Summary
holding that plaintiff was required to, but did not, specifically allege CFAA damages and explain how defendant caused them
Summary of this case from Combier v. PortelosOpinion
Case No. 17 C 8893
04-24-2018
KEVIN TAMLYN, Plaintiff, v. BLUESTONE ADVISORS, LLC, an Illinois Limited Liability Company; ANDREW ROYCE, Individually; and TRACIE RASMUSSEN, Individually, Defendants.
MEMORANDUM OPINION AND ORDER
Defendants BlueStone Advisors and Andrew Royce (collectively, "BlueStone") move to dismiss Counts III and IV of the Complaint for failure to state a claim [ECF No. 12]. For the reasons stated herein, the Court grants the Motion in full and dismisses both Counts without prejudice.
I. BACKGROUND
Kevin Tamlyn ("Tamlyn") sold commercial insurance for BlueStone from July 2016 to June 2017. According to the parties' shared employment agreement, Tamlyn generated new clients for BlueStone and also renewed existing ones. For those services, BlueStone paid Tamlyn a base salary plus commissions. At some point, Tamlyn began to suspect that BlueStone was not paying him all of the commissions he had earned. He asked BlueStone for an accounting but did not receive one. Toward the end of his employment with BlueStone, Tamlyn courted a company called Framarx Corp. to become a new BlueStone client. But Tamlyn alleges that on June 19, 2017, before he could put a bow on the Framarx negotiations, BlueStone advised him that he would not receive any commission for the Framarx account nor for "any other clients [he] had already acquired." (Compl., Dkt. 1-1 ¶ 12.) On June 23, 2017, Tamlyn's employment with BlueStone terminated. The details of this termination are not clear from the complaint; Tamlyn simply states that his employment terminated "as a result of BlueStone's breach of the [employment] Agreement." (Id. ¶ 15.) Regardless, Tamlyn explains that BlueStone did not pay him any commission for the Framarx account nor for several other accounts Tamlyn either generated or renewed.
In a July 9, 2017 letter confirming Tamlyn's termination, BlueStone asked that Tamlyn turn over his username and password to his SHOP Marketplace account. According to the Complaint, such accounts are hosted by Healthcare.gov and are used by licensed insurance brokers to maintain corporate insurance accounts, manage client relationships, conduct renewals, vet plan options, and provide quotes. At the time of Tamlyn's termination, he was the only BlueStone employee with a SHOP account. Yet BlueStone ostensibly needed to access the SHOP Marketplace even after Tamlyn's termination, however, so on July 7, 2017, a BlueStone employee allegedly phoned the Marketplace Call Center and pretended to be Tamlyn to secure the Call Center's assistance in changing Tamlyn's log-in credentials, thus transitioning the client information stored there into BlueStone's hands. As a result of these behaviors, Tamlyn sued BlueStone in Illinois state court. BlueStone removed that action and now moves to dismiss two of the Complaint's five counts for failure to state a claim.
II. DISCUSSION
Specifically, BlueStone moves to dismiss Count III, for violations of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030 et seq., and Count IV, for tortious interference with prospective economic advantage. On this Motion to Dismiss, the Court accepts all well-pleaded allegations as true and draws all reasonable inferences in favor of the plaintiff. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009).
A. The CFAA (Count III)
To state a claim under the CFAA, a plaintiff must allege (1) damage or loss; (2) caused by (3) a violation of one of the substantive provisions set forth in § 1030(a), and (4) conduct involving one of the factors of harm set forth in § 1030(c)(4)(A)(i)(I)-(VI). Maximum Indep. Brokerage, LLC v. Smith, 218 F.Supp.3d 630, 636 (N.D. Ill. 2016) (citations omitted). In this case, Tamlyn alleges BlueStone violated § 1030(a)(3), which prohibits:
intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, access[ing] such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States[.]18 U.S.C. § 1030(a)(3). Finally, of the six possible "factors of harm" required in the fourth CFAA element, only one could possibly be present here based on the current allegations. That is "loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value" in economic damages. 18 U.S.C. § 1030(c)(4)(A)(i)(I), (g).
Tamlyn argues that when BlueStone accessed the SHOP Marketplace using Tamlyn's wrongly-begotten log-in credentials, BlueStone intentionally and without authorization accessed a nonpublic, governmental computer and that said access harmed Tamlyn by depriving him of his valuable access to the Marketplace. There are several problems with this allegation. As a threshold matter, however, Tamlyn is correct that BlueStone's access of the Marketplace through Healthcare.gov, which is allegedly hosted on U.S. government servers, constituted accessing a government computer. See, 18 U.S.C. § 1030(a)(3). As the Eighth Circuit summarized: "The language of 18 U.S.C. § 1030(e)(1) [(which defines "computer")] is exceedingly broad. If a device is 'an electronic . . . or other high speed data processing device performing logical, arithmetic, or storage functions,' it is a computer. This definition captures any device that makes use of a[n] electronic data processor, examples of which are legion." United States v. Kramer, 631 F.3d 900, 902-03 (8th Cir. 2011) (citations omitted) (noting that coffeemakers, microwave ovens, watches, telephones, children's toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players fit within the statutory definition of "computer"). The Kramer court further recognized that while this definition might have a broad sweep, possible over-breadth is a matter for Congress, not the courts, to correct: "As more devices come to have built-in intelligence, the effective scope of [§ 1030(e)(1)] grows. This might prompt Congress to amend the statute but does not authorize the judiciary to give the existing version less coverage than its language portends." Id. at 904 (quoting United States v. Mitra, 405 F.3d 492, 495 (7th Cir. 2005)). BlueStone's alleged access of a government server fits within that expansive definition. Accord, United States v. Drew, 259 F.R.D. 449, 461 (C.D. Cal. 2009) (treating access of a private company's server through use of that company's website as accessing a computer under the CFAA); but cf. Fidlar Techs. v. LPS Real Estate Data Sols., Inc., 810 F.3d 1075, 1084 (7th Cir. 2016) (finding that a three-tiered system comprising county databases, a user-interface, and a "middle tier" that facilitated communication between the databases and the interface did not meet the definition of "computer").
Beyond this, however, Tamlyn's CFAA allegations largely fall short. He maintains that BlueStone accessed the government server "without authorization" because BlueStone secured that access only by recovering Tamlyn's log-in credentials through misrepresentation. On this score, the parties argue over whether, notwithstanding BlueStone's telephonic misrepresentations, Tamlyn's employment agreement vested in BlueStone a right to all of the data Tamlyn created in his SHOP account and thus, by definition, BlueStone was authorized to access the account irrespective of Tamlyn's consent. But Tamlyn's "without authorization" argument is hamstrung by his failure to allege plausibly that the server in question is "nonpublic." These two elements—"without authorization" and "nonpublic"—are related, because if a computer is public, the public is de facto authorized to access it. See, Int'l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006) (remarking in dicta that the public is authorized to access websites open to the public). Here, neither party cites any authority defining "nonpublic" in the CFAA context, and the Court's own efforts have turned up little. However, the DOJ's Office of Legal Education has explained that "nonpublic" includes "most government computers, but not [government] Internet servers that, by design, offer services to members of the general public." U.S. Dep't of Justice Office of Legal Education, Prosecuting Computer Crimes (2015), https://www.justice.gov/ sites/default/files/criminal-cips/legacy/2015/01/14/ccmanual.pdf. Here, Tamlyn alleges that any member of the public with a broker's license can create a SHOP account and use it to access the government server. It is not clear, however, that a mere licensure requirement renders a computer "nonpublic" under subsection (a)(3), and absent any guiding authority, the Court is doubtful that it would. Ultimately, though, the Court need not decide whether Tamlyn has plausibly alleged that the accessed server was nonpublic; his CFAA claim fails for another reason.
Simply enough, Tamlyn stumbles in alleging the requisite damages. Because none of the other "factors of harm" set forth in § 1030(c)(4)(A)(i) could plausibly fit the facts here, Tamlyn must allege that he suffered at least $5,000 in economic damages within one year. Id.; 18 U.S.C. § 1030(g). He does not do so. Tamlyn argues the Court should simply infer that the loss of access to his SHOP account "meet[s] the requirements for a damages claim under [the] CFAA." (Compl., Dkt. 22 at 2.) But the Twombly/Iqbal pleading standard is not so forgiving. See, Iqbal, 556 U.S. at 678; Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). Tamlyn must specifically allege damages as well as an explanation for how BlueStone's conduct caused them. He cannot hope to limp into court on inference alone. See, e.g., Modrowski v. Pigatto, No. 09 C 7002, 2010 WL 2610656, at *2 (N.D. Ill. June 25, 2010) (dismissing a CFAA § (a)(2) claim for lack of requisite specificity in alleging damages). Tamlyn fails to state a CFAA claim, and Count III is accordingly dismissed without prejudice.
B. Tortious Interference (Count IV)
To state a claim under Illinois law for intentional interference with prospective economic advantage, "a plaintiff must allege (1) a reasonable expectancy of entering into a valid business relationship, (2) the defendant's knowledge of the expectancy, (3) an intentional and unjustified interference by the defendant that induced or caused a breach or termination of the expectancy, and (4) damage to the plaintiff resulting from the defendant's interference." Foster v. Principal Life Ins. Co., 806 F.3d 967, 971 (7th Cir. 2015) (citations omitted). Tamlyn alleges that his SHOP account held information related to his former clients and that BlueStone's seizure of his account prevented him from continuing to service those clients. First of all, BlueStone points out that Tamlyn's employment agreement forbade him from "engag[ing] in any other gainful employment," so Tamlyn could not, while still employed, have developed any client relationships independent of those he cultivated for BlueStone. (Employment Agreement, Ex. A to Compl., Dkt. 1-1.) Further, the agreement restricted Tamlyn from servicing any former BlueStone clients for at least two years after his termination. That two-year proscription does not end until June 2019. As such, BlueStone argues that the only SHOP account client data to which Tamlyn would be entitled access would be data for clients whose relationships predated—and then presumably were paused during—Tamlyn's employment. Tamlyn does not dispute this reading of the agreement, though he argues in response that the agreement, or at least portions of it, is not enforceable. This argument is new. The Complaint nowhere alleges unenforceability.
Either way, Tamlyn's claim does not pass muster because he fails to allege plausibly that BlueStone knew of any reasonable business expectancy. There are two groups of possible clients to consider: those clients Tamlyn serviced while in BlueStone's employ, and those clients Tamlyn worked with prior to, and not during, his year in BlueStone's employ. Tamlyn argues that the post-employment restrictive covenant contained in his employment agreement is not enforceable, and so he was free to service former BlueStone clients after his termination. This argument misses the mark. The question in the tortious interference analysis is not whether Tamlyn was bound by the covenant, but rather whether BlueStone believed he was. If BlueStone believed as much, BlueStone would also believe Tamlyn could not have any reasonable business expectancy with former BlueStone clients. But Tamlyn never alleges that BlueStone had reason to doubt the enforceability of the post-employment covenant or the agreement generally, so his tortious interference claim has no legs vis-à-vis the first group of clients. Next, Tamlyn's allegations fare no better regarding the second group of possible clients. He alleges that: "Defendants knew of [his] reasonable expectations of continuing his existing business relationships with the clients serviced through on [sic] his SHOP account." (Compl., Dkt. 1-1 ¶ 49.) But even if Tamlyn means to refer to pre- BlueStone-employment clients, he has not explained who these clients are, why he reasonably expected to be able to work with them after an ostensible year without professional contact, or how BlueStone came to know about such an expectation. His Complaint on this score is threadbare, and threadbare allegations do not suffice. Firestone Fin. Corp. v. Meyer, 796 F.3d 822, 827 (7th Cir. 2015) (citing Iqbal, 556 U.S. at 678). Count V is dismissed without prejudice
III. CONCLUSION
For the reasons stated herein, BlueStone's Motion to Dismiss [ECF No. 12] is granted. Counts III and IV are dismissed without prejudice.
IT IS SO ORDERED.
/s/_________
Harry D. Leinenweber, Judge
United States District Court Dated: 4/24/2018