Summary
parsing dense statute to cobble together this claim
Summary of this case from Schwartz v. ADP, Inc.Opinion
CASE NO. 16–61145–CIV–ZLOCH
04-12-2018
Christopher Stephen Carver, Akerman Senterfitt, Miami, FL, Paul Leo Kobak, Jason Samuel Oletsky, Stacy J. Rodriguez, Akerman Senterfitt, Ft. Lauderdale, FL, for Plaintiff. Larry Allan Karns, Ryan Charles Shrouder, Spink & Associates, P.A., Cooper City, FL, for Defendant.
Christopher Stephen Carver, Akerman Senterfitt, Miami, FL, Paul Leo Kobak, Jason Samuel Oletsky, Stacy J. Rodriguez, Akerman Senterfitt, Ft. Lauderdale, FL, for Plaintiff.
Larry Allan Karns, Ryan Charles Shrouder, Spink & Associates, P.A., Cooper City, FL, for Defendant.
ORDER
WILLIAM J. ZLOCH, Sr. United States District Judge
THIS MATTER is before the Court upon Plaintiff Hamilton Group Funding, Inc.'s, Motion For Summary Judgment On Liability (DE 31) and Defendant Gerard Anthony Basel's Motion For Summary Judgment (DE 33). The Court has carefully reviewed said Motions, the entire court file and is otherwise fully advised in the premises.
In the above-styled cause, Plaintiff Hamilton Group Funding, Inc. (hereinafter "Plaintiff") alleges that Defendant Gerard Anthony Basel (hereinafter "Defendant") disclosed Plaintiff's internal communications, to non-party Daniel Lucas (hereinafter "Lucas") and his counsel for use in his state court action against Plaintiff and others. Based on this belief about Defendant's involvement in Lucas's possession of these documents, Plaintiff asserts two remaining counts against Defendant, Count I, for violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq., and Count II, for violation of the Electronic Communications Privacy Act, 18 U.S.C. § 2510, et seq., pursuant to its provision of a private cause of action at 18 U.S.C. § 2520, and also for violation of the Stored Communications Act, 18 U.S.C. § 2701, et seq., pursuant to its provision of a private cause of action at 18 U.S.C. § 2707. The Stored Communications Act is contained within the Electronic Communications Privacy Act.
The CFAA includes criminal penalties. See 18 U.S.C. § 1030(c). A civil action, such as the above-styled cause, is permitted by 18 U.S.C. § 1030(g), as will be discussed more fully below.
I. Background
Plaintiff is a mortgage lending firm offering residential mortgage products. Defendant was hired by Plaintiff as an IT consultant in January of 2014 and promoted in April of 2015 to Assistant Vice President, Director of Information Systems, a position he retained until his resignation on May 5, 2016. Lucas was a co-founder of Plaintiff and served as the CFO and President until his April, 2014 termination. Following his termination, Lucas initiated a lawsuit, currently pending in the Circuit Court of the Seventeenth Judicial Circuit, in and for Broward County, Florida, against Plaintiff and Plaintiff's officers and managers (hereinafter "Lucas lawsuit"). In the course of this state court action, Defendant assisted Plaintiff's attorneys with discovery, executed an affidavit, and sat for a deposition on April 6, 2016. On April 18, 2016, during Lucas's deposition of Plaintiff's CEO Mark Korell, one of the defendants in that lawsuit, seven exhibits were marked with dates subsequent to Lucas's termination and which Plaintiff had not produced to Lucas in discovery. See DE 32–7 (hereinafter "Korell Exhibits"). One of these documents is an offer letter to Michael Clark; the others consist of emails, frequently involving Mr. Korell and at times discussing Lucas. The precise nature of these communications and their relevance to the claims at issue in Lucas's lawsuit are not material to the resolution of the issues at stake in the above-styled cause, and thus the Court will not further describe their contents. But, the surfacing of these documents led to Plaintiff's investigation of a potential security breach related to these exhibits and ultimately to its request that Defendant attend a meeting. Defendant agreed to attend this meeting, but on the evening before the meeting, he resigned with no prior notice on May 5, 2016.
The following facts are taken from Plaintiff's Statement Of Undisputed Material Facts In Support Of Plaintiff's Motion For Summary Judgment (DE 32), Defendant's Statement Of Material Facts In Support Of His Motion For Summary Judgment (DE 34), Plaintiff's Response To Defendant's Statement Of Material Facts (DE 50), and Defendant's Statement Of Material Facts In Opposition To Plaintiff's Motion For Summary Judgment On Liability (DE 52), and accompanying exhibits attached to the instant Motion (DE 33) and these Statements of Facts and Responses (DE No. 32, 34, & 50).
Plaintiff uses the Microsoft 365 platform to run its computer systems, including e-mails and daily activities. Prior to his resignation, Defendant had full and complete global administrative rights to Plaintiff's computer systems and servers. During Defendant's employment with Plaintiff, he received two versions of an Employee Handbook. Some relevant portions in the 2014 Employee Handbook (DE 32–4) from the section "Use of Communications & Computer Systems & Information Security," state in pertinent part:
This system is described by Jeffrey E. Tuley, who performed a forensic assessment of Plaintiff's system, which will be described in detail below, as "a Web-based version of Microsoft's Office suite of enterprise-grade productivity applications," "a ‘cloud-based’ application enabled over the internet" which "allows HGF's employees access to Office applications such as hosted email, OneDrive online storage (similar to Dropbox), and SharePoint for collaboration, among others." DE 32–3, ¶ 8.
Hamilton Group Funding, Inc. has provided these computer and communications systems to help conduct business. Although limited personal use of the Company's systems is allowed to the extent it does not violate any Company policy or interfere with job performance, no use of these systems should ever conflict with the primary business purpose for which they have been provided, with the Company's ethical responsibilities or with applicable laws and regulations. Each user is personally responsible to ensure that these guidelines are followed.
...
No employee may access, or attempt to obtain access to another employee's computer systems without appropriate authorization.
DE 32–4, pp. 25–26. The revised 2015 Employee Handbook (DE 32–5) included some of the exact same language, which will be quoted here again, as well as some additional sections. Under the section, "Technology Use and Privacy," in language virtually identical to that appearing in the 2014 Employee Handbook, this revised version states:
HGF has provided these computer and communications systems to help conduct business. Although limited personal use of the Company's systems is allowed to the extent it does not violate any Company policy or interfere with job performance, no use of these systems should ever conflict with the primary business purpose for which they have been provided, with the Company's ethical responsibilities or with applicable laws and regulations. Each user is personally responsible to ensure that these guidelines are followed.
...
No employee may access, or attempt to obtain access to another employee's computer systems without appropriate authorization.
DE 32–5, pp. 42–43.
Following Mr. Korell's deposition, on April 20, 2016, Plaintiff hired Jeffrey E. Tuley (hereinafter "Tuley") of Net Evidence, Inc., to perform a computer forensic investigation as to whether there had been a security breach in Plaintiff's systems. The Parties are greatly at odds over the interpretation of Tuley's findings, but not with the findings themselves. Thus, the Court sets forth statements within his Expert Witness Report (DE 32–3) which the Court deems relevant to its analysis of the instant Motions (DE Nos. 31 & 33). Tuley concluded:
The only location the Korell Exhibits were found was inside the mailbox of Mr. Korell. This indicated they were not at that time saved or forwarded to another mailbox or user drive space of [Plaintiff]. Additionally, I reviewed audit and log data from the Office 365 system and Mark Korell's system to identify any accessing of his files or system. The log data did not show any access from other user accounts to Mark Korell's information.
DE 32–3, ¶ 9. During his review of users of Plaintiff's system, Tuley located a user, Keri Ochs (hereinafter "Ochs"), Plaintiff's former Vice President and Head of Information Systems, whose employment ended in April of 2014, but who, nevertheless, at the time of his investigation in April of 2016, still retained full and complete global administrative rights to Plaintiff's systems. Tuley's report observes that these credentials remaining active presented an "unsecure ‘open door’ " Id. at ¶ 12, and he notes that an unidentified party using her username and credentials accessed her mailbox on June 9, 2015, and, again, as recently as February 9, 2016. See Id. at ¶¶ 16, 19. Tuley also analyzed Defendant's laptop and included several paragraphs about his related findings:
My forensic inspection of [Defendant]'s laptop revealed that, prior to returning the laptop, [Defendant], or someone acting on his behalf, had deleted the "user directory" and his personal profile from the computer. Additionally, I determined that on or about April 22, 2016, between the hours of 10:00 pm and 11:59 pm (based on the clock settings in the laptop), [Defendant], or someone acting on his behalf, deleted a number of files (including documents and other data) from the laptop's hard drive while at the same time multiple USB Removable Flash Drives were connected to the laptop.
Specifically, a SanDisk Cruzer Glide USB Flash Drive and a Silicon Power USB Drive were plugged into on the laptop between 10:00 p.m. and 11:59 p.m. on April 22, 2016, i.e., during the time files were being deleted from the laptop hard drive.
I was not able to recover any of the files deleted from the laptop's hard drive or to determine what may have been downloaded to any of the USB flash drives.
DE 32–3, ¶¶ 30–32. Finally, while Tuley was not able to arrive at any definitive conclusions about the security breach, he provides this assessment:
Based on my investigation, it is my determination that someone using Ochs' credentials accessed Ochs' OneDrive and mailbox on [Plaintiff]'s computer system well after Ochs' resignation from [Plaintiff]. Whoever logged into [Plaintiff]'s computer system using Ochs' credentials would have had access to all of the emails of any [Plaintiff] employee, including Mark Korell, Mike Clark, and John Kantor, as well as full access to any other documents or information [Plaintiff] maintained within [Plaintiff]'s Microsoft 365 account.
[Defendant] with his credentials could have accessed the entire email system or could have used Ochs' credentials such that use of Ochs' credentials to access [Plaintiff]'s computer system is not the only method by which someone with global administrative access credentials could have obtained the Korell Exhibits.
Id. at ¶¶ 36–37.
Though Defendant was deposed, he frequently asserted his Fifth Amendment right not to incriminate himself. U.S. Const. amend. V. As noted above, both the CFAA and SCA are primarily criminal statutes, which also include the private civil causes of action asserted in the above-styled cause. The Court will discuss below the appropriate inference to be drawn as to Defendant's answers, but includes in this description of the factual basis for the instant Motions (DE Nos. 31 & 33) a few citations to Defendant's testimony.
Tuley's report, as quoted above, included some findings explaining how Defendant's user profile and some files had been deleted. At his deposition, Defendant was asked whether those actions were taken "in order to hide any trace of [his] providing [Lucas] with confidential [Plaintiff] documents in order to assist him [Lucas] with the prosecution of his lawsuit against [Plaintiff]?" and he answered, "No." DE 32–1, p. 55, ll. 13–18. He stated that he did not recall what documents he downloaded to the USB drives and that he also did not recall what documents he deleted on April 22, 2016. See Id. at ll. 21–25. Defendant was asked several detailed and several broad and overarching questions to which he asserted his Fifth Amendment right. Some examples include: "Then why did you decide to provide documents to [Lucas ] in secret outside of the formal discovery process in the state court action?" (Id., p. 70, ll. 4–9); "Did you provide [Lucas], Mr. Karns, Mr. Shrouder [Lucas's counsel in his state court case, as well as Defendant's counsel in this case], anyone at Spink & Associates [counsels' firm] or any third party, with either copies of those documents [the Korell Exhibits], or enough information about those documents so that they would be able to so specifically request that they be produced at a hearing in the state court action?" (Id. p. 114, ll. 18–24). The Court includes these examples merely as an indication of the types of questions to which Defendant asserted his Fifth Amendment right against self-incrimination. He provided this answer to numerous substantive and specific questions about his involvement with the Korell Exhibits. Further, Defendant responded "No." to the question, "Did anyone in senior management, Mr. Korell, Mr. Clark, Mr. Kantor, Karen Loney, anyone you considered a senior executive in the company or senior management in the company, did anyone ever authorize you to provide documents to [Lucas] outside of the formal discovery process in the state court action after the lawsuit was initiated? Id., p. 74, l. 20–p. 75, l. 2.
II. Standard of Review
Under Federal Rule of Civil Procedure 56(a), summary judgment is appropriate "if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." The party seeking summary judgment
always bears the initial responsibility of informing the district court of the basis for its motion, and identifying those portions of the pleadings, depositions, answers to interrogatories, and admissions on file, together with the affidavits, if any, which it believes demonstrate the absence of a genuine issue of material fact.
Celotex Corp. v. Catrett, 477 U.S. 317, 323, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986) (quotation omitted). "An issue of fact is ‘material’ if, under the applicable substantive law, it might affect the outcome of the case. An issue of fact is ‘genuine’ if the record taken as a whole could lead a rational trier of fact to find for the nonmoving party." Hickson Corp. v. N. Crossarm Co., Inc., 357 F.3d 1256, 1259–60 (11th Cir. 2004) (citing Allen v. Tyson Foods, 121 F.3d 642, 646 (11th Cir. 1997) ) (further citations omitted). "Only when that burden has been met does the burden shift to the non-moving party to demonstrate that there is indeed a material issue of fact that precludes summary judgment." Clark v. Coats & Clark, Inc., 929 F.2d 604, 608 (11th Cir. 1991) ; Avirgan v. Hull, 932 F.2d 1572, 1577 (11th Cir. 1991). "If the movant succeeds in demonstrating the absence of a material fact, the burden shifts to the non-movant to show the existence of a genuine issue of fact." Burger King Corp. v. E–Z Eating, 41 Corp., 572 F.3d 1306, 1313 (11th Cir. 2009) (citing Fitzpatrick v. City of Atlanta, 2 F.3d 1112, 1116 (11th Cir. 1993) ).
The moving party is entitled to "judgment as a matter of law" when the non-moving party fails to make a sufficient showing of an essential element of the case to which the non-moving party has the burden of proof. Celotex Corp., 477 U.S. at 322, 106 S.Ct. 2548 ; Everett v. Napper, 833 F.2d 1507, 1510 (11th Cir. 1987). All justifiable inferences are to be drawn in the light most favorable to the non-moving party. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 255, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986).
III. Analysis
Count I of the Complaint (DE 1) states a claim for violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, et seq., (hereinafter "CFAA"), which reads, in pertinent part:
Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages....
The referenced subclauses read:
(I) loss to 1 or more persons during any 1–year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security. 18 U.S.C. § 1030(c)(4)(A)(i)(I)–(V).
The referenced subclauses read:
(I) loss to 1 or more persons during any 1–year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security. 18 U.S.C. § 1030(c)(4)(A)(i)(I)–(V).
18 U.S.C. § 1030(g). The relevant factor in the above-styled cause, must necessarily, on the facts stated above, be 18 U.S.C. § 1030(c)(4)(A)(i)(I). Section 1030(g) references "damage or loss," and both of these terms are defined. Damage is "any impairment to the integrity or availability of data, a program, a system, or information," id. at (e)(8), and Loss is "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service," id. at (e)(11). Section 1030(a) describes the violations referenced in § 1030(g), and these include the violation relevant to the claim in the above-styled cause:
(a) Whoever—
...
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
...
(C) information from a protected computer;
...
shall be punished as provided in subsection (c) of this section [or, as in the instant case, shall be liable in a civil action as described by § 1030(g) ].
18 U.S.C. § 1030(a)(2)(C). Exceeds authorized access is defined as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." Id. at (e)(6). In Clarity Services, Inc. v. Barney, the court, explaining that though the CFAA is "primarily a criminal statute," it "provides a civil remedy to any person who suffers damage or loss from a violation of the Act" requiring the plaintiff to prove that the defendant: "(1) intentionally ‘accessed’ a computer, (2) lacked authorization or exceeded his authorized access to the computer, (3) obtained information from the computer, and (4) caused a loss of at least $5,000.00 to [Plaintiff]." 698 F.Supp.2d 1309, 1313 (M.D. Fla. 2010) (citing 18 U.S.C. §§ 1030(g); (a)(2)(C) ).
Count II of the Complaint (DE 1) alleges that Defendant violated the Electronic Communications Privacy Act, 18 U.S.C. § 2510, private civil cause of action 18 U.S.C. § 2520 (hereinafter ECPA), and additionally the Stored Communications Act, 18 U.S.C. § 2701, et seq., private civil cause of action 18 U.S.C. § 2707 (hereinafter "SCA"), contained with the ECPA. Section 2520, titled "Recovery of civil damages authorized," states, in pertinent part:
(a) In general.—Except as provided in section 2511(2)(a)(ii), any person whose wire, oral, or electronic communication is intercepted, disclosed, or intentionally used in violation of this chapter may in a civil action recover from the person or entity, other than the United States, which engaged in that violation such relief as may be appropriate.
18 U.S.C. § 2520(a). And Section 2707, titled "Civil action," states, in pertinent part:
(a) Cause of action.—Except as provided in section 2703(e), any provider of electronic communication service, subscriber, or other person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity, other than the United States, which engaged in that violation such relief as may be appropriate.
The elements of this ECPA claim are stated in 18 U.S.C. § 2511 :
(1) Except as otherwise specifically provided in this chapter any person who—
(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication;
...
(c) intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection;
(d) intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection; or
...
shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5).
18 U.S.C. § 2511 (1)(a) and (c)-(d). See also In re Pharmatrak, Inc., 329 F.3d 9, 18 (1st Cir. 2003) ("The post-ECPA Wiretap Act provides a private right of action against one who ‘intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.’ 18 U.S.C. § 2511(1)(a) ; see 18 U.S.C. § 2520 (providing a private right of action). The Wiretap Act defines ‘intercept’ as ‘the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.’ Id. § 2510(4). Thus, plaintiffs must show five elements to make their claim under Title I of the ECPA: that a defendant (1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication (5) using a device. This showing is subject to certain statutory exceptions, such as consent.").
Plaintiff's Motion For Summary Judgment On Liability (DE 31) specifies the relief sought: "Accordingly, the claims on which [Plaintiff] seeks summary judgment of liability against [Defendant] are Count I, for [Defendant's] violations of the CFAA, and Count II, for [Defendant's] violations of the SCA." Even if the Complaint (DE 1) also states a separate ECPA claim, Plaintiff has not moved for summary judgment as to liability on that claim. Therefore, the Court will only analyze Plaintiff's CFAA and SCA claims, and to the extent that Plaintiff still wishes to pursue a separate claim for violation of the ECPA, that claim will remain for trial.
And the elements of the SCA claim are stated in 18 U.S.C. § 2701(a) :
(a) Offense.—Except as provided in subsection (c) of this section whoever
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.
18 U.S.C. § 2701(a). See also TEC Serv, LLC v. Crabb, No. 11–62040–CIV–DIMITROULEAS/SNOW, 2013 WL 12177342, at *3 (S.D. Fla. Jan. 14, 2013) ("The SCA creates a cause of action against anyone who either ‘(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility’ if through that access the person ‘thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.’ " (citing 18 U.S.C. § 2701 ) ).
The first legal issue the Court must address is the inference the Court must apply to Defendant's decision to assert his Fifth Amendment right against self-incrimination. In Baxter v. Palmigiano, the Supreme Court acknowledged that the Fifth Amendment right against self-incrimination extended to testimony, even if given in civil proceedings, which might incriminate as to future criminal charges. 425 U.S. 308, 316, 96 S.Ct. 1551, 47 L.Ed.2d 810 (1976) (citing Lefkowitz v. Turley, 414 U.S. 70, 77, 94 S.Ct. 316, 38 L.Ed.2d 274 (1973) ). This principle is clearly applicable to the claims in this case because they have been brought under criminal statutes, which also provide for civil claims. Though an individual does not lose the Fifth Amendment right in the civil context, the Supreme Court declined to extend a prior holding in Griffin v. California, that no inference of guilt must be drawn in a criminal case based on the defendant's decision not to testify, to testimony in civil cases. Id. at 316–19, 96 S.Ct. 1551 (citing 380 U.S. 609, 85 S.Ct. 1229, 14 L.Ed.2d 106 (1965) ). Thus, the Court held "that the Fifth Amendment does not forbid adverse inferences against parties to civil actions when they refuse to testify in response to probative evidence offered against them: the Amendment ‘does not preclude the inference where the privilege is claimed by a party to a Civil cause.’ " Id. at 318, 96 S.Ct. 1551 (quoting 8 J. Wigmore, Evidence 439 (McNaughton rev. 1961) ). The following year, the Supreme Court, deciding Lefkowitz v. Cunningham further clarified its prior holding, explaining that, " Baxter did no more than permit an inference to be drawn in a civil case from a party's refusal to testify. Respondent's silence in Baxter was only one of a number of factors to be considered by the finder of fact in assessing a penalty, and was given no more probative value than the facts of the case warranted." 431 U.S. 801, 808 n.5, 97 S.Ct. 2132, 53 L.Ed.2d 1 (1977). See also LaSalle Bank Lake View v. Seguban, 54 F.3d 387, 391 (7th Cir. 1995) (concluding that Baxter yielded the conclusion, "that even in a civil case a judgment imposing liability cannot rest solely upon a privileged refusal to admit or deny at the pleading stage" and that "plaintiff should have been put to its proof, either by way of evidentiary support for a motion for summary judgment or at trial."). The Eleventh Circuit has described the permissible response in cases such as that of the Defendant's invocation of his Fifth Amendment right, at his deposition and in response to discovery requests in the above-styled cause, as permitting the inference "that the answers to the questions would not have been favorable to the [individual] asserting the privilege." U.S. v. Two Parcels of Real Property Located in Russell County, Ala., 92 F.3d 1123, 1129 (11th Cir. 1996). See also Eagle Hosp. Physicians, LLC v. SRG Consulting, Inc., 561 F.3d 1298, 1304 (11th Cir. 2009) (citing U.S. v. Two Parcels of Real Property Located in Russell County, Ala. for the proposition that an adverse inference based on the invocation of the Fifth Amendment is appropriate in a civil case). An adverse inference based on Defendant's decision not to answer questions put to him at his deposition is permissible. The Court will thus infer that the answers to questions to which Defendant invoked his right not to testify against himself would not be favorable to Defendant. But, the Court is not permitted and will not rest any findings against Defendant on the fact of his assertion of his privilege alone.
The Court must take up additional legal issues raised by the Parties' instant Motions (DE Nos. 31 & 33) before examining whether all the evidence, including the adverse inference drawn against Defendant for his assertion of his Fifth Amendment right, yields a finding of liability for Plaintiff on its CFAA and SCA claims. First among these issues, the Court will address one of the bases for summary judgment Defendant raises in his Motion (DE 33), which the Court finds has been recently and indisputably resolved by binding authority from the Eleventh Circuit. As noted above, the CFAA defines loss in § 1030(e)(11). Prior to the decision in Brown Jordan Int'l, Inc. v. Carmicle, courts struggled to ascertain the precise parameters of the loss definition quoted above. Noting that the interpretation of this definition was an issue of first impression in the Eleventh Circuit, the court held:
The plain language of the statutory definition includes two separate types of loss: (1) reasonable costs incurred in connection with such activities as responding to a violation, assessing the damage done, and restoring the affected data, program system, or information to its condition prior to the violation; and (2) any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. The statute is written in the disjunctive, making the first type of loss independent of an interruption of service.... "Loss" includes the direct costs of responding to the violation in the first portion of the definition, and consequential damages resulting from interruption of service in the second. Thus, under a plain reading of the statute, [the plaintiff's] loss from [defendant's] violation of the CFAA does not need to be related to an interruption of service in order to be compensable.
846 F.3d 1167, 1173–74 (11th Cir. 2017) (citing 18 U.S.C. § 1030(e)(11) (further citation omitted). Thus the type of loss claimed by Plaintiff, for example, for services such as those performed by Tuley, whether or not an interruption of service occurred, is the type of loss that is covered by the CFAA.
The next interpretative question plaguing the analysis of CFAA elements also requires the Court to apply a seminal Eleventh Circuit opinion to the issue. A violation of 18 U.S.C. § 1030(a)(2)(C) requires the violator to either "intentionally access[ ] a computer without authorization or [to] exceed[ ] authorized access, and thereby obtain[ ] ... information from a protected computer." (emphasis added); see also § 1030 (e)(6) (defining exceeds authorized access, as quoted supra ). With respect to Defendant, the relevant portion relates to his allegedly exceeding authorized access because he could not be said to have accessed without authorization since the Parties agree that he had global administrative rights to access Plaintiff's system at the time in his employment at which the alleged violations occurred. In Enhanced Recovery Co., LLC v. Frady, the court aptly described the conundrum in which courts have been placed in attempting to correctly apply this definition when it explained the competing views of this term:
[A]pplication of this term and its definition have bedeviled the courts. Some have interpreted the definition broadly, reading into it a theory of agency, such that an employee's authorization is revoked, and thus she "exceeds authorized access," whenever she obtains information with a subjective intent that is unlawful or contrary to her employer's interests, even though the employee actually had authorization to access the information.... Other courts, including the majority of district courts in this Circuit that have considered the question, have adopted a narrower definition of "exceeds authorized access." ... Under the narrow interpretation, an employer who has actually been granted access to information does not "exceed authorized access" by virtue of the employee's subjective intent or by subsequently violating computer policies on the use of the information.... The Court finds the reasoning in favor of the narrow interpretation significantly more persuasive.
No. 3:13-cv-1262-J-34JBT, 2015 WL 1470852, at *6 (S.D. Fla. Mar. 31, 2015) (citations omitted). Defendant argues that this Court should follow the Enhanced Recovery court in choosing the narrow interpretation. But, this Court does not agree that this is the course charted by the Eleventh Circuit, despite the response of other district courts within this Circuit, to the Eleventh Circuit's opinion in the criminal case United States v. Rodriguez.
In Rodriguez, the court interpreted the same definition in the context of a criminal violation of 18 U.S.C. § 1030(a)(2)(B) broadly when it held that "Rodriguez exceeded his authorized access and violated the Act when he obtained personal information for a nonbusiness reason," when, on his own admission, "his access of the victims' personal information was not in furtherance of his duties as a TeleService representative and that ‘he did access things that were unauthorized.’ " 628 F.3d 1258, 1263 (11th Cir. 2010). Rodriguez was a former employee of the Social Security Administration convicted of violating the CFAA by accessing his former employer's databases containing sensitive personal information for a purpose other than that required by his job, for which he had been given the access. Id. at 1260–62. Enhanced Recovery was decided after Rodriguez. That court could not ignore the Eleventh Circuit's conclusion in Rodriguez and admitted that the fact that it was a criminal case in no way limited its application in a civil context. See 2015 WL 1470852, at *10 n.7. The lines on which to distinguish Rodriguez instead ran to the policy involved in that case which was "a well-advertised established policy that explicitly conditioned authorization to access a particular individual's file based on whether it was done within the scope of business." Id. at *9 (citing Rodriguez, 628 F.3d at 1260 ). Because the employer's policies limited the authorization to access to a specific use, the court found this policy to be distinguishable from the policy at issue in that case which limited use and disclosure, but did not limit or condition access or authorization. Id. at *10. District courts within the Eleventh Circuit following the Rodriguez decision have taken two main approaches. Some courts have responded similarly to the court in Enhanced Recovery, in their efforts to distinguish Rodriguez.See IBI Group (Florida), Inc. v. B & S Eng'r Consultants, LLC, No. 6:17–cv–246–Orl–18DCI, 2017 WL 7311866, at *4 (M.D. Fla. June 27, 2017) (focusing on the fact that in Rodriguez the "policies explicitly limited the defendant's authorization to access social security files based on his need to do so for business purposes"); Allied Portables, LLC v. Youmans, No. 2:15–cv–294–FtM–38CM, 2015 WL 3720107, at *7 (M.D. Fla. June 15, 2015) ("Unlike the Rodriguez case, the Plaintiffs here have failed to sufficiently allege that [defendants] violated a well established written policy regarding the access of [plaintiff's] information."); Power Equip. Maint., Inc. v. AIRCO Power Serv., Inc., 953 F.Supp.2d 1290, 1297–98 (S.D. Ga. 2013) ("In Rodriguez, the defendant was authorized to access personal information only under specific and narrow circumstances, and only to perform particular tasks."). But, other courts have regarded Rodriguez as establishing a broad reading of the term. See Global Physics Solutions, Inc. v. Benjamin, No. 17-60662-CIV-SCOLA, 2017 WL 6948721, at *2 (S.D. Fla. June 26, 2017) (citing Rodriguez for the proposition that, "When an employee is authorized to access or change information but accesses that information in a way that violates company policy, the employee has exceeded his or her authorized access."); Aquent LLC v. Stapleton, 65 F.Supp.3d 1339, 1346 (M.D. Fla. 2014) ("In 2010, the Eleventh Circuit joined circuits that take a broader view, holding that when the employer had a policy limiting an employee's computer access to that done for business purposes, an employee who accessed a database for an improper purpose exceeded authorized access."); Live Face on Web, LLC v. Tweople, Inc., No: 6:14–cv–44–Orl–22TBS, 2014 WL 12611359, at *2 (M.D. Fla. Sept. 29, 2014) (commenting on the broad construction of this term in the Eleventh Circuit in Rodriguez ); Lighthouse List Co., LLC v. Cross Hatch Ventures Corp., No. 13-60524-CIV-DIMITOULEAS, 2013 WL 11977916, at *6 (S.D. Fla. Aug. 9, 2013) (finding the Eleventh Circuit's broad interpretation controlling on this issue); TEC Serv, 2013 WL 12177342, at *3 (holding that Rodriguez is precedent in this Circuit).
More recently, the Eleventh Circuit has opined that though there is much disagreement with Rodriguez, "We are, of course, bound by Rodriguez," even though it "note[s] its lack of acceptance." EarthCam, Inc. v. OxBlue Corp., 703 Fed.Appx. 803, 808 n.2 (11th Cir. 2017). In EarthCam, the court commented that its prior opinion was the "one published opinion" in which it had "expounded" the CFAA definition of "exceeds authorized access." Id. at 808. Attempting to clarify the holding in Rodriguez, the court continued by stating that, "Although it is not entirely clear, one of the lessons from Rodriguez may be that a person exceeds authorized access if he or she uses the access in a way that contravenes any policy or term of use governing the computer in question." Id. This opinion appears to affirm both Rodriguez's broader reading of the term, as well as an interpretation of the that decision that does not narrow its holding. See Sunil Gupta, M.D., LLC v. Franklin, No. 17-00335-N, 2017 WL 5196392, at *4–5 (S.D. Ala. Nov. 9, 2017) (finding that Rodriguez is the only binding authority on this issue within this Circuit and that EarthCam, while acknowledging that this may not be a majority interpretation, does not depart from his prior holding). This Court concludes that Rodriguez binds the Court to a broad interpretation of exceeding authorized access under the CFAA.
Finally, though there is more discussion in the case law about the definition of exceeding authorized access in the CFAA, courts have indicated that this term in the SCA should follow its definition in the CFAA. In TEC Serve, LLC, the court reaches this conclusion, after, as noted above, approving the Rodriguez interpretation. 2013 WL 12177342, at *4 ("The CFAA has a definition of ‘exceeds authorized access’ that the Court finds persuasive in concluding that [defendant] could have violated the SCA by deleting work emails when there was a policy against such action."). See Live Face on Web, LLC, 2014 WL 12611359, at *3 (commenting on the similarity of the two acts and concluding, "The [SCA] is relatively similar to the CFAA ... However, the SCA does not provide a cause of action for ‘acts of individuals who ‘intercept’ or ‘access’ communications that are otherwise readily accessible by the general public.’ "). See also Estes Forwarding Worldwide LLC v. Cuellar, 239 F.Supp.3d 918, 924 (E.D. Va. 2017) (indicating that similar terms in the CFAA and SCA would be interpreted similarly) (citing Global Policy Partners, LLC v. Yessin, 686 F.Supp.2d 631, 636 (E.D. Va. 2009) ).
The question which remains for the Court is whether Plaintiff has provided undisputed evidence to meet its burden with respect to its CFAA claim and its SCA claim. As to the four elements of the CFAA claim, Plaintiff must establish that Defendant: "(1) intentionally ‘accessed’ a computer, (2) lacked authorization or exceeded his authorized access to the computer, (3) obtained information from the computer, and (4) caused a loss of at least $5,000.00 to [Plaintiff]." Clarity Services, Inc., 698 F.Supp.2d at 1313 (M.D. Fla. 2010) (citing 18 U.S.C. §§ 1030(g); (a)(2)(C) ). The Court recognizes that Plaintiff has sought summary judgment only as to liability and not as to the amount of loss. However, the fourth element of this claim requires, at this summary judgment stage, that there be no material dispute of fact about that fact that Plaintiff has suffered at least $5,000.00 of loss. As noted above, the type of loss Plaintiff is claiming has been found in this Circuit to be a type contemplated by this statute. Certainly, Plaintiff's Complaint alleges that Defendant's conduct has cost it damages in at least this amount. See DE 1, ¶¶ 85, 94. And, Defendant duly denies the allegations set forth in these paragraphs. See DE 20, ¶ 1. And, there the story ends. Neither Party has said aught else about the amount of loss in the summary judgment pleadings. Rather, Plaintiff has stated no facts and offered no evidence of its damages. The Court is thus compelled to find that there is a material dispute of fact about element four in that Plaintiff has not met its burden of offering any proof by which the Court could ascertain that its loss in relation to Defendant's conduct has been at least $5,000.00. Plaintiff has plead this loss amount. Defendant has denied it.
But, the Court will examine the other three elements of Plaintiff's CFAA claim in order to determine if any disputes of material fact would prevent the Court from ruling in favor of either Plaintiff or Defendant at this stage on these other factors. Defendant contends that Plaintiff's argument at summary judgment rests only on the fact that the Court must infer that the answers to questions, such as those cited above, at his deposition, are unfavorable to him due to the fact that he refused to answer and instead asserted his right against self-incrimination pursuant to the Fifth Amendment. The Court does, as it must, draw this adverse inference against Defendant. He has refused to answer questions about whether he has given the Korell Exhibits to Lucas or to Lucas's lawyers. Under Rodriguez, in this Circuit, this conduct, which would contravene existing computer policies of Plaintiff, as cited above, would thus exceed his authorized access. See supra I. Such conduct is intentional access of a computer, and would constitute obtaining information from a computer. But, Defendant is incorrect that Plaintiff's only evidence is the adverse inferences drawn against him. Other undisputed facts in this case support the conclusion to which the adverse inference against Defendant leads. First, there is no dispute as to what happened at the Korell deposition. The Korell Exhibits were introduced, and Defendant does not dispute the fact that they were never given to Lucas in discovery. He appears to argue that they should have been given to Lucas in that state court proceeding, but that is a question about which this Court need offer no opinion as it has no bearing upon the issues which must be decided here. No one disputes that these Korell Exhibits consist of documents, as previously noted, many of which are emails, which are internal documents of Plaintiff with no public source that any Party has brought to the attention of the Court or even suggested. Plaintiff also provides the investigation of Tuley who attempted to determine the source of the leak of these internal documents. Defendant does not dispute Tuley's findings. He does not offer a competing expert who calls into question any of these findings. He focuses the Court's attention on certain paragraphs, believing that some isolated statements support Plaintiff's inability to pinpoint with complete certainty how the leak of its internal documents has occurred. And, the Court would agree with Defendant that, apart from the adverse inference it is required to draw against him, the information Plaintiff learned about possible sources of the leak would not be sufficient to meet its burden. But, all of these facts taken together permit the Court to find that there are no disputed facts as to all elements—except for the element that the damages are $5,000.00 or more—which Plaintiff is required to prove to establish liability under the CFAA. Additionally, as to liability under the SCA, in that statute a damage amount is not an element of the claim. As cited above, the elements of this violation are contained in the statute and require that Defendant "intentionally accesses without authorization a facility through with an electronic communication service is provided" or "intentionally exceeds authorization to access that facility" "and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system." 18 U.S.C. § 2701(a). The Eleventh Circuit has unequivocally stated that Microsoft 365, a cloud-based service, through which emails are sent and received, and which was the system Plaintiff used, "is a facility through which an electronic communication service is provided," for the purposes of the SCA. Brown Jordan Int'l, Inc., 846 F.3d 1167, 1177 n.4 (11th Cir. 2017). Thus, for all the reasons the Court has stated, the same evidence supports a finding of liability for Plaintiff and against Defendant pursuant to the SCA. Accordingly, after due consideration, it is
ORDERED AND ADJUDGED as follows:
1. Defendant Gerard Anthony Basel's Motion For Summary Judgment (DE 33) be and the same is hereby DENIED ;
2. Plaintiff Hamilton Group Funding, Inc.'s, Motion For Summary Judgment On Liability (DE 31) be and the same is hereby GRANTED in part as follows:
a) As to Count I, Plaintiff's Motion (DE 31) is hereby GRANTED , as to liability only, and only as to all elements of this claim, other than the requirement that Defendant's actions caused a loss of at least $5,000.00 to Plaintiff;
b) As to Count II, Plaintiff's Motion (DE 31) is hereby GRANTED , as to liability only, and only as to Plaintiff's claim pursuant to the Stored Communications Act, 18 U.S.C. § 2701, et seq., and not as to any separate claim pursuant to the Electronic Communications Privacy Act, 18 U.S.C. § 2510, et seq., which the Stored Communications Act is contained within.
DONE AND ORDERED in Chambers at Fort Lauderdale, Broward County, Florida, this 12th day of April, 2018.
ORDER on Motion to Alter or Amend
THIS MATTER is before the Court upon Defendant Basel's Motion To Alter Or Amend Judgment (DE 93). The Court has carefully reviewed said Motion, the entire court file and is otherwise fully advised in the premises.
By its Order (DE 92), the Court granted, in part, Plaintiff Hamilton Group Funding, Inc.'s, Motion For Summary Judgment On Liability (DE 31), as to liability on all but one of the elements of Plaintiff's claim in Count I, pursuant to the Computer Fraud And Abuse Act, 18 U.S.C. § 1030 et seq., and as to liability on Plaintiff's claim in Count II, pursuant to the Stored Communications Act, 18 U.S.C. § 2701 et seq. DE 92, p. 27-28. Thus, at least one element of Count I and damages for both Counts remain for a bench trial in the above-styled cause. Final Judgment, thus, has not yet been entered, but will be entered at the conclusion of said trial.
The Court did not grant summary judgment as to any separate claim pursuant to the Electronic Communications Privacy Act, 18 U.S.C. § 2510 et seq., as the Court did not believe such relief was sought by Plaintiff's Motion (DE 31). The Court stated in its Order (DE 92) that any remaining claim from Count II, if pursued separately from Plaintiff's Stored Communications Act claim from Count II remains for trial. DE 92, p. 14, n.5.
--------
By the instant Motion (DE 93), Defendant moves the Court to alter or amend its judgment pursuant to Fed. R. Civ. P. 59(e), at times incorrectly referred to by Defendant as Fed. R. Civ. P. 59(c), which is a section of Rule 59 dealing with the time to serve affidavits. See DE 95, pp. 1-2. The Court is not convinced that even a Motion under Rule 59(e) is timely at this stage of the litigation, prior to the entry of final judgment. But, as "The Eleventh Circuit has yet to consider the issue of whether an order granting summary judgment is considered sufficient entry of judgment under Rule 59(e)," this Court, like the court in Florida Land Title Company v. Martinez, will also find that "even if [Defendant's] motion to alter or amend is premature as no final judgment has been entered, the motion may be addressed if it meets the other requirements of Rule 59(e)." No. 93-1770-CIV-T-17C, 1995 WL 839595, at *2 (M.D. Fla. Dec. 6, 1995).
With respect to evaluating a Rule 59 motion, "The decision to alter or amend judgment is committed to the sound discretion of the district judge and will not be overturned on appeal absent an abuse of discretion." American Home Assur. Co. v. Glenn Estess & Assoc., Inc., 763 F.2d 1237, 1238-39 (11th Cir. 1985) (further citations omitted). See also Arthur v. King, 500 F.3d 1335, 1343 (11th Cir. 2007) ("We review the denial of a Rule 59 motion for abuse of discretion. Drago v. Jenne, 453 F.3d 1301, 1305 (11th Cir. 2006). ‘The only grounds for granting [a Rule 59 ] motion are newly-discovered evidence or manifest errors of law or fact.’ In re Kellogg, 197 F.3d 1116, 1119 (11th Cir. 1999). ‘[A] Rule 59(e) motion [cannot be used] to relitigate old matters, raise argument or present evidence that could have been raised prior to the entry of judgment.’ Michael Linet, Inc. v. Village of Wellington, Fla., 408 F.3d 757, 763 (11th Cir. 2005).").
After a thorough review of the Court's prior ruling in the above-styled cause, the Court finds no reason offered in Defendant's Motion (DE 93), which, indeed, is primarily composed of arguments which the Court has previously considered and rejected, to alter or amend its prior Order (DE 92). The Court has not only relied on the adverse inference pursuant to Defendant's exercise of his Fifth Amendment Right not to incriminate himself, but has considered all of the evidence in conjunction with the presumption the Court is required to draw against him. See DE 92, p. 17 ("But, the Court is not permitted and will not rest any findings against Defendant on the fact of his assertion of his privilege alone."). Defendant cannot now be heard to assert arguments which no evidence in the record supports, and the conclusion of the related ongoing state case, discussed in more detail in the Court's prior Order (DE 92), cannot change Defendant's failure to offer that evidence in this case. The Court has already set forth in detail its legal conclusions regarding binding precedent in this Circuit, as well as its interpretation of said precedent. Thus, the Court's prior ruling remains the same.
Accordingly, after due consideration, it is
ORDERED AND ADJUDGED that Defendant Gerard Anthony Basel's Motion To Alter Or Amend Judgment (DE 93) be and the same is hereby DENIED.
DONE AND ORDERED in Chambers at Fort Lauderdale, Broward County, Florida, this 23rd day of July, 2018.