attacking websites and computer file servers to obtain proprietary information was actionable under the CFAASummary of this case from Microsoft Corp. v. Doe
December 5, 2003
THIS MATTER is before the Court on Plaintiff Physicians Interactive's Motion for a Temporary Restraining Order and Preliminary Injunction, and Plaintiff's Motion for Limited Expedited Discovery. This is a case where the host of an interactive website for medical professionals contends that Lathian Systems, Inc.'s ("Lathian") information technology employee, Mr. Martinez, secretly hacked Physicians Interactive's website and stole their confidential customer lists and computer software code. The question presented is whether an injunction should issue where Physicians Interactive has shown probable cause to believe that Lathian's information technology employee used both a Lathian computer and his home computer to hack into Physicians Interactive's web site using computer software to secretly collect Physicians Interactive's customer lists and proprietary software. An injunction will be issued because Physicians Interactive has made a preliminary showing of an invasion of its computer system, unauthorized copying of its customer list, and theft of its trade secrets. Lathian may not use this confidential information to gain an unfair trade advantage; therefore, the Court will enjoin this activity. The Court will also enjoin Lathian, its employee Stephen Martinez, and any other agents of Lathian from any future attacks on the Physicians Interactive website. Finally, the Court will enjoin Lathian and its agents from using any of Physicians Interactive's information previously obtained by Lathian or its employee(s).
"Hack" is defined as, "to explore and manipulate the workings of a computer or other technological device or system, either for the purpose of understanding how it works or to gain unauthorized access." See Microsoft Encarta College Dictionary 644 (1st ed. 2001).
Physicians Interactive alleges that Defendants Lathian and Stephen Martinez hacked its website by sending "electronic robots" to steal its customer list, computer code, and confidential data. Physicians Interactive runs a website for physicians, www.physinteractive.com, featuring medical product and pharmaceutical data. See Mem. of P. A. in Supp. of Pl's Mot. for a T.R.O. and Prelim. Inj. ("Pl.'s Prelim. Inj. Mem.") at 1-5. Lathian runs a similar type of service, www.mydrugrep.com. Id. Physicians Interactive maintains its file servers in Sterling, Virginia, which is located in the Eastern District of Virginia. Id. On its file server, Physicians Interactive maintains an extensive confidential electronic database of the physicians and other medical professionals who use its service. Id. Specifically, Physicians Interactive's database contains the names, street addresses, and e-mail addresses of all of its medical professional clients. Physicians Interactive's file server is connected to the Internet, and is accessible by others via the Internet. Id. The public, however, does not have access to Physicians Interactive's client lists. In order to make full use of the Physicians Interactive website, a medical professional must have a user password and personal identification number that has been issued by the Plaintiff. Id. The website's most valuable asset is its data lists on medical professionals. These client lists consist of the medical professional's name, title, occupation, speciality, mailing address, e-mail address, telephone number, and fax number. Id. at 5.
"File server" is defined as, "a computer in a network that stores application programs and data files accessed by other computers." See Microsoft Encarta College Dictionary 533 (1st ed. 2001).
Physicians Interactive alleges that Defendants launched three "attacks" on its file servers to surreptitiously steal confidential data from its website. The attacks were carried out by Lathian's technology employee, Stephan Martinez, to obtain the proprietary medical professional information stored on Physicians Interactive's website. Id. at 7-11. The first alleged attack occurred on January 24, 2003. According to Plaintiff's Preliminary Injunction Memorandum, the computer that accessed Physicians Interactive's computer on that date "began to issue a series of commands to the Physicians Interactive Website Servers in which the URL and query string used by the Physicians Interactive Website Servers had been intentionally altered . . . These modifications appeared as part of a calculated effort to discover — through a process of experimentation — the elements of the query string that the Physicians Interactive Website Servers use to ensure that a user logged onto the site accesses only the information on the Website intended for that Medical Professional . . . Approximately 50 of these commands were issued." Id. at 8. Physicians Interactive did an investigatory audit of this alleged attack, and concluded that the computer which initiated this action had an Internet Provider ("IP") address of 126.96.36.199. Id. According to the registration records maintained by the American Registry for Internet Numbers ("ARIN"), this address is registered towww.mydrugrep.com, Lathian's website. Id.
The Defendants second alleged attack occurred on January 27, 2003. This attack, according to Physicians Interactive, lasted over 30 hours and "flooded [Physicians Interactive's] servers with a constant stream of commands issued at a rate of approximately 2.4 commands per second. Id. at 9. This alleged attack, according to Physicians Interactive, succeeded in accessing a significant number of Plaintiff's proprietary medical professional information. According to Physicians Interactive, because of the nature of the attack, the alleged hacker used a "software robot" or "extraction software" program. Id. The purpose of such a program, according to Plaintiff, is to "operat[e] across the Internet to perform searching, copying, and retrieving functions on the websites of others. . . ." Id. The IP address involved in this alleged attack, 188.8.131.52, was registered to Cox Communications, Inc. ("Cox"), an Internet Service Provider ("ISP"). Physicians Interactive subpoenaed Cox to determine what person used this IP address at the time of the alleged attack. However, Cox no longer had the user information from this time period. Id.
The Defendants third alleged attack took place on September 10, 2003. The third attack, according to Physicians Interactive, was similar to the second, and succeeded in accessing an even more greater number of Physicians Interactive's proprietary medical professional information. Id. at 10. According to Physicians Interactive, the alleged attack originated from IP address 184.108.40.206. This IP address was also registered to Cox. According to Cox, this IP address was assigned to Defendant Stephan Martinez of Lake Forest, California. Mr. Martinez is an information technology employee of Lathian Systems. Lake Forest, California, according to Physicians Interactive, is approximately 14 miles from Lathian's Newport Beach offices. Id.
After Physicians Interactive determined the place and nature of these computer hacking attacks, its information technology professionals implemented a software patch to protect its website from unauthorized access. The purpose of this software patch is to "prevent such unauthorized access from recurring." Id. at 12.
Physicians Interactive is suing Lathian Systems, Stephan Martinez, and John Doe(s) 1-10 for a private right of action under the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030, the Virginia Computer Crimes Act, Va. Code Ann. §§ 18.2-152.3, — 153.4, the Virginia Uniform Trade Secret Act, Va. Code Ann. §§ 59.1-336 et seq., and a common law trespass on chattels claim. In its Motion for Temporary Restraining Order and Preliminary Injunction, Physicians Interactive moves this Court to enjoin Defendants from (1) accessing Plaintiff's website file servers; (2) obtaining confidential proprietary and trade secret information belonging to Plaintiff; (3) using or disclosing any information that Defendants acquired by their allegedly unauthorized and illegal intrusions into Plaintiff's website file servers; and (4) destroying or altering any evidence of such acts. See Pl.'s Prelim. Inj. Mem. at 1. Physicians Interactive also seeks expedited discovery in connection with its Motion for Preliminary Injunction.
STANDARD OF REVIEW
In deciding whether to grant a motion for a preliminary injunction, this Court must apply the four part test set forth in Blackwelder Furniture Co. v. Seilig Mfg. Co., 550 F.2d 189 (4th Cir. 1977); see also Manning v. Hunt, 119 F.3d 254, 263 (4th Cir. 1997); Microstrategy Inc. v. Motorola, Inc., 245 F.3d 335 (4th Cir. 2001). The four-part test involves a consideration of the following factors: (1) the likelihood of irreparable harm to the plaintiff if the preliminary injunction is denied; (2) the likelihood of harm to the defendant if the requested relief is granted; (3) the likelihood that the plaintiff will succeed on the merits; and (4) the public interest. Id. at 195-96. The Fourth Circuit has held that in a Blackwelder analysis, harm to both parties is the most important consideration. See Direx Israel, Ltd. v. Breakthrough Medical Corp., 952 F.2d 802, 812 (4th Cir. 1992); see also Wilson v. Office of Civilian Health Medical Program of the Uniformed Services (CHAMPUS), 866 F.Supp. 903, 905 (E.D. Va. 1994). The plaintiff bears the burden of establishing that each of the Blackwelder factors support granting the injunction. See id. In addition, if the probable irreparable harm to the plaintiff in the absence of injunctive relief greatly outweighs the likely harm to the defendant if the Court should grant injunctive relief, then "it is not enough that grave or serious questions are presented; and plaintiff need not show a likelihood of success." Blackwelder, 550 F.2d at 196. Conversely, "[t]he importance of probability of success increases as the probability of irreparable harm diminishes." Blackwelder, 550 F.2d at 195.
Physicians Interactive also seeks limited expedited discovery directly related to the issues raised in its Motion for Temporary Restraining Order and Preliminary Injunction. According to Plaintiff's Memorandum in Support of its Motion for Limited Expedited Discovery, Physicians Interactive seeks "a limited number of document requests from Lathian and Martinez that relate, in general, to the circumstances surrounding the illegal intrusion of the PI Website Servers, the persons involved, the scope of the disclosure or dissemination of the confidential and proprietary and trade secret information which was illegally obtained as a result of the intrusions, and the use to which such trade secrets were put." See Pl.'s Mem. of P. A. in Supp. of Pl's Mot. for Limited Expedited Disc. at 3. Physicians Interactive also seeks "a limited number of interrogatories regarding the information downloaded from the PI Website Servers, the location of the computers used to access the PI Website Servers, the identity of persons involved in the underlying activities, the user of the illegally downloaded data, and the scope of the disclosure of such information." Id. Physicians Interactive has attached to its pleadings proposed document requests and interrogatories. Physicians Interactive also seeks to enter the sites where the computers used in the alleged attacks are located in order to obtain a "mirror image" of the computer equipment containing electronic data relating to the Defendants' alleged attacks on Plaintiff's file server.
This Court has "wide latitude in controlling discovery and . . . its rulings will not be overturned absent a showing of clear abuse of discretion." Rowland v. Am. Gen. Fin., Inc., 340 F.3d 187, 195 (4th Cir. 2003) (quoting Ardrey v. United Parcel Service, 798 F.2d 679, 682 (4th Cir. 1986)). Specifically, Federal Rules of Civil Procedure 26(d), 30(a), 33(b), 34(b) and 36 give this Court the power to adjust the timing requirements imposed under Rule 26(d) and if warranted, to expedite the time for responding to the discovery sought. Courts have held that expedited discovery is warranted "when some unusual circumstances or conditions exist that would likely prejudice the party if they were required to wait the normal time." Fimab-Finanziaria Magklificio Beillese Fratelli Fila S.p.A. v. Helio Import/Export, Inc., 601 F.Supp. 1, 3 (S.D. Fla. 1983); Semitool, Inc. v. Tokyo Electron America, Inc., 208 F.R.D. 273, 275 (N.D. Cal. 2002). This Court, in granting motions for expedited discovery, has held that a plaintiff must sufficiently prove the first and second prongs of Blackwelder, the "balance of hardships" analysis. Religious Tech. Ctr. v. Lerma, 897 F. Supp. 260, 267 (E.D. Va. 1995) (Brinkema, J.)
A) Irreparable Harm to Plaintiff
The Fourth Circuit has held that a plaintiff must make a clear showing of the irreparable harm it will suffer from the denial of injunctive relief. Dan River, Inc. v. Icahn, 701 F.2d 278, 284 (4th Cir. 1983). In accordance with Blackwelder, Physicians Interactive has demonstrated that there is a likelihood of irreparable harm to it if this Court denies the injunction. To date, Physicians Interactive has alleged three computer attacks against its file server. The origin of the second attack is unknown. However, Physicians Interactive has provided affidavits of its information technology staff, which trace the source of the first attack to www.mydrugrep.com, Lathian's website. Further, Physicians Interactive has alleged that it has traced the third attack to an IP address registered to Mr. Martinez. Physicians Interactive has shown probable cause to establish that the three hacking attacks described above are directly linked to the Defendants. This preliminary showing demonstrates irreparable harm to Physicians Interactive. Defendants argue that Physicians Interactive fails to show irreparable harm regarding future attacks because Physicians Interactive has, by its own admission, installed a software patch to protect Physicians interactive's computer file server. Defendants' argument has little merit. Although Physicians Interactive has indeed stated that it has installed a software patch that corrects its file server's current security vulnerabilities, such electronic security systems are not foolproof. The possibility still remains that Physicians Interactive's system could continue to be the target of Lathian's computer hackers. Such future Lathian attacks, if successful, would cost Physicians Interactive time and money through investigation and clean up.
B) HARM TO DEFENDANTS
The Court holds that the likelihood of irreparable harm to defendant, if the Court grants injunctive relief, is non-existent compared to the likelihood of harm to the plaintiff if the Court does not grant injunctive relief. Under the second prong of Blackwelder, the Court must balance the likelihood of irreparable harm to the plaintiff against the likelihood of harm to the defendant. See Blackwelder, 550 F.2d at 195. Physicians Interactive argues that the likelihood of irreparable harm to the Defendants is slim, because "defendants Martinez and Lathian will suffer no legally cognizable harm if they are required to stop accessing the PI Website Servers and to stop using or disclosing Physicians Interactive trade secrets and other confidential and proprietary information they have illegally obtained." See Pl.'s Prelim. Inj. Mem. at 28. The Court agrees with this argument. Injunctive relief is proper in this case for two reasons. First, injunctive relief is proper because any injunctive relief that this Court will grant will not prohibit the Defendants from using the authorized, public functions of Physicians Interactive's website. Second, any injunctive relief that the Court will issue will not infringe upon Lathian's right to legally compete within the marketplace for its services. Additionally, the Court recognizes some merit in Defendants' assertion that Physicians Interactive's proposed injunction request is vague. Indeed, the Court finds that Physicians Interactive's proposed injunctive request is overbroad and accordingly will issue a more narrowly tailored form of injunctive relief in a separate order.
C) LIKELIHOOD OF SUCCESS ON THE MERITS
The Court holds that Physicians Interactive has sufficiently shown a likelihood of success on the merits at this stage of the pleadings on all of its Counts. The third prong of Blackwelder requires Physicians Interactive to demonstrate to the Court that it is likely to succeed on the merits of all claims. Counts One, Two, and Three of Plaintiff's First Amended Complaint allege that Defendants violated subsections (a)(2)(C), (a)(4), and (a)(5) of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030. Counts Four and Five of Plaintiff's First Amended Complaint allege that Defendants violated the Virginia Computer Crimes Act ("VCCA"), Va. Code Ann. §§ 18.2-152.3, -153.4. Count Six of Plaintiff's First Amended Complaint allege a violation of the Virginia Uniform Trade Secrets Act (the "VUTSA"), Va. Code Ann. §§ 59.1-336 et seq. Finally, Count Seven of Plaintiff's First Amended Complaint allege a trespass on chattels under Virginia common law.
i) Counts One, Two, and Three (CFAA)
This Court finds that at this stage of the pleadings, Physicians Interactive has proved a likelihood of success on the merits of its CFAA Counts against both Lathian and its agent, Mr. Martinez. The CFAA, although a criminal statute, provides for a private right of action. See 18 U.S.C. § 1030(g). A violation of Subsection (a)(2)(C) of the CFAA occurs whenever a person:
intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains — . . . (C) information from any protected computer if the conduct involved an interstate or foreign communication. 18 U.S.C. § 1030 (a) (2) (C).
A violation of 18 U.S.C. § 1030(a)(4) occurs whenever a person:
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . 18 U.S.C. § 1030 (a) (2) (C).
In YourNetDating, Inc. v. Mitchell, 88 F. Supp. 2d 870 (N.D. Ill. 2000), the Northern District of Illinois held that the plaintiff had shown a likelihood of success on the merits of its CFAA claim when defendant was alleged to have hacked into its computer file server. In EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001), the First Circuit held that the competitor's use of a "scraper" computer software program to systematically and rapidly glean prices from a tour company's website, in order to allow systematic undercutting of those prices, "exceeded authorized access" within the meaning of the CFAA.
A violation of 18 U.S.C. § 1030(a)(5) occurs whenever a person "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage." 18 U.S.C. § 1030 (a) (5) (A) (iii). The damage, or loss, must aggregate to at least $5,000 within a one-year period. 18 U.S.C. § 1030 (a) (5) (B) (i).
Physicians Interactive has shown probable cause to demonstrate that Lathian's information technology employee, Mr. Martinez, directed two computer attacks against its website and computer file server. Physicians Interactive traced the first alleged attack, which occurred on January 24, 2003, to www.mydrugrep.com. This website belongs to Lathian. Physicians Interactive traced the third alleged attack, which occurred on September 10, 2003, to an IP address assigned to Mr. Martinez. The January 24, 2003 alleged attack, according to Physicians Interactive, was designed to obtain technical information about the workings and security vulnerabilities of its website. The September 10, 2003 attack used a "software robot" to obtain proprietary information from Plaintiff. Both alleged attacks, at this stage of the pleadings, appear more likely than not to fit within the definition of 18 U.S.C. § 1030 (a) (4). These attacks were an unauthorized entry into Physicians Interactive's website. The activity was geared towards copying confidential data. The end result was the loss to Physicians Interactive of something of value — a significant amount of its confidential customer list information.
Courts have held that a loss under the CFAA includes remedial and investigative expenses incurred by the plaintiff. See, e.g., E.F. Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 584 (1st Cir. 2001); Four Seasons Hotels and Resorts B.V. v. Consorcio Barr, S.A., 267 F. Supp. 2d 1268, 1321 (S.D. Fla. 2003); Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1126-27 (W.D. Wash. 2000). Physicians Interactive has stated in its affidavit that it has spent in excess of approximately $18,750 to assess the extent of the alleged attacks. See Pl.'s Prelim. Inj. Mem. at 16.
Defendants contend that Physicians Interactive's website authorized secret collections of customer lists and computer software code because the Physicians Interactive website does not have a sign posted on its opening page or elsewhere that sets limits on Internet users access to the site. While categorically denying involvement for the alleged attacks on Physicians Interactive's website, Defendants argue that a website with no such posting is open to Internet users for any purpose, including the secret collection of data not generally available and computer code. This extravagant assertion warrants careful scrutiny, as this argument appears to circumvent the spirit of the CFAA, and any other type of statute designed to protect website owners against computer hackers. If Defendants' argument has any merit, it is not for the Court to decide at this time. At this stage of the pleadings, based upon Physicians Interactive's Complaint and allegations, Physicians Interactive is likely to succeed on the merits of a CFAA claim.
ii) Counts Four and Five (VCCA)
As with the CFAA claim, Physicians Interactive has shown a likelihood to succeed on the merits of its VCCA claim. Section 18.2-152.3 of the VCCA provides in pertinent part that this statute is violated when a person "uses a computer or computer network without authority and with the intent to: (1) Obtain property or services by false pretenses; . . . or, (3) Convert the property of another." Section 18.2-152.4(A) makes it unlawful for a person "to use a computer or computer network without authority and with the intent to . . . (6) Make or cause to be made an unauthorized copy, in any form, . . . of computer data . . . residing in, communicated by, or produced by a computer or computer network." Like the CFAA, the VCCA provides for a private right of action. See Va. Code Ann. § 18.2-152.12.
Physicians Interactive has traced alleged hacking attacks to Defendants, in which the Defendants obtained property by false pretenses. In this case the alleged computer hacker used a software robot to obtain proprietary information. Based upon this fact, it is highly likely that the hacker, or hackers, converted Physicians Interactive's proprietary information for their own use. It is undisputed that Physicians Interactive's proprietary information was its own property. Likewise, in allegedly converting this property, it is highly likely that Defendants also made an unauthorized copy of computer data. Again, Defendants argue that if such an attack occurred, it was not unauthorized because of the Plaintiff's failure to place a usage restriction on its website. At this stage of the pleadings, this argument suggests that any Internet user has an open invitation to enter any website and to access the host computer's file server for any purpose including copying customer lists and computer code. Also, at this stage of the pleadings, Defendants argument offends the fundamental principles of ownership of private property. Suppose a private homeowner posted a sign welcoming all authorized visitors into her home. Certainly one would not consider the welcome sign as extending permission to visitors to not only enter, but to plunder through locked drawers in order to obtain confidential checking account and credit card statements. Applying the same analogy to a computer file server does not require much extrapolation. The website invitation to Internet users to visit a website, gather information, and sign up for services is not an invitation for Internet users to hack the website's host computer file server and copy company financial statements or personnel files. No sign need be posted on a website to protect the web host's property rights. In sum, Physicians Interactive has shown a likelihood that it will succeed on the merits.
iii) Count Six (VUTSA)
Physicians Interactive has demonstrated a likelihood of success on the merits of its VUTSA claim because Physicians Interactive has shown unauthorized copying of customer lists and proprietary software codes. Physicians Interactive has also shown that customer lists and proprietary software taken in the previously described computer attacks are trade secrets. Physicians Interactive has also shown a likelihood that these trade secrets were misappropriated by Lathian or its agent, Mr. Martinez.
To succeed on a claim under the VUTSA, a plaintiff must demonstrate that (1) the defendant has acquired or disclosed a "trade secret" and (2) that the trade secret has been "misappropriated," meaning that the person knows or has reason to know that the information was acquired by improper means. A trade secret is information that derives economic value from its secrecy and is subject to reasonable attempts to be maintained as secret. See Fordham v. Onesoft, Corp., No. 00 Civ. 1078-A, 2001 U.S. Dist. LEXIS 22918, *13 (E.D. Va. 2001); Newport News Indus. v. Dynamic Test'g, Inc., 130 F. Supp. 2d 745, 750-51 (E.D. Va. 2001).
In order to demonstrate the existence of a trade secret, a plaintiff must demonstrate that the information derives economic value from its secrecy and that it was subject to reasonable attempts to maintain it as a secret. Information that would economically benefit competitors, were it to become known to them, satisfies the standard if that information is safeguarded from disclosure in a manner that is reasonable under the circumstances. See Dionne v. Southeast Foam Conv'g Pack'g, Inc., 240 Va. 297, 302-03, 397 S.E.2d 110, 113-14 (1990). Numerous courts have held that customer lists and customer information are classic examples of trade secrets. See, e.g., North Atl. Instr., Inc. v. Haber, 188 F.3d 38, 44 (2d Cir. 1999); Four Seasons Hotels and Resorts B.V. v. Consorcio Barr, S.A, 267 F. Supp. 2d 1268, 1325 (S.D. Fla. 2003).
Physicians Interactive's information stored on its computer file server was not meant for the public domain and, therefore, was not stored in the public area of the website. Physicians Interactive created significant electronic safeguards to protect this information. Indeed, since the alleged attacks, Physicians Interactive has taken additional steps to safeguard this information through a software patch.
Under the VUTSA, "misappropriation" is defined to include the use of "improper means" to acquire knowledge of the trade secret, and the "improper means" are defined to include "theft", "misrepresentation" and "espionage through electronic or other means." Va Code Ann. § 59.1-336; see Fordham, 2001 U.S. Dist. LEXIS 22918 at *13; Newport News, 130 F. Supp. 2d at 751.
There can be no doubt that the use of a computer software robot to hack into a computer system and to take or copy proprietary information is an improper means to obtain a trade secret, and thus is misappropriation under the VUTSA. Defendants again argue that their access to Physicians Interactive's website was authorized because of Physicians Interactive's failure to place a usage restriction on its website. Again, for the reasons stated earlier, this argument fails to negate Plaintiff's likelihood to succeed on the merits.
iv. Count Seven (Trespass on Chattels)
Physicians Interactive has shown a likelihood of success on the merits of its trespass on chattels claim. A common law claim of trespass on chattels occurs "when one party intentionally uses or intermeddles with personal property in rightful possession of another without authorization." America Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d 451 (citing Restatement (Second) of Torts § 217(b)). Moreover, trespass occurs when the chattel "is impaired as to its `condition, quality, or value," Id. (citing Restatement (Second) of Torts § 218(b)).
This Court holds that there is a likelihood that the two alleged attacks that Physicians Interactive traced to Defendants were designed to intermeddle with personal property in the rightful possession of Plaintiff. The third alleged attack, which used a software robot to hack into Physicians Interactive's computer system and obtain proprietary information serves as a prima facie basis for a claim for trespass on chattels.
Defendants, as with all other of Plaintiff's claims, argue that their access to Physicians Interactive's website was authorized because of Plaintiff's failure to place a usage restriction on its website. Again, for the reasons stated earlier, this argument does not negate Physicians Interactive's likelihood to succeed on the merits.
Even if Defendants arguments that its access was not unauthorized because of Physicians Interactive's lack of notice on its website has merit, it is not for this Court to decide at this stage of the pleadings. As Blackwelder holds, if the probable irreparable harm to the plaintiff in the absence of injunctive relief greatly outweighs the likely harm to the defendant if injunctive relief should issue, then "it is enough that grave or serious questions are presented; and plaintiff need not show a likelihood of success." Blackwelder, 550 F.2d at 196. Physicians Interactive has shown irreparable harm through the costs it must incur to guard against future attacks.
v) Defendant Lathian Systems' Respondeat Superior Argument
Defendant Lathian Systems also argues that even if Defendant Martinez's conduct was wrongful, it was outside the scope of his employment with Lathian Systems. Lathian Systems cites Newport News, which establishes a multi-part test for determining whether an employee's conduct was within the scope of employment:
Generally, an act is within the scope of the employment if (1) it was expressly or impliedly directed by the employer, or is naturally incident to the business, and (2) it was performed, although mistakenly or ill-advisedly, with the intent to further the employer's interest, or from some impulse or emotion that was the natural consequence of an attempt to do the employer's business, and did not arise wholly from some external, independent, and personal motive on the part of the employee to do the act upon his own account. Newport News, 130 F. Supp. 2d at 750 (citing Kensington Associates v. West, 234 Va. 430, 432, 362 S.E.2d 900, 901 (1987).
At this stage of the pleading, it is unclear whether Physicians Interactive meets the test to establish respondeat superior as defined in Newport News. These facts will be elicited through discovery. However, based upon the given facts of the alleged attacks, this Court concludes that there is a substantial likelihood, at this stage of the pleadings, that the Plaintiff would succeed in proving that Mr. Martinez's alleged actions were within the scope of his employment. Thus, Physicians Interactive succeeds in proving a likelihood of success on the merits on all of its claims.
D) Public Interest
This Court holds that there is a strong public interest in granting preliminary injunctive relief in this action. The facts alleged by Physicians Interactive, if true, violate several federal and state criminal and civil statutes. This Court has an obligation to enjoin any alleged computer hackers from continuing to attack and steal Physicians Interactive's proprietary information.
E) Expedited Discovery
The Court will grant Physicians Interactive limited expedited discovery. Under a tailored form of injunctive relief issued in a separate order, Physicians Interactive satisfies the requirements for expedited discovery under the Fimab-Finanziaria, Semitool, and Religious Technology tests. In addition, Physicians Interactive meets the requirements for expedited discovery because it has successfully met the burden of all of the prongs of Blackwelder. Also, this case presents the Court with unusual circumstances or conditions that would likely prejudice the party if they were required to wait the normal time to initiate discovery. In this case, electronic evidence is at issue. Electronic evidence can easily be erased and manipulated. Physicians Interactive's expedited discovery is limited, however, to the proposed set of document requests and interrogatories that it provided to the Court in its Motion for Limited Expedited Discovery. Physicians Interactive is also granted limited expedited discovery to enter the sites where the computers used in the alleged attacks are located and to obtain a "mirror image" of the computer equipment containing electronic data relating to Defendants' alleged attacks on Physicians Interactive's file server. This discovery is limited only to information on Defendants' computers related to the alleged attacks, and must be done with the assistance of a computer forensic expert.
As discussed above, Physicians Interactive meets its burden under Blackwelder and thus the Court will grant it preliminary injunctive relief. Physicians Interactive has shown irreparable harm. Defendants have failed to show they will suffer irreparable harm by the Court's grant of injunctive relief. Physicians Interactive has overwhelmingly shown a likelihood of success on the merits. Finally, there is a strong public interest in granting this injunctive relief.
For the foregoing reasons, Plaintiff's Motion for a Temporary Restraining Order and Preliminary Injunction is GRANTED. Plaintiff's Motion for Limited Expedited Discovery is also GRANTED. An appropriate order will issue. The Clerk is directed to forward a copy of this Memorandum Opinion to counsel.