Opinion
8:12CR417
07-16-2013
UNITED STATES OF AMERICA, Plaintiff, v. KEVIN CAVE, Defendant.
MEMORANDUM AND ORDER
This matter is before the court on the defendant Kevin Cave's objection, Filing No. 31, and supporting brief, Filing No. 32, to the Findings and Recommendation ("F&R") of the magistrate judge, Filing No. 30. The magistrate judge recommended denial of the defendant's motion to dismiss, Filing No. 22. The Superseding Indictment charges the defendant with a violation of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030(a)(2)(C) and (c)(2)(B)(i) for exceeding authorized access to a protected computer. Superseding Indictment, Filing No. 9. The defendant argues the court should dismiss this case because the Superseding Indictment fails to state an offense. Filing No. 22. Although the government pleads specific facts in the Superseding Indictment, the defendant claims these facts do not show an actual violation of the statute. Id. The court adopts the F&R of the magistrate judge, denying the defendant's motion to dismiss.
That statute provides, in relevant part:
(a) Whoever—
. . . .
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
. . . .
(C) information from any protected computer;
. . . .
(c) The punishment for an offense under subsection (a) or (b) of this section is—
. . . .
(2)(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if--
(i) the offense was committed for purposes of commercial advantage or private financial gain. . . .
Pursuant to 28 U.S.C. § 636(b)(1)(A), the court has conducted a de novo review of the F&R. United States v. Lothridge, 324 F.3d 599, 600-01 (8th Cir. 2003). The court examined the record, including the transcript of the motion hearing, Filing No. 29, and the parties' briefs, Filing No. 23, Filing No. 25, and Filing No. 32. In order to be successful on his motion to dismiss, the defendant must demonstrate that the indictment "is so defective that it cannot be said, by any reasonable construction, to charge the offense for which the defendant was [charged]. . . . An indictment is normally sufficient if its language tracks the statutory language." United States v. Sewell, 513 F.3d 820, 821 (8th Cir. 2008) (citations omitted).
In the Superseding Indictment, the government alleges that Cave was a police officer with the Omaha Police Department ("OPD") from September 23, 2002, until September 7, 2012. Superseding Indictment, Filing No. 9 at 3. In his position with OPD, the defendant used the Nebraska Criminal Justice Information System ("NCJIS"), a database used to search for information such as drivers' license information, criminal history, employment history, and probation and parole status. Filing No. 9 at 1.
In order to gain authorization to utilize NCJIS, the OPD executed a required memorandum of understanding acknowledging the confidentiality of the information contained in the database. Id. at 2-3. Only law enforcement personnel have access to NCJIS, and they may only do so in their official capacities. Id. at 2. Specifically, the memorandum of understanding provides that access "is restricted to persons directly involved in the professional use for which the information is obtained." Government Brief in Response to Motion to Dismiss, Filing No. 25 at 3. Cave received training on the appropriate purposes for and limitations on his use of NCJIS. Id. at 3-4.
From about March 2, 2010, to August 21, 2012, Cave allegedly conducted searches of NCJIS for the purpose of selling confidential information to car dealerships. Filing No. 9 at 3. The car dealerships sought this information in order to repossess vehicles. Cave lacked any official law enforcement purpose in executing these searches. Id.
In his motion to dismiss, Cave argues that the facts alleged "[tend] to show that the Defendant misappropriated information, not that he was without authorization or exceeded his authorization in accessing such information." Motion to Dismiss, Filing No. 22 at 1. The defendant argues that because he had authorization to access the entire database, he could not have exceeded that authorization by violating a confidentiality policy afterwards. See Defendant Memorandum in Support of Motion, Filing No. 23; Filing No. 32. In support of this assertion, the defendant cites cases from the United States Courts of Appeals for the Fourth and Ninth Circuits. Defendant Brief in Support of Objection to F&R, Filing No. 32 at 3-5 (citing WEC Carolina Energy Solutions, LLC v. Miller, 687 F.3d 199, 203 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc); LVRC Holdings, LLC v. Brekka, 581 F.3d 1127, 1134-35 (9th Cir. 2009)).
The defendant also argues that legislative history supports his interpretation of CFAA. Filing No. 23 at 6. While the court disagrees, it does not reach this issue because it considers the language of the statute unambiguous.
--------
The government argues Cave had authorization to access NCJIS only for permitted purposes; therefore, he exceeded that authorization when he conducted a search for a prohibited purpose. Filing No. 25 at 8-13 (citing United States v. Teague, 646 F.3d 1119 (8th Cir. 2011); United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997); United States v. John, 597 F.3d 263 (5th Cir. 2010); International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010)).
The magistrate judge recommends that the court deny Cave's motion to dismiss. Filing No. 30. The magistrate judge reasons that the NCJIS memorandum of understanding limited the purposes for which Cave could access the database. Id. at 5. Therefore, any access made outside of that purpose exceeded his authorization. Id. In his objection to the F&R, Cave claims that the magistrate judge's interpretation "adds the new element of access with 'bad intent' and ignores the plain meaning of the words and phrases employed in the statute." Filing No. 32 at 2.
Contrary to Cave's argument, the magistrate judge's analysis does not add an element of intent to the CFAA; it merely acknowledges the realities of Cave's authorization under the memorandum of understanding. In the F&R, the magistrate judge defines the outer limits of the authorization NCJIS and OPD granted the defendant—not the limits of the statute. Filing No. 30 at 5 ("OPD granted Cave access to NCJIS for the limited purposes set forth in the MOU . . . accessing confidential information for personal financial gain is not within the aforementioned purpose").
Cave has failed to meet his burden under Sewell. Sewell, 513 F.3d at 821 (citations omitted) (stating the defendant must demonstrate that the indictment "is so defective that it cannot be said, by any reasonable construction, to charge the offense for which the defendant was [charged]. . . . An indictment is normally sufficient if its language tracks the statutory language."). The language of the Superseding Indictment closely tracks the CFAA, and the facts as alleged, if proven, state an offense under CFAA. Compare Filing No. 9 at 4 ("KEVIN CAVE, defendant herein, intentionally exceeded authorized access to a computer and thereby obtained information from a protected computer and the offense was committed for private financial gain"), and id. at 3-4 (alleging that defendant conducted searches of protected information for unauthorized purposes on specific dates for financial gain), with 18 U.S.C. § 1030(a)(2)(C), and 18 U.S.C. § 1030(c)(2)(B)(i).
As the government notes, the United States Courts of Appeals for the First, Fifth, Seventh, and Eleventh Circuits have come to the conclusion that a person granted access for limited purposes exceeds authorization when he or she pursues other purposes. See, e.g., Czubinski, 106 F.3d at 1078 ("Czubinski unquestionably exceeded authorized access" when he used a database to which he had access for an unauthorized purpose); John, 597 F.3d at 272 ("the concept of 'exceeds authorized access' may include exceeding the purposes for which access is 'authorized'"); Citrin, 440 F.3d at 420-21 ("Citrin's breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship"); Rodriguez, 628 F.3d at 1263 ("the policy of the Administration is that use of databases to obtain personal information is authorized only when done for business reasons . . . the plain language of [CFAA] forecloses any argument that Rodriguez did not exceed his authorized access" by accessing the database for other reasons). The court agrees with the magistrate judge that the Superseding Indictment properly states an offense.
THEREFORE, IT IS ORDERED:
1. The defendant's objection (Filing No. 31) to the F&R of the magistrate judge (Filing No. 30) is overruled.
2. The magistrate judge's F&R (Filing No. 30) is adopted.
3. The defendant's motion to dismiss criminal case (Filing No. 22) is denied.
BY THE COURT:
Joseph F. Bataillon
United States District Judge