with intent to defraud access[ing] a protected computer without authorization and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value; and (3) 18 U.S.C. § 1030(a)(5)(C), which prohibits people from “intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss.” R. 22. Subsection (g) of the CFAA creates a private right of action for anyone who suffers damage or loss in the amount of $5000 as a result of a violation of any of the substantive provisions of the CFAA, including § 1030(a)(2)(c) and § 1030(a)(4). 18 U.S.C. § 1030(g). Accordingly, in general, to plead a civil cause of action based on a violation of a substantive provision of the CFAA, a plaintiff need only plead damage or loss, not both. However, § 1030(a)(5)(C) is distinct in that the language of the provision itself requires the existence of both damage and loss in order to constitute a violation. In other words, a violation of § 1030(a)(5)(C) does not occur when a defendant's conduct has not caused both damage and loss. Motorola, Inc. v. Lemko Corp., 609 F.Supp.2d 760, 768–69 (N.D.Ill.2009). “Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). “Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11).
Defendants move to dismiss Plaintiff's CFAA cause of action arguing that Plaintiff failed to adequately allege loss and damage as defined by the CFAA. R. 28. Defendants are correct that Plaintiff has not alleged damage as defined by the CFAA. Plaintiff's amended complaint does not contain any allegations substantiating a claim of damage. Specifically, Plaintiff's allegations regarding Jin's illegal accessing of PPE data are insufficient to plead the existence of damage. The case law is abundantly clear that the mere accessing of data does not meet the definition of damage under the CFAA. Farmers Ins. Exchange v. The Auto Club Group, 823 F.Supp.2d 847, 852–53 (N.D.Ill.2011); Mintel Int'l Group, Ltd. v. Neergheen, No. 08 C 3939, 2010 WL 145786, at *9 (N.D.Ill. Jan. 12, 2010). Plaintiff's additional assertion that Jin's representation to the Court that she destroyed her PPE-issued laptop substantiates its claim for damage is likewise unavailing. R. 29 at 7. Again, the CFAA is aimed at preventing damage or impairment to data. Even if the Court accepts as true the representation that Jin destroyed the PPE-issued laptop, a fact which is not currently contained in Plaintiff's amended complaint, Plaintiff's amended complaint does not allege that the destruction of the laptop resulted in destruction or impairment of data. Accordingly, because Plaintiff has failed to plead a required element of § 1030(a)(5)(C) of the CFAA (damage), the Court dismisses without prejudice the alleged violation of § 1030(a)(5)(C) from Count II. See Motorola, Inc., 609 F.Supp.2d at 769.
Turning to Plaintiff's alleged violations of § 1030(a)(2)(c) and § 1030(a)(4), as previously discussed, Plaintiff need only plead damage or loss to adequately plead a private right of action for violations of these provisions. Plaintiff alleges that it incurred “a loss of over $5000 in investigation and security assessment costs associated with [Jin's] intrusion.” R. 22 ¶ 88. Relying on Instant Tech. LLC v. DeFazio, No. 12 C 491, 40 F.Supp.3d 989, 2014 WL 1759184 (N.D.Ill. May 2, 2014), Defendants argue that this is insufficient because Plaintiff has not alleged that its loss relates to computer impairment, damage, or interruption of service. Plaintiff, relying primarily on Motorola v. Lemko, 609 F.Supp.2d 760 (N.D.Ill.2009), asserts that its allegation that it spent over $5000 on security assessments performed in response to Jin's unauthorized access of Plaintiff's data is enough to survive Defendants' motion to dismiss.
The Parties' contrasting positions show the existence of a split within the Circuit as to what constitutes loss under the CFAA. Ultimately, the Court is more persuaded by the plain language of the statute which defines loss as “ any reasonable cost to any victim, including the cost of responding to an offense.” § 1030(e)(11). (emphasis added). The statute clearly states that loss includes any reasonable cost to the victim, and then provides examples of costs that could be considered reasonable under the statute. However, the definition, by its use of the word “including,” does not state that the list is exhaustive. In addition, the Court finds that the “cost of responding to an offense” includes the costs associated with conducting investigation and security assessments in response to a suspected violation of the CFAA. Ultimately, the Court is satisfied that for purposes of ruling on a motion to dismiss, Plaintiff has adequately pled loss by alleging that it incurred costs over $5000 in “investigation and security assessment costs associated with the intrusion.” R. 22 ¶ 88; Motorola, 609 F.Supp.2d at 768.
CONCLUSION
For the foregoing reasons, Defendants' motion to dismiss, R. 28, is granted without prejudice with respect to Plaintiff's alleged violation of § 1030(a)(5)(C) of Count II, and denied in all other respects. Plaintiff is granted 14 days to amend its complaint if there are facts which would support an allegation of damage in light of Jin's representation that she destroyed the PPE-issued laptop.