Civil No. 12-cv-111-LM
General Linen Service, Inc. brings suit against General Linen Service Company, Inc., asserting various state law claims and a claim under the Computer Fraud and Abuse Act (the "CFAA"). Defendant moves for summary judgment on plaintiff's CFAA claim. Plaintiff objects. On October 5, 2015, the court heard oral argument on defendant's motion.
Standard of Review
A movant is entitled to summary judgment where he "shows that there is no genuine dispute as to any material fact and [that he] is entitled to judgment as a matter of law." Fed. R. Civ. P. 56(a). In reviewing the record, the court construes all facts and reasonable inferences in the light most favorable to the nonmovant. Kelley v. Corr. Med. Servs., Inc., 707 F.3d 108, 115 (1st Cir. 2013).
Plaintiff, General Linen Service, Inc., is a company located in Newburyport, Massachusetts, which provides linen and uniform rental services to the healthcare, restaurant, and hospitality communities in New England. For purposes of this order, the court will refer to plaintiff as "GLN." Defendant, General Linen Service Company, Inc., is a company located in Somersworth, New Hampshire, which provides similar services in New England. The court will refer to defendant as "GLS."
GLN maintains customer information in digital format, as does GLS, and both companies use the same software vendor, Alliant Systems, Inc. ("Alliant"). In addition, GLN allows its customers to access their accounts and transact business online, through a "web portal."
On April 1, 2010, one of GLN's customers, 1640 Hart House ("Hart House"), reported to GLN that it had received a sales pitch from a GLS representative who, during the course of his presentation, provided Hart House with a package of GLN's invoices. GLN deduced that at least one of the invoices had been obtained through the web portal.
GLN's General Manager, Scott Van Pelt, learned through Alliant that the web portal had been accessed on several occasions by the username "admin." Alliant explained to Van Pelt that it had created the "admin" user account to allow for maintenance and troubleshooting of GLN's accounts.
On April 8, 2010, Van Pelt traced the "admin" user to an IP address registered to GLS. He then had Alliant change the password for the "admin" username. He worked "to determine how the breach occurred, who was responsible and what information may have been compromised." Van Pelt Decl. (doc. no. 58-2) at ¶ 5.
From April 1, 2010 (the date Van Pelt first learned that there may have been a network intrusion) through the following two weeks, Van Pelt dedicated himself "on a full-time basis" to investigating the data breach. See id. at ¶¶ 4-5. In his deposition, Van Pelt described himself as working "around the clock" during this time period. Van Pelt Dep. (doc. no. 56-4) at 17. The investigation "took valuable time away from [Van Pelt's] day-to-day responsibilities." Doc. no. 58-2 at ¶ 5. Van Pelt also shut down the web portal for anywhere from five days to two weeks during the investigation.
In addition, GLN's sales manager, Jason Proulx, assisted Van Pelt with the investigation. Proulx also dedicated two weeks "on a full-time basis" to investigating the data breach. See id. at ¶ 8. The work "took valuable time away from  Proulx's day-to-day activities." Id. Van Pelt also met with attorneys over the next several months "to assist in the investigation and (among other things) stop [GLS] from using stolen information." Id. at ¶ 9. Van Pelt states that he dedicated a substantial amount of time during the year following the breach to the investigation. In answers to interrogatories, GLN broke down Van Pelt's and Proulx's salaries into hourly wages, excluding overtime, as follows: Van Pelt earned $24 per hour and Proulx $19.25 per hour. Pl.'s Resps. to Interrogs. (doc. no. 56-10) at 5.
This action followed. GLN asserts claims against GLS under the CFAA, New Hampshire's Consumer Protection Act, New Hampshire's Trade Secret Act, and New Hampshire common law. GLS moves for summary judgment on the CFAA claim.
GLS, in turn, asserted counterclaims arising under the Lanham Act, the New Hampshire Consumer Protection Act, and New Hampshire common law.
GLS moves for summary judgment on the grounds that GLN did not sustain a "loss" recognized by the CFAA and that, even if it did, any loss did not amount to at least $5,000, as required under the CFAA. GLN objects, arguing that it has sustained an actionable loss that exceeds the threshold amount.
The CFAA provides a private right of action for compensatory damages and equitable relief to any person who suffers damage or loss because another "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer." 18 U.S.C. § 1030(a)(2)(C). Under 18 U.S.C. § 1030(g), a civil action under the CFAA "may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i)." Relevant to this action, those factors include: "loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value." § 1030(c)(4)(A)(i)(I). The statute further provides that:
the term "loss" means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.§ 1030(e)(11).
The CFAA also provides a definition for the term "damage." See § 1030(e)(8) ("the term 'damage' means any impairment to the integrity or availability of data, a program, a system, or information"). Here, GLN has alleged that it incurred "loss" under the CFAA, not "damage."
GLS argues that CFAA loss must relate to interruption of service. GLS contends, simply, that GLN does not have evidence that it sustained any such loss. GLS further argues that, even if GLN could recover for loss not arising out of the interruption of service, GLN cannot show loss of at least $5,000.
In response, GLN concedes that it does not claim loss arising out of an interruption of service. GLN argues, however, that the CFAA does not limit loss to costs arising out of an interruption of service. It contends that loss under the CFAA can be established by showing costs incurred while responding to or investigating a violation, regardless of an interruption of service. GLN further argues that evidence in the record shows that it sustained loss of at least $5,000 in responding to and investigating the CFAA violation.
During its investigation, GLN voluntarily shut down the web portal for somewhere between five days and two weeks. GLN does not argue that a plaintiff's voluntary shut down of its own system constitutes an interruption of service under the CFAA.
I. Interruption of Service
As the parties acknowledge, there is a split of authority as to the proper interpretation of the definition of "loss" in § 1030(e)(11). A number of courts hold that loss applies only to costs incurred because of an interruption of service. See, e.g., Von Holdt v. A-1 Tool Corp., 714 F. Supp. 2d 863, 876 (N.D. Ill. 2010) (holding that any loss under the CFAA "must be as a result of 'interruption of service'") (internal citation omitted). Other courts, however, hold that loss is defined as costs reasonably incurred in responding to an alleged CFAA offense, regardless of whether those costs relate to an interruption of service. See, e.g., AssociationVoice, Inc. v. AtHomeNet, Inc., No. 10-cv-109-CMA-MEH, 2011 WL 63508, at *6 (D. Colo. Jan. 6, 2011) (citing long line of cases supporting view that "[c]osts do not need to relate to an 'interruption of service' in order to fall within the ambit of 'loss'" under the CFAA). For the reasons that follow, the court finds the CFAA's definition of "loss" is not limited to costs caused by interruption of service.
"In determining the meaning of a statute, [the court's] analysis begins with the language of the statute." Saysana v. Gillen, 590 F.3d 7, 13 (1st Cir. 2009). "When the plain wording of the statute is clear, that is the end of the matter." Id. On the other hand, interpretation of statutory language may require the court to "read the words in their context and with a view to their place in the statutory scheme." King v. Burwell, 135 S. Ct. 2480, 2489 (2015) (internal quotation marks omitted).
A. Plain Language of § 1030(e)(11)
Section 1030(e)(11) defines loss as "any reasonable cost to any victim . . . ." § 1030(e)(11) (emphasis added). "[A]ny reasonable cost" is a broadly inclusive definition of loss that is limited only to reasonable costs. A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009) ("This broadly worded provision plainly contemplates . . . costs incurred as part of the response to a CFAA violation, including the investigation of an offense.").
The statute further defines loss as "including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." § 1030(e)(11) (emphasis added). By using "including" after "any reasonable cost," the CFAA provides examples, but not an exclusive or exhaustive list, of reasonable costs. See P.C. Pfeiffer Co., Inc. v. Ford, 444 U.S. 69, 77 n.7 (1979) ("including" means the enumerated items are part of a larger group); Black's Law Dictionary 1120 (9th ed. 2009) ("The term [namely] indicates what is to be included by name. By contrast, including implies a partial list and indicates that something is not listed.").
The exemplars for "any reasonable cost to any victim" include "the cost of responding to an offense" as well as "any . . . costs incurred . . . because of interruption of service." § 1030(e)(11). Thus, the CFAA provides even broader protection for costs incurred because of interruption of service, since it states that "any" such costs shall be deemed "loss" under the definition. However, nothing in either the language or structure of § 1030(e)(11) suggests that only costs caused by an interruption of service shall be deemed "loss" under the CFAA. Such a reading of the statute would contort the plain meaning of its words.
In short, the plain language of § 1030(e)(11) provides a broad definition of "loss" as "any reasonable cost to any victim." That definition is not limited to costs arising out of an interruption of service. Rather, costs incurred due to interruption of service are but one example of the types of costs compensable under the CFAA. See Fidlar Techs. v. LPS Real Estata Data Sols., Inc., No, 4:13-cv-4021-SLD-JAG, 2013 WL 5973938, at *8 (C.D. Ill. Nov. 8, 2013) (noting that "loss" in § 1030(e)(11) is defined as "any reasonable cost to any victim" and is not limited to the enumerated costs set forth after the term "including").
B. Section 1030(e)(11) in Context
While the words in § 1030(e)(11), read alone, reveal that "loss" does not require interruption of service, reading those words in the context of the statute as a whole further clarifies their meaning. The CFAA provides a private right of action to "[a]ny person who suffers damage or loss by reason of a violation of [the CFAA]." § 1030(g). The violation of the CFAA at issue here is "intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer . . . ." § 1030(a)(2)(C). That violation (i.e., unauthorized access to obtain information) does not contain as an element any sort of computer harm, data impairment, or interruption of service. Nor has GLS argued that any such allegation is required to state a violation of the CFAA.
The definition of "loss" includes "the cost of responding to an offense . . . ." § 1030(e)(11) (emphasis added). The offense in this case requires no showing of interruption of service. Therefore, a plain reading of the loss provision in the context of the whole statute supports GLN's interpretation of "loss" in the CFAA.
GLS nonetheless urges the court to construe the second exemplar clause in § 1030(e)(11) to impose a requirement that loss must include interruption of service. To achieve such a result, however, the court must not only ignore the broadly-worded definition of loss (i.e., "any reasonable cost to any victim"), but it must also adopt a construction of the two clauses in § 1030(e)(11) that renders part of the statutory language surplusage.
"It is 'a cardinal principle of statutory construction' that 'a statute ought, upon the whole, to be so construed that, if it can be prevented, no clause, sentence, or word shall be superfluous, void, or insignificant.'" TRW Inc. v. Andrews, 534 U.S. 19, 31 (2001) (quoting Duncan v. Walker, 533 U.S. 167, 174 (2001)). For that reason, the court "must read statutes, whenever possible, to give effect to every word and phrase." Narragansett Indian Tribe v. R.I., 449 F.3d 16, 26 (1st Cir. 2006).
Section 1030(e)(11) provides that "loss" includes certain specific costs, such as "the cost of responding to an offense, conducting a damage assessment, and restoring the data . . . to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." § 1030(e)(11) (emphasis added). To read the phrase "because of interruption of service" as applying to each cost exemplar listed above it would render the phrase "cost of responding to an offense" surplusage. That is, it would be redundant to include the "costs of responding to an offense" in the list because the latter phrase (i.e., "any costs incurred . . . because of interruption of service") would necessarily capture the more specific costs listed above.
The drafters of the statute intended that where a victim incurs costs due to an interruption of service, the victim may recover "any . . . cost incurred" as a result. To give meaning to the "cost of responding to an offense," it must include costs other than "any . . . cost incurred . . . because of interruption of service." See S. Parts & Eng'g Co., LLC v. Air Compressor Servs., LLC, No. 1:13-CV-2231-TWT, 2014 WL 667958, at *5 (N.D. Ga. Feb. 20, 2014); Dice Corp. v. Bold Techs., No. 11-13578, 2012 WL 263031, at *7 (E.D. Mich. Jan. 30, 2012); AssociationVoice, 2011 WL 63508, at *7.
In EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001), the First Circuit suggested that a more expansive reading of the remedial portion of the CFAA is consistent with the Act's legislative history. Although the First Circuit based its decision in EF Cultural on a prior version of the CFAA which did not include the current definition of "loss," the court's analysis of legislative intent behind the CFAA remains sound. And, the definition of the term "loss" subsequently added to the CFAA is consistent with the First Circuit's analysis of the CFAA in EF Cultural.
For all of these reasons, the plain language of the CFAA does not limit compensable "loss" to those costs arising out of interruption of service. Accordingly, to the extent GLS's motion seeks summary judgment on GLN's CFAA claim because GLN's loss does not arise out of interruption of service, it is denied.
II. Loss in Excess of $5,000
GLS argues that even if GLN's loss need not arise out of an interruption of service, its CFAA claim still fails because the record demonstrates that GLN did not suffer loss of at least $5,000. GLS asserts that GLN's alleged loss (i.e., the cost of its investigation into the unauthorized access to the web portal) was minimal and consisted of, at most, a single day of investigative work.
Neither party disputes, however, that GLN learned of the invoice problem on April 1, 2010. On April 8, 2010, Alliant informed Van Pelt that someone had accessed GLN's network by capitalizing on a vulnerability in the network. Specifically, the intruder had used a username and password ("admin") created by Alliant to permit Alliant "backdoor" access into GLN's network. Also on April 8, 2010, Van Pelt determined that GLS was the suspected intruder and took the necessary steps to patch the password vulnerability. According to GLS, anything GLN did after GLN discovered the intruder and patched the vulnerability does not qualify as "loss" to meet the $5,000 threshold under the CFAA.
To show loss, GLN submitted Van Pelt's declaration. In his declaration, Van Pelt states that both he and GLN's sales manager, Proulx, spent the two weeks after GLN discovered the intrusion investigating the breach on a full-time basis. In his deposition, Van Pelt described himself as having worked "around the clock" for those two weeks. Doc. no. 56-4 at 17. In answers to interrogatories, GLN converted Van Pelt's and Proulx's salaries to hourly wages. At the relevant time, Van Pelt earned $24.00 per hour and Proulx earned $19.25 per hour. Van Pelt described his investigation from April 1 through April 12 as "determin[ing] how the breach occurred, who was responsible and what information may have been compromised . . . and remedying the [breach]." Doc. no. 58-2 at ¶¶ 5-6. Van Pelt described Proulx's investigation as "trying to track down information relating to the data breach." Id. at ¶ 8. Construed favorably to GLN, a reasonable jury could conclude that Van Pelt's and Proulx's investigation from April 1 through April 12, 2010, qualifies as "the cost of responding to an offense" under § 1030(e)(11).
"[A] CFAA plaintiff may recover damages for its own employees' time spent responding to CFAA violations." Animators at Law, Inc. v. Capital Legal Sols., LLC, 786 F. Supp. 2d 1114, 1122 (E.D. Va. 2011); see also iParadigms, 562 F.3d at 646 (quoting with approval SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975, 980-81 (N.D. Cal. 2008), in which the district court held that the value of "many hours of valuable time away from day-to-day responsibilities" are contemplated within the CFAA's definition of "loss").
GLS argues that once GLN determined how GLS obtained the invoices it gave to Hart House and then patched the network vulnerability at issue, all other parts of the investigation were either unnecessary or were somehow unrelated to the violation. In a CFAA case, however, "[t]he 'reasonableness' of a company's reaction to stolen data involves questions of judgment that invoke practical, rather than legal, concerns. And a jury might well look askance when individuals who stole from a company protest that the victim of the theft overreacted." 1st Rate Mortg. Corp. v. Vision Mortg. Servs. Corp., No. 09-C-471, 2011 WL 666088, at *3 (E.D. Wis. Feb. 15, 2011) (internal parentheses omitted). Therefore, whether GLN's investigation was reasonable generally is a factual question for a jury. See Genworth Fin. Wealth Mgmt., Inc. v. McMullan, No. 3:09-CV-1521(JCH), 2012 WL 1078011, at *13 (D. Conn. Mar. 30, 2012) ; Animators, 786 F. Supp. 2d at 1121.
GLS also asserts that "[t]here are no time records, phone records, emails or any other records upon which a reasonable fact-finder could determine that GLN's employees actually spent over $5,000 worth of time on the so-called investigation." Def.'s Reply (doc. no. 62) at 6. Construed favorably to GLN, however, the evidence of loss, even if limited to just the two-week period from April 1 to April 12, 2010, exceeds the $5,000 threshold. Van Pelt worked "around the clock" for those two weeks, and Proulx worked on a "full-time basis." Viewing this evidence in the light most favorable to GLN, a reasonable jury could find Van Pelt's and Proulx's time spent investigating the offense constituted a "loss" of at least $5,000.
Although it is not clear what Van Pelt meant by "around the clock," GLN suggests that a favorable construction amounts to 24-hour-long days. Nothing in Van Pelt's declaration or deposition suggests that he worked twelve days, non-stop, without any sleep. At oral argument, GLN asserted that a favorable but reasonable interpretation of "around the clock" is 16-hour-long days.
As discussed above, the definition of "loss" means any reasonable cost to any victim, including the cost of responding to an offense. Whether GLN's incurred costs were reasonable and whether they totaled at least $5,000 are disputed facts. Therefore, viewing the record evidence in a light most favorable to GLN, a genuine dispute of material fact exists as to whether GLN has sustained loss under the CFAA of at least $5,000.
GLN also argues that other costs and attorney's fees incurred during its ongoing investigation should be considered "loss" under the CFAA. Because GLN's employees' time spent in response to the CFAA violation is sufficient to create a genuine issue of material fact as to whether GLN has sustained at least $5,000 in loss under the CFAA, the court does not address GLN's other arguments with respect to costs. Importantly, however, to prove at trial that costs are compensable under the CFAA, GLN must show a sufficient causal nexus between the costs incurred and the CFAA violation. See § 1030(g) (compensable loss is "loss by reason of a violation"). --------
For the foregoing reasons, the defendant's motion for partial summary judgment (doc. no. 56) is denied.
United States District Judge
October 20, 2015 cc: Sara Yevics Beccia, Esq.
Dennis J. Kelly, Esq.
James F. Laboe, Esq.
Laura Witney Lee, Esq.
Andrea L. Martin Esq.
Paul R. Mastrocola, Esq.
Joseph Gardner Mattson, Esq.
Jeffrey C. Spear, Esq.