Summary
holding that defendants were not liable under the ECPA because they had authorization to password-protected areas of plaintiff's website
Summary of this case from Microsoft Corp. v. DoeOpinion
No. 1:08cv1333 (LMB/TCB).
March 31, 2009.
John Francis Mardula, Shauna Miller Wertheim, The Marbury Law Group PLLC, Reston, VA, for Plaintiff.
Charles Michael Sims, David James Sensenig, Leclair Ryan PC, Robert Michael Tyler, McGuirewoods LLP, Richmond, VA, Jodie Nicole Herrmann, McGuirewoods LLP, McLean, VA, for Defendants.
MEMORANDUM OPINION
The defendants have moved to dismiss several of the counts of the Complaint for failure to state a claim. For the reasons stated in open court and in this opinion, the defendants' motions will be granted in part and denied in part.
I. Background
Plaintiff State Analysis, Inc. d/b/a/ StateScape ("StateScape") is a Virginia government relations and analysis firm that owns and operates a searchable, proprietary database of local, state, and federal bills and regulations, and sells access to it on a subscription basis to its clients. It claims to be the first firm to offer tracking of state legislation and regulation, and has been in business since 1991. According to the Complaint, StateScape's software downloads bills and regulations from government websites, and its analysts then examine the bills, "tag" them according to issue areas, and put together customized listings of bills and regulations for StateScape's customers.
Co-defendant American Financial Services Association ("AFSA") is a business association headquartered in Washington, D.C. whose members are financial services companies. AFSA was a client of StateScape from 1998 through 2008 under a series of renewed one-year contracts. Under the terms of AFSA's contracts with StateScape, businesses that were members of AFSA were provided with access to StateScape's database and custom reports, and each AFSA member received a StateScape username and password.
In the Complaint, StateScape uses the terms "password" and "passcode" interchangeably. This opinion will use the term "password."
Co-defendant Kimbell Sherman Ellis ("KSE") is a government relations and public affairs firm located in Montpelier, Vermont whose services include monitoring legislative and regulatory developments. KSE was a customer of StateScape between March 1, 1999 and February 29, 2000; however, it is now a competitor of StateScape.
In December 2002, KSE offered to purchase StateScape's database. StateScape declined the offer and shortly thereafter fired its marketing director, co-defendant Leif Johnson. Johnson was subject to a non-compete and non-disclosure agreement that prohibited him, for one year from the date his employment with StateScape ended, from working for any entity or service similar to the services he performed for StateScape, and from performing similar services for any StateScape customer. Notwithstanding these agreements, Johnson was hired by KSE in or about July 2003 and began working in KSE's Washington office. KSE also hired at least one other StateScape employee, researcher Gia Biden, who had done research services for StateScape's contract with AFSA. Biden began working for KSE sometime after August 13, 2003.
On October 23, 2008, AFSA informed StateScape that it would not renew its contract and planned to switch to KSE's tracking database, FOCUS, beginning on January 1, 2009. StateScape claims it was surprised because AFSA had never complained to StateScape about its services or costs. StateScape began to investigate AFSA's activity logs in its database, and discovered that from October 2004 through November 2008, the database had been accessed 735 times from an internet protocol ("IP") address located in Montpelier, Vermont — the location of KSE's headquarters — using three usernames associated with AFSA employees who worked in AFSA's Washington office. According to the Complaint, KSE is not, and never has been, a member of AFSA.
StateScape further discovered, on AFSA's website, a number of "white papers . . . prepared for AFSA by KSE containing bill summaries markedly similar, if not identical, to those authored by StateScape." Compl. ¶ 21. In those white papers, it discovered "bill counts" — listings of the number of bills reported to exist on a topic — that were identical to the bill counts for subjects using the StateScape database. StateScape also discovered, on KSE's website, that a number of features of StateScape's proprietary database had been incorporated into KSE's FOCUS database.
StateScape concluded that KSE repeatedly accessed StateScape's database from 2004 through 2008, using usernames and passwords provided to KSE by AFSA, and downloaded and copied StateScape database records, including copyrighted works. On November 13, 2008, StateScape temporarily blocked AFSA's passwords and reminded AFSA of its obligations not to share its passwords and usernames with unauthorized persons. It also blocked access to its database from the Vermont IP address. One week later, after receiving a response from AFSA, StateScape reactivated the passwords but has continued to block access from the Vermont IP address.
StateScape's Complaint includes eleven counts, as follows:
Claims against AFSA and KSE
Count 1: Violations of the Copyright Act, 17 U.S.C. § 501, for reproducing StateScape's copyrighted works, and preparing derivative works based upon copyrighted works without authorization.
Count 2: Violations of the Computer Fraud and Abuse Act, for intentionally accessing StateScape's server without authorization, in violation of 18 U.S.C. § 1030(a)(2), and trafficking in passwords and access codes, in violation of 18 U.S.C. § 1030(a)(6).
Count 3: Violations of Title II of the Electronic Communications Privacy Act, 18 U.S.C. §§ 2701 et seq., for intentionally accessing password-protected database areas, obtaining access to electronic communications stored in the database, and disclosing them to third parties not authorized to receive them.
Count 4: Violations of the Virginia Computer Crimes Act, Va. Code § 18.2-152.3 et seq., for using a computer or computer network without authority, and thereby obtaining property by false pretenses, embezzling or committing larceny, and/or converting StateScape's property.
Count 10: Misappropriation of Trade Secrets, for misappropriating the passwords StateScape gave to AFSA.
Claim against AFSA only
Count 5: Breach of Contract, for providing AFSA usernames and passwords for StateScape's database to persons who were not members of AFSA.
Claims against KSE only
Count 6: Trespass, for entering password-protected areas of StateScape's database without authorization and thereby-diminishing their value. Count 7, Unjust Enrichment, for profiting from StateScape's proprietary database despite knowing that StateScape was the author, developer, and source of the information that KSE posted under its own name, and benefitting from the time, money, and resources StateScape invested to create StateScape's database.
Count 8, Interference with Prospective Business Relations, for interfering with the business relationship between StateScape and AFSA.
Count 9, Interference with contract, for interfering with the contract between AFSA and StateScape, and causing AFSA to breach the agreement.
Claim Against Leif Johnson only
Count 11, Breach of Contract, for breaching his non-compete agreement with StateScape by commencing work with KSE less than one year after his termination from StateScape and for performing services for a StateScape customer that were similar to the services he performed at StateScape.
II. Standard of Review
In reviewing a motion to dismiss for failure to state a claim, a court reviews only the legal sufficiency of the complaint. See Eastern Shore Markets, Inc. v. J.D. Associates Ltd. Partnership, 213 F.3d 175, 180 (4th Cir. 2000). The Court must assume the truth of all facts alleged in the complaint and the existence of any fact that can be proved, consistent with the complaint's allegations, and construe the facts in the light most favorable to the plaintiff. See id. However, "[w]hile a complaint attacked by a Rule 12(b)(6) motion to dismiss does not need detailed factual allegations, a plaintiff's obligation to provide the ground of his entitle[ment] to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 127 S.Ct. 1955, 1964-65 (2007) (internal quotation marks and citations omitted). A court need not accept legal conclusions drawn from the facts, or unwarranted inferences, unreasonable conclusions, or arguments. See Eastern Shore, 213 F.3d at 180.
III. Discussion
A. Count 2: Computer Fraud and Abuse Act.
StateScape has alleged that AFSA and KSE have violated two distinct provisions of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030(a)(2) and 18 U.S.C. § 1030(a)(6).
18 U.S.C. § 1030(a)(2) prohibits "intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer . . ." "Exceeds authorized access" is explicitly defined as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). Both AFSA and KSE have moved to dismiss this count on the grounds that they did not access StateScape's systems "without authorization" or "exceed authorized access."
Courts have differed as to how broadly or narrowly to construe 18 U.S.C. § 1030(a)(2). Some authorities have held that the CFAA was targeted at "computer hackers (e.g., electronic trespassers)," Sherman Co. v. Salton Maxim Housewares, Inc., 94 F. Supp. 2d 817, 820 (E.D. Mich. 2000), and only applies to a situation "where an outsider, or someone without authorization, accesses a computer," In re AOL, Inc. Version 5.0 Software Litig., 168 F. Supp. 2d 1359, 1370 (S.D. Fla. 2001). These authorities have rejected attempts to apply the CFAA to cases where the defendants are not alleged to have "broken into" the system but to have abused the privileges of a license. Other courts have held that the CFAA does apply to authorized users who use programs in an unauthorized way, including employees who obtain and use proprietary information in violation of a duty of loyalty, Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006), and licensees who breach an agreement restricting their use of the software, Modis v. Bardelli, 531 F. Supp. 2d 314, 319 (D. Conn. 2008). Taking these authorities into account, on the facts alleged in the Complaint, the Court finds that StateScape has stated a claim under § 1030(a)(2) against KSE, but not against AFSA.
According to the Complaint, KSE accessed StateScape's website using usernames and passwords that did not belong to it. StateScape has pled that under the terms of their contract, only clients were authorized to use StateScape's subscription services, and that KSE was not so authorized. KSE therefore acted "without authorization." KSE may not hide behind purported "authorization" granted to it by AFSA, particularly given that KSE, a former client of StateScape that employed StateScape's former marketing director, was presumably familiar with the terms of StateScape's agreement and with the scope of authority granted to licensees.
KSE relies on SecureInfo Corp. v. Telos Corp., 387 F. Supp. 2d 593 (E.D. Va. 2005), in support of its Motion to Dismiss. InSecureInfo, a licensee of the plaintiff's software was alleged to have shared the software with a competitor of the plaintiff. The plaintiff sued the competitor for violations of § 1030(a)(2), and the court found that because the licensee had given the competitor permission to access the software using its license, the competitor could not have intentionally acted without authorization or in excess of its authority within the meaning of the statute. This Court finds, however, that even if AFSA granted KSE permission to access StateScape's database, KSE still may have acted "without authorization" if its access was not authorized by StateScape.
KSE has also moved for a partial dismissal of the CFAA claims on statute of limitations grounds. A two-year statute of limitations, which begins to run from "the date of the act complained of or the date of discovery of the damage," applies to this claim. 18 U.S.C. § 1030(g). "Damage" is defined in the CFAA as "any impairment to the integrity or availability of data, a program, a system, or information." 18 U.S.C. § 1030(e)(8). KSE correctly argues that StateScape has not pled that it suffered any "damage" as a result of the defendants' alleged conduct, as it has not alleged that the "integrity or availability of data, a program, a system, or information" has been impaired. The CFAA allows a plaintiff to recover for "loss," defined as "any reasonable cost to any victim . . ." as well as "damage;" however, it distinguishes between loss and damage in that the "discovery" provision that can lengthen the statute of limitations applies only to the discovery of damage, not loss.See Kluber Skahan Assoc., Inc. v. Cordogan, Clark Assoc., Inc., 2009 WL 466812, at *8 (N.D. Ill. Feb. 25, 2009). Because StateScape has alleged that it has suffered only loss, but not damage, the statute of limitations for the CFAA claim began to run from the date of the defendants' alleged violations and therefore bars any claims for violations occurring before December 24, 2006, two years before the Complaint was filed.
AFSA's Motion to Dismiss the § 1030(a)(2) claim will be granted. It is undisputed that AFSA itself never went beyond the areas that StateScape authorized AFSA to access. Rather, StateScape alleges that AFSA was "without authorization" because it breached its contract with StateScape in which it agreed to provide access to StateScape's services only to AFSA members. In its opposition to AFSA's Motion to Dismiss, StateScape relies on case law holding that employees who use their employers' computers to pass information to competitors act "without authorization." See, e.g., Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1125 (E.D. Wash. 2000) (holding that an employee, who by virtue of his employment was authorized to access his employer's computers, became "without authorization" when he became an "agent" for the defendant, one of his employer's competitors, to whom he sent e-mails containing his employer's trade secrets and other proprietary information). These cases, however, are distinguishable because AFSA's contract with StateScape makes clear that in the event that AFSA breached the contract by providing its passwords to others, StateScape reserved the right to terminate AFSA's contract, but it was not automatically terminated. Compl. Ex. 1 ¶ 4. As such, at no point was AFSA's access "without authorization." AFSA's alleged offense was not an unauthorized access — which § 1030(a)(2) prohibits — but an unauthorized use or misappropriation.
AFSA's access also did not "exceed authorization" within the meaning of the CFAA. As explained supra, the CFAA explicitly defines "exceeds authorization" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). Nowhere in the Complaint does StateScape allege that AFSA obtained or altered any information it was not entitled to; rather, the allegation is that AFSA used the information in an inappropriate way. Such allegations do not state a claim for a violation of § 1030(a)(2). Accordingly, AFSA's motion to dismiss those claims in Count 2 that fall under § 1030(a)(2) will be granted.
StateScape has also sued KSE and AFSA for violations of 18 U.S.C. § 1030(a)(6), which prohibits "knowingly and with intent. to defraud traffic[king] (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization." Only KSE has moved to dismiss this claim.
18 U.S.C. § 1029 defines "traffic" as "transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of." The Complaint does not allege that KSE transferred, or otherwise disposed of, AFSA's passwords; rather, it alleges that KSE received them from AFSA and used them without authorization. Such conduct does not constitute "trafficking" under § 1029. Therefore, KSE's motion to dismiss the § 1030(a)(6) trafficking claim will be granted.
B. Count 3: Electronic Communications Privacy Act.
The Electronic Communications Privacy Act ("ECPA"), 18 U.S.C. §§ 2701 et seq., makes it an offense to "intentionally access[] without authorization a facility through which an electronic communication service is provided, or intentionally exceed[] an authorization to access that facility; and thereby obtain[], alter[], or prevent[] authorized access to a wire or electronic communication while it is in electronic storage." 18 U.S.C. § 2701.
Both defendants have moved to dismiss the ECPA count on similar grounds as the motion to dismiss the CFAA count — that they were not "without authorization" to access StateScape's database and did not "intentionally exceed[] . . . authorization." KSE also argues that its conduct falls within a statutory exception to the ECPA, which provides that the statute does not prohibit "conduct authorized (1) by the person or entity providing a wire or electronic communications service [or] (2) by a user of that service with respect to a communication of or intended for that user." 18 U.S.C. § 2701(c)(2). Specifically, KSE argues that its conduct falls within the second exception, as its use of the database was authorized by AFSA, a "user of [StateScape's] service."
As with the CFAA count, StateScape has stated a claim against KSE by alleging that KSE, without any authorization from StateScape, accessed the password-protected areas of StateScape's site. KSE has cited no authority that supports the principle that a third party who intentionally accesses a system after being given a password by an authorized user cannot be liable under the ECPA; rather, in the case cited by KSE, Am. Computer Trust Leasing v. Jack Farrell Implement Co., 763 F. Supp. 1473, 1494-95 (D. Minn. 1991) (dismissing an ECPA count for failure to state a claim), the party alleged to have violated the ECPA was the authorized user or licensee, not an unauthorized third party. On the facts alleged here, the ECPA claim is adequately pled against KSE, which, according to the Complaint, was never authorized by StateScape to use the database.
The statutory exception relied on by KSE does not apply because the alleged conduct of KSE, although authorized by a user, AFSA, was not authorized "with respect to a communication of or intended for that user."
Conversely, StateScape has not alleged a viable ECPA claim against AFSA because AFSA falls within the first statutory exception for "conduct authorized by the person or entity providing a wire or electronic communications service." Although StateScape asserts that AFSA was not entitled, pursuant to its contract, to pass any information from StateScape's database along to KSE, it is undisputed that AFSA was contractually entitled to see all of the information it is alleged to have accessed. Accordingly, it cannot be liable under the ECPA. See Int'l Ass'n of Machinists Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 497 (D. Md. 2005) (holding that "the sort of trespasses to which the [ECPA] applies are those in which the trespasser gains access to information to which he is not entitled to see, not those in which the trespasser uses the information in an unauthorized way"). For these reasons, AFSA's motion to dismiss the ECFA claim will be granted.
C. Count 4: Virginia Computer Crimes Act.
AFSA and KSE have moved to dismiss the Virginia Computer Crimes Act, Va. Code § 18.2-152.3 et seq. ("VCCA"), on multiple grounds, including preemption of the VCCA by the Copyright Act. Section 301(a) of the Copyright Act states:
"all legal or equitable rights that are equivalent to any of the exclusive rights within the general scope of copyright as specified by section 106 [of the Copyright Act] in works of authorship that are fixed in a tangible medium of expression and come within the subject matter of copyright as specified by sections 102 and 103 . . . are governed exclusively by this title."17 U.S.C. § 301(a). A state law claim is preempted by the Copyright Act if (1) the work at issue is "within the scope of the `subject matter of copyright' as specified in 17 U.S.C.A. §§ 102, 103 and (2) the rights granted under state law are equivalent to any exclusive rights within the scope of federal copyright as set out in 17 U.S.C.A. § 106." Rosciszewski v. Arete Associates, Inc., 1 F.3d 225, 229 (4th Cir. 1993). A right under state law is "equivalent" to a right under federal copyright law if that right "may be abridged by an act which, in and of itself, would infringe one of the exclusive rights [granted in the Copyright Act]." Id. "However, if an extra element is required instead of or in addition to the acts of reproduction, performance, distribution or display, in order to constitute a state-created cause of action, there is no preemption . . . provided that the extra element changes the nature of the action so that it is qualitatively different from a copyright infringement claim." Id. (internal quotation marks and citations omitted).
The elements of a violation of the VCCA are that the defendant (1) uses a computer or computer network; (2) without authority; and (3) either obtains property or services by false pretenses, embezzles or commits larceny; or converts the property of another. Va. Code § 18.2-152.3. In Rosciszewski, the Fourth Circuit held that a claim under a prior, but similar, version of the VCCA based on unauthorized copying of copyrighted software was preempted by the Copyright Act. It concluded that the first element for preemption was satisfied because software is within the subject matter of copyright. Rosciszewski, 1 F.3d at 229. It next found that rights granted under the VCCA that protect against unauthorized copying of software are equivalent to those granted by the Copyright Act because none of the three elements of the VCCA were sufficient to "qualitatively chang[e] the state claim from one of unauthorized copying." Id. at 230. On these findings, the Fourth Circuit concluded that "the protection of computer programs from unauthorized copying granted under § 18.2-152.3 is equivalent to the exclusive right of the copyright owner to reproduce a copyrighted work under the Copyright Act," and that a cause of action under the VCCA "is preempted to the extent that it is based on reproduction of [a] copyrighted computer program." Rosciszewski, 1 F.3d at 230.
The court found that software programs are "original works of authorship fixed in [a] tangible medium of expression . . . from which they can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device." 17 U.S.C.A. § 102(a).
The Rosciszewski court held that using a computer, the first element of a VCCA violation, is merely a "necessary condition" to the copying, and that the second element — lack of authority — is also, by definition, an element of copyright infringement. Regarding the third element, the version of the VCCA before the court in Rosciszewski did not require a defendant to actually embezzle, convert or obtain property by false pretenses, but only required the intent to do so. Accordingly, the Fourth Circuit found that "[a]n action will not be saved from preemption by elements such as awareness or intent, which alter `the action's scope but not its nature.'" Rosciszewski, 1 F.3d at 230. The current version of the VCCA differs in that to be held liable, the defendant must actually commit larceny, false pretenses, embezzlement, or conversion. Va. Code § 18.2-152.3. However, at least one court has found that the VCCA, in the context of a software copying case, is still preempted by the Copyright Act.See SecureInfo, 387 F. Supp. 2d at 610.
Given the Fourth Circuit's holding, the only basis for finding that the VCCA claim is not preempted would be if the VCCA violations alleged here are distinguishable from the software copying alleged in Rosciszewski. StateScape argues that the case at bar is distinguishable, because (1) unlike inRosciszewski, where the case was at summary judgment, discovery has not even begun, and it is not yet known whether all wrongful KSE database accesses constituted copyright infringement, (2) StateScape's proprietary database, which the defendants allegedly accessed, included both copyrighted and non-copyrighted materials, and (3) the VCCA claim here is "based on elements beyond mere copying, [including] false pretenses, embezzlement, and/or conversion."
As AFSA points out, however, the Complaint consistently alleges that "[e]ach of the reports generated by the StateScape proprietary database bears a copyright notice," Compl. ¶ 8, that "StateScape owns a copyright in the StateScape proprietary database in the organization of the information in a searchable format available in no other source," id. ¶ 30, and that "StateScape also owns copyrights in each of the bill summaries within the StateScape database that were original works of authorship," id. On those facts as pled by StateScape, it is difficult to see how any claim under the VCCA would contain any elements making it "qualitatively" different from the Copyright Act claims. As such, the VCCA claim is preempted by the Copyright Act and will be dismissed.
D. Count 6: Trespass
KSE has moved to dismiss the claim for trespass to chattels, which is based on the allegation that KSE accessed password-protected areas of StateScape's website without authorization. A trespass to chattels occurs "when one party intentionally uses or intermeddles with personal property in rightful possession of another without authorization," America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 451-52 (E.D. Va. 1998), and "if the chattel is impaired as to its condition, quality, or value," id. KSE has moved to dismiss on the ground that StateScape has not alleged that its website, the object of the trespass, was impaired. See SecureInfo, 387 F. Supp. 2d at 621 (dismissing a trespass claim for failure to allege that improperly downloaded software had been impaired)
In SecureInfo, the defendants allegedly downloaded the contents of a software system. Although the plaintiff claimed that this contributed to the loss of customers and goodwill, and caused "diminution in the value of its confidential information and other proprietary data," the court found that the plaintiff had not alleged "that the materials that were taken by the defendants were damaged or diminished in value." SecureInfo, 387 F. Supp. 2d at 621 (emphasis in original).
Notwithstanding the holding in SecureInfo, the trespass claim should not be dismissed. Here, the object of the alleged trespass was not the downloaded content, but "the part of [StateScape's] website that is password-protected." Pl.'s Opp. 17. StateScape has alleged that the trespass "diminished the value of these areas [of the website]" by using them without permission. Moreover, this Court has held that senders of bulk e-mail committed a trespass to chattels when they "caused contact with [the plaintiff's] computer network . . . and . . . injured [the plaintiff's] business goodwill and diminished the value of its possessory interest in its computer network." America Online, Inc. v. IMS, 24 F.Supp.2d 548, 550 (E.D. Va. 1998). Although KSE's use of StateScape's resources is not alleged to have affected StateScape's network capacity and performance, given that StateScape charges fees for its passwords, the "value of [StateScape's] possessory interest in its computer network" is diminished if unauthorized users access its password-protected areas. As such, StateScape has adequately pled a trespass to chattels claim.
E. Count 10: Misappropriation of Trade Secrets.
AFSA and KSE have moved to dismiss the claim under the Virginia Uniform Trade Secrets Act ("VUTSA"), which StateScape bases on AFSA's unauthorized sharing of its passwords for StateScape's database with KSE. The defendants argue that passwords, as a matter of law, are not trade secrets.
A "trade secret" under the VUTSA is defined as follows:
"Trade secret" means information, including but not limited to, a formula, pattern, compilation, program, device, method, technique, or process, that:
1. Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and
2. Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
Both defendants argue that passwords lack "independent economic value," but are instead a security mechanism designed to control access to information, and therefore are not trade secrets. Although they concede that there is no Virginia holding directly on point, they rely on a footnote in Microstrategy, Inc. v. Bus. Objects, S.A., 331 F. Supp. 2d 396, 429 n. 4 (E.D. Va. 2004):
The court also voices its skepticism that a CD Key can constitute a trade secret. A trade secret is information and a CD Key, a series of random numbers, is not information. Instead, it is a lock — a barrier — to the access of information that might properly be considered a trade secret.
Defendants' argument that a password is "simply a series of random numbers and letters that is a barrier to its alleged copyrighted material," AFSA Mem. 16, and not a trade secret, has merit. Although the passwords at issue clearly have economic value given that they are integral to accessing StateScape's database, they have no independent economic value in the way a formula or a customer list might have. Where a plaintiff has not alleged that its passwords are the product of any special formula or algorithm that it developed, the passwords are not trade secrets. Accordingly, Count 10 will be dismissed in its entirety as to both defendants.
F. Count 11: Breach of Contract (Johnson).
StateScape alleges that Johnson was a party to a non-compete agreement that prohibited him, for one year from the date of his termination, from working for any entity or service similar to the services he performed for StateScape, and from performing similar services for StateScape customers. Johnson stopped working for StateScape on March 19, 2003, and began working for KSE less than one year later, in July 2003.
Johnson has moved to dismiss this claim on statute of limitations grounds, arguing that the contract is subject to Virginia's five-year statute of limitations on written contracts, Va. Code Ann. § 8.01.246(2), and that because he started working for KSE no later than July 2003 and this suit was filed on December 24, 2008 — more then five years later — the claim is completely time-barred.
StateScape has opposed the motion on the grounds that Virginia law provides "[a]n exception to strict application of the statute of limitations . . . in the case of an `indivisible' contract, where a non-breaching party can `elect between pursuing his remedy when an action which would constitute a breach occurs or awaiting the time fixed by the contract for full and final performance. If he elects the latter course, the statute of limitations does not begin to run against his right of action until the time for final performance fixed by the contract has passed.'"American Inn, L.P. v. Suntrust Banks, Inc., 28 Fed. Appx. 316, 319-20, (4th Cir. 2002), quoting Suffolk City Sch. Bd. v. Conrad Bros., Inc., 495 S.E.2d 470, 472-73 (Va. 1998). StateScape argues that the non-compete agreement was an indivisible contract, and that because its term expired on March 19, 2004, the statute did not begin to run until that date.
Under Virginia law, the "indivisible contract" or "continuing undertaking" doctrine is an exception to the normal rule that a statute of limitations runs from the moment the breach occurs. This exception applies "only with regard to a continuous or recurring course of professional services related to a particular undertaking." Harris v. K K Ins. Agency, Inc., 453 S.E.2d 284, 286 (1995). The Virginia Supreme Court has applied it "in cases stating claims of breach of contract or negligence involving the professional services of physicians, attorneys, and accountants."Id.
The exception does not apply here because Johnson's non-compete contract cannot be considered indivisible. StateScape offers no evidence that the contract was indivisible. Conversely, Johnson has pointed to specific language in the contract — a clause stating that "each of the rights and remedies enumerated above shall be independent of the other, and shall be severally enforceable . . ." to show that the contract was not indivisible. In addition, unlike the "continuing undertaking" types of contracts discussed in Harris, Johnson's contract is a contractnot to do certain things. It is clearly distinguishable from the types of contracts for which the "continuing undertaking" exception has been applied by Virginia courts.
However, StateScape's contract claims against Johnson allegetwo types of breaches. The first is the alleged breach of Johnson's agreement not to work for an entity similar to StateScape within the one year following termination. This claim began to accrue in July 2003, when, according to the Complaint, Johnson began working for KSE. Because StateScape did not sue Johnson within five years of July 2003, this claim is time-barred. StateScape also alleges that Johnson breached his agreement not to perform services for StateScape customers for one year. It is unclear from the Complaint — and will not become clear until discovery — whether and when Johnson began to solicit AFSA business, and perhaps other StateScape customers. If StateScape discovers that Johnson breached this provision of the contract between December 24, 2003 (five years before StateScape filed suit) and March 19, 2004 (one year after Johnson's termination from StateScape), those claims would not be time-barred. For these reasons, Johnson's Motion to Dismiss Count 11 will be granted in part and denied in part.
G. KSE's Motions to Dismiss Counts 1 (Copyright) and 7 (Unjust Enrichment) on Statute of Limitations Grounds.
KSE has moved for a partial dismissal of StateScape's copyright claims, arguing that any claims for violations before December 24, 2005 are time-barred. The statute of limitations for copyright claims is three years after the claim accrues. 17 U.S.C. § 507(b). A claim for copyright infringement accrues "when one has knowledge of a violation or is chargeable with such knowledge." Lyons Partnership, LP v. Morris Costumes, Inc., 243 F.3d 789, 797 (4th Cir. 2001) (internal citations omitted). StateScape has represented in the Complaint that it first learned of KSE and AFSA's alleged violations of copyright law in 2008, after AFSA terminated its relationship with StateScape, and that KSE hid its activities by using AFSA usernames to engage in its unauthorized accesses. StateScape has adequately pled that it did not know and had no reason to know about any of the conduct in question before 2008. Whether or not StateScape had actual or constructive knowledge of previous violations is a question of fact to be resolved after discovery, not on a motion to dismiss. Accordingly, the motion for partial dismissal of the copyright claim will be denied.
KSE has also moved to partially dismiss StateScape's Count 7 claim for unjust enrichment to the extent that the claim arose before December 24, 2005, arguing that unjust enrichment claims in Virginia are subject to a three-year time bar. See Belcher v. Kirkwood, 383 S.E.2d 729, 731 (Va. 1989). StateScape responds that equitable estoppel defeats the statute of limitations defense. Equitable estoppel applies where one party "reasonably relied on the words and conduct of the person to be estopped in allowing the limitations period to expire." City of Bedford v. James Leffel Co., 558 F.2d 216, 218 (4th Cir. 1977). Here, StateScape has pled that KSE, for an extended period of time, used the passwords of AFSA to disguise its accesses into StateScape's system. This allegation is sufficient to defeat dismissal of the unjust enrichment claim on statute of limitations grounds.
IV. Conclusion
For the above-stated reasons:
As to Count 1, KSE's partial motion to dismiss the copyright claim on statute of limitations grounds will be DENIED.
As to Count 2, AFSA's motion to dismiss the § 1030(a)(2) portion of the CFAA claim against it will be GRANTED. KSE's motion to dismiss the § 1030(a)(6) portion of the CFAA claim against it will also be GRANTED. KSE's motion to dismiss the § 1030(a)(2) claim in its entirety will be DENIED. However, due to the running of the statute of limitations, StateScape may only recover against KSE under § 1030(a)(2) for violations occurring on or after December 24, 2006.
As to Count 3, AFSA's motion to dismiss the ECPA claim will be GRANTED and KSE's motion to dismiss it will be DENIED.
As to Counts 4 and 10, both parties' motions to dismiss will be GRANTED.
As to Counts 6 and 7, KSE's motions to dismiss will be DENIED.
As to Count 11, Johnson's motion to dismiss the breach of contract claims will be GRANTED IN PART, such that any claims against him for commencing work with KSE are time-barred, but any claims against him for breach of his agreement not to do business with StateScape customers are allowed to the extent that the breaches occurred between December 24, 2003 and March 19, 2004.
A separate order consistent with this opinion will be entered.