Summary
holding that where "Plaintiff has not described any measures taken to ensure confidentiality, other than the assertion that the database is 'only accessible to authorized staff ... and could only be accessed through [Plaintiff's] secure Windows-based domain network and [Plaintiff]-supplied and configured computers, ... [t]he Court cannot conclude that Plaintiff has met its burden on this essential element" of a claim under the Trade Secrets Act
Summary of this case from Lard-VID, LLC v. Ground Support Labs, LLCOpinion
No. 18-2835
02-25-2019
Ronald D. Coleman, Esq. [ARGUED] Brian Block, Esq. Mandelbaum Salsburg 3 Becker Farm Road Suite 105 Roseland, NJ 07068 Counsel for Appellee David Kistler, Esq. [ARGUED] Blank Rome 300 Carnegie Center Suite 220 Princeton, NJ 08540 Michael A. Iannucci, Esq. Blank Rome 130 North 18th Street One Logan Square Philadelphia, PA 19103 Counsel for Appellants
NOT PRECEDENTIAL
Appeal from the United States District Court for the District of New Jersey
(D.C. No. 3-18-cv-03540)
District Judge: Hon. Anne E. Thompson Before: AMBRO, SHWARTZ, and FUENTES, Circuit Judges. OPINION Ronald D. Coleman, Esq. [ARGUED]
Brian Block, Esq.
Mandelbaum Salsburg
3 Becker Farm Road Suite 105
Roseland, NJ 07068
This disposition is not an opinion of the full Court and, pursuant to I.O.P. 5.7, does not constitute binding precedent.
Counsel for Appellee David Kistler, Esq. [ARGUED]
Blank Rome
300 Carnegie Center
Suite 220
Princeton, NJ 08540 Michael A. Iannucci, Esq.
Blank Rome
130 North 18th Street
One Logan Square
Philadelphia, PA 19103
Counsel for Appellants SHWARTZ, Circuit Judge.
Scherer Design Group, LLC ("SDG"), obtained a preliminary injunction that stopped its former employees, Defendants Daniel Hernandez, Ryan Waldron, Chad Schwartz, and Kyle McGinley, from contacting SDG's clients and destroying information taken from SDG. Defendants assert that SDG surreptitiously monitored Hernandez's Facebook activity after he left SDG, and claim this constitutes unclean hands barring SDG from obtaining equitable relief. Because the Court acted within its discretion in declining to apply the unclean hands doctrine, we will affirm.
I
"In an appeal from the grant or denial of a preliminary injunction, we typically view the facts in the light most favorable to the prevailing party." Arrowpoint Capital Corp. v. Arrowpoint Asset Mgmt., LLC, 793 F.3d 313, 316 n.1 (3d Cir. 2015).
SDG is an engineering firm that provides services to wireless carriers and other vendors in the telecommunications business. Schwartz alleges that he was promised a partnership in SDG. During discussions about a potential ownership stake, Schwartz informed SDG that if he did not reach an agreement with SDG, he would start a competing engineering firm. SDG asked Schwartz to enter a noncompete agreement, but he declined, and, in November 2017, Schwartz resigned and started two competing engineering firms, Defendants Ahead Engineering and Far Field Telecom.
Schwartz thereafter recruited Hernandez, McGinley, and Waldron to join his firms. While Hernandez, McGinley, and Waldron were still employed by SDG, they (1) discussed their new venture using, at least in part, Facebook, and (2) transmitted SDG's documents and information to Schwartz's firms.
During the 2017 Christmas vacation period, Schwartz accepted a project from one of SDG's largest clients, ExteNet, which SDG had allegedly declined because SDG would be closed through the New Year. Schwartz asked Waldron, who was on vacation from SDG at the time, to assist him with the project. ExteNet eventually left SDG and became Schwartz's client.
Hernandez, McGinley, and Waldron resigned from SDG in January 2018. Hernandez testified that while he worked at SDG, he accessed his Facebook account from his SDG laptop, and "would log off sometimes and leave it open sometimes," but that on the day he resigned from SDG—at the direction of his co-Defendants—he "closed out of Facebook" by clearing the history on the internet browsers on his SDG laptop, App. 227, 334 ("I cleared the passwords which logs you out.").
After the mass resignation and loss of ExteNet as a client, SDG's network administrator was instructed to examine Defendants' SDG computers. The administrator (1) reviewed Hernandez's browser history using software that allowed him to access deleted activity, (2) asserts that he accessed Hernandez's Facebook account without a password because Hernandez had not cleared it from the computer, and (3) installed software that allowed him to monitor Hernandez's Facebook activity without detection. From February through mid-March 2018, the administrator accessed Hernandez's Facebook account "very often" from Hernandez's SDG laptop, App. 210, and saw messages that revealed Defendants' plans and the actions that they took to secure SDG's client information and other intellectual property.
At the time of Defendants' employment, SDG had no policies informing employees that SDG retained the right to monitor their use of SDG computers, and did not remind departing employees to log out of personal accounts prior to their departure.
SDG's network administrator attempted to review the other Defendants' browsing histories but was unable to do so "[b]ecause they cleared all of their information and were logged out of all of their accounts." App. 221.
SDG sent Defendants cease and desist letters, and thereafter filed a complaint in the New Jersey Superior Court alleging, among other things, breach of the duty of loyalty, tortious interference with prospective business relationships, and misappropriation of trade secrets. With the complaint, SDG sought a temporary restraining order ("TRO") and a preliminary injunction. Defendants removed the case to the United States District Court for the District of New Jersey.
After granting SDG's request for a TRO, the District Court allowed the parties to conduct expedited discovery and then it held argument on SDG's injunction request. Defendants produced, among other things, testimony from Hernandez, who insisted that he logged out of his Facebook account before he returned his computer to SDG, and a report from a computer forensics expert, who opined that (1) "it is highly unlikely" that Hernandez's Facebook account "remained logged on the SDG laptop after January 17, 2018" and (2) SDG accessed the Facebook account using Hernandez's password. App. 245. In response, SDG produced a supplemental declaration from its network administrator stating that he did not have Hernandez's password and that Hernandez "likely . . . misremembered logging out of his Facebook account" or may have "thought" he logged out but did not do so because of Facebook's "persistent" picture login "feature," which requires additional steps to completely log out. App. 342-46.
The District Court acknowledged that the parties "hotly dispute" how SDG gained access to Hernandez's Facebook account but, without resolving this factual dispute, determined that the unclean hands doctrine did not bar injunctive relief because (1) it "may be reasonable" for an employer such as SDG to access password-protected content on a company laptop; (2) SDG's conduct "is arguably not related to the litigation" because "[w]hile it goes to Plaintiff's full knowledge of the underlying facts," Defendants' alleged breaches of loyalty, tortious interference, and/or trade secret violations predate SDG's alleged hacking of Hernandez's account and SDG's actions did not "affect" the Defendants' alleged violations; and (3) "[o]n balance," the Court was not persuaded that "unclean hands" should bar SDG's right to pursue injunctive relief. App. 9. The Court then considered the preliminary injunction factors, determining that SDG "demonstrated a strong likelihood of success on the merits of its breach of the duty of loyalty claim" and that SDG would be irreparably harmed without an injunction barring Defendants from soliciting SDG's clients and from destroying information taken from SDG. App. 18-22. Defendants appeal the Court's decision not to apply the unclean hands doctrine.
II
The District Court had jurisdiction over SDG's claims against Defendants. 28 U.S.C. §§ 1331, 1367. We have jurisdiction to review the Court's order granting a preliminary injunction under 28 U.S.C. § 1292(a). The decision to grant or deny a preliminary injunction is within the sound discretion of the district court. Winter v. Nat. Res. Def. Council, Inc., 555 U.S. 7, 24, 33 (2008). "Ordinarily, an abuse of discretion standard applies to our review of the district court's application of the unclean hands doctrine. However, the parameters of the unclean hands doctrine implicate a matter of law," Ne. Women's Ctr., Inc. v. McMonagle, 868 F.2d 1342, 1354 (3d Cir. 1989), which we review de novo, K.A. ex rel. Ayers v. Pocono Mountain Sch. Dist., 710 F.3d 99, 105 (3d Cir. 2013).
The unclean hands doctrine is "derived from the unwillingness of a court, originally and still nominally one of conscience, to give its peculiar relief to a suitor who in the very controversy has so conducted himself as to shock the moral sensibilities of the judge." Gaudiosi v. Mellon, 269 F.2d 873, 882 (3d Cir. 1959) (quotation marks and citation omitted). The doctrine "applies when a party seeking relief has committed an unconscionable act immediately related to the equity the party seeks in respect to the litigation." Highmark, Inc. v. UPMC Health Plan, Inc., 276 F.3d 160, 174 (3d Cir. 2001) (citing Keystone Driller Co. v. Gen. Excavator Co., 290 U.S. 240, 245 (1933)). Thus, a party seeking to invoke the doctrine must show: (1) the party seeking equitable relief committed an unconscionable act; and (2) the act is related to the claim upon which equitable relief is sought.
Under our jurisprudence, proof of injury is not required. See, e.g., In re New Valley Corp., 181 F.3d 517, 526 (3d Cir. 1999) (citing Gaudiosi, 269 F.2d at 881-82).
The unclean hands doctrine "is not an automatic or absolute bar to relief; [rather,] it is only one of the factors the court must consider when deciding whether to exercise its discretion and grant an injunction." 11A Charles Alan Wright & Arthur R. Miller, Federal Practice and Procedure § 2946 (3d ed. 1998) (citing Johnson v. Yellow Cab Transit Co., 321 U.S. 383, 387 (1944) (explaining that the unclean hands doctrine "is not a rigid formula which 'trammels the free and just exercise of discretion'"); Shondel v. McDermott, 775 F.2d 859, 868 (7th Cir. 1985) ("Today, 'unclean hands' really just means that in equity as in law the plaintiff's fault, like the defendant's, may be relevant to the question of what if any remedy the plaintiff is entitled to."); and Houston Oilers, Inc. v. Neely, 361 F.2d 36 (10th Cir. 1966)). Thus, a court retains the discretion to grant equitable relief even where the elements of the unclean hands doctrine are met. See Johnson, 321 U.S. at 387 (explaining that while "a federal court should not, in an ordinary case, lend its judicial power to a plaintiff who seeks to invoke that power for the purpose of consummating a transaction in clear violation of law" courts need not "always permit a defendant wrongdoer to retain the profits of his wrongdoing merely because the plaintiff himself is possibly guilty of transgressing the law in the transactions involved"); In re New Valley Corp., 181 F.3d 517, 525 (3d Cir. 1999) (even where there is a "relationship between the inequitable conduct and the claims brought . . . the court has discretion to limit the reach of the doctrine").
Even if SDG's monitoring of Hernandez's Facebook constituted the kind of act that would be viewed as unconscionable, the District Court did not err in concluding the conduct was not related to the claim upon which equitable relief was sought. For the unclean hands doctrine to apply, "there must be a relationship between the inequitable conduct and the claims brought before the court." New Valley Corp., 181 F.3d at 525 (citations omitted). In describing the "relationship" element, we have said that the unclean hands doctrine will bar recovery when such conduct "has immediate and necessary relation" to the equity sought. Id. (quoting Keystone, 290 U.S. at 245). Thus, the doctrine "only applies when there is a direct nexus between the bad conduct and the activities sought to be enjoined." Id.; see also Ne. Women's Ctr., Inc. v. McMonagle, 868 F.2d 1342, 1354, 1356 (3d Cir. 1989) (reversing district court's determination that unclean hands precluded issuance of injunction in favor of plaintiff women's health clinic because a physician's failure to comply with state fetal tissue inspection law had no relationship with defendant antiabortion protesters' liability under the RICO, contract interference, and trespass counts); Ciba-Geigy Corp. v. Bolar Pharm. Co., 747 F.2d 844, 855-56 (3d Cir. 1984) (affirming grant of permanent injunction and rejection of unclean hands argument where "the alleged wrongdoings [did] not relate to the subject matter of [the] claim"); Monsanto Co. v. Rohm & Haas Co., 456 F.2d 592, 598 (3d Cir. 1972) (applying unclean hands doctrine to bar equitable remedies in patent infringement case where patents at issue were procured through misrepresentations in the patent application).
"To prevail on an unclean hands defense, the defendant must show fraud, unconscionability, or bad faith on the part of the plaintiff." S & R Corp. v. Jiffy Lube Int'l, Inc., 968 F.2d 371, 377 n.7 (3d Cir. 1992). The misconduct, however, "need not necessarily have been of such a nature as to be punishable as a crime or as to justify legal proceedings of any character. Any willful act concerning the cause of action which rightfully can be said to transgress equitable standards of conduct is sufficient cause for the invocation of the maxim . . . ." Monsanto Co. v. Rohm & Haas Co., 456 F.2d 592, 598 (3d Cir. 1972). Because showing unclean hands requires two elements, establishing that an act is illegal or "transgress[es] equitable standards" is a necessary but insufficient condition for the doctrine's application. See Ciba-Geigy Corp. v. Bolar Pharm. Co., 747 F.2d 844, 855 (3d Cir. 1984) (holding unclean hands did not preclude injunction because plaintiff's alleged regulatory violations did "not implicate transgressions so egregious as to merit the preclusion of an injunction" against manufacturer of generic drug found to have violated trademark laws).
Because the District Court did not clearly err by disposing of the unclean hands argument on relatedness grounds, we need not decide whether SDG violated New Jersey privacy law because the alleged "violation is at most collateral" to the causes of action "involved in this lawsuit." See Ne. Women's Ctr., 868 F.2d at 1353. In any event, our dissenting colleague's discussion about privacy and computers mistakenly asserts that (1) an employer may only access personal password-protected content that an employee viewed on a work computer "so long as the employer's policies clearly communicate[] that such content may be monitored," Dissent Op. at 3, and (2) "mere use of a password to protect an account or files generally conveys a clear intent to prevent others' access," Dissent Op. at 6-7. The first point overstates the holding of Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010). In that case, the New Jersey Supreme Court held that an employee who "plainly took steps to protect privacy of . . . emails" she sent to her attorney through a third-party program on her company laptop, had a reasonable expectation of privacy in those emails. Id. at 663, 664. The Stengart Court found that the employee had (1) a subjective expectation of privacy based on her own affirmative actions to protect her privacy, and (2) an objective expectation of privacy based on the attorney-client nature of the communications and the company's electronic communications policy, which did not discuss the use of personal accounts on company computers. Id. at 663-64. The presence of a policy was a consideration but certainly was not dispositive. Id. at 662-63. Indeed, the Stengart Court emphasized the plaintiff's affirmative actions to protect her privacy on her work computer, including by not saving her personal account password on it. Id. at 663, 665. Stengart is also distinguishable from this case because Stengart involved emails to plaintiff-employee's attorney and this case involves review of browsing history on SDG's computer, where there is a lesser expectation of privacy. Liebeskind v. Rutgers Univ., No. A-0544-12T1, 2014 WL 7662032, at *7 (N.J. Super. Ct. App. Div. Jan. 22, 2015) ("The browsing history on plaintiff's workplace computer does not hold the same expectations of privacy that emails to an attorney hold."). The second point is based on a collection of various cases from outside New Jersey that do not involve employees' work computers, or the employers' access to personal accounts the employee accessed from his work computer, or circumstances where the employee saved login information on the employer's computers.
We have also described the "relationship" element in somewhat looser terms. See, e.g., Precision Instrument Mfg. Co. v. Auto. Maint. Mach. Co., 324 U.S. 806, 814-15 (1945) ("[W]hile equity does not demand that its suitors shall have led blameless lives, as to other matters, it does require that they shall have acted fairly and without fraud or deceit as to the controversy in issue.") (quotation marks and citations omitted) (emphasis added)). Regardless of the phrasing, each articulation has a common thread: the doctrine applies only where the unclean "conduct relat[es] to the matter in litigation," Ne. Women's Ctr., 868 F.3d at 1355, and "[t]he nexus 'between the misconduct and the claim must be close,'" Highmark, 276 F.3d at 174 (quoting New Valley Corp., 181 F.3d at 525). The fact that a different framing of the relationship element is possible and the District Court chose a narrower articulation does not mean that the Court erred. See Hohe v. Casey, 868 F.2d 69, 70 (3d Cir. 1989).
"Unless courts insist on a tight connection between the object of the injunction and the misconduct of the plaintiff . . . . the right to injunctive relief . . . would have little value [and] the defendant could divert the proceeding into the byways of collateral misconduct." Shondel, 775 F.2d at 869. Such misdeeds are "'collateral' . . . when the right for which the plaintiff seeks protection in the injunction suit did not accrue to him because of the misdeed." Restatement (Second) of Torts § 940 cmt. c (Am. Law Inst. 1979).
The District Court applied these legal principles and declined to invoke the unclean hands doctrine because SDG's access of Hernandez's Facebook account "does not affect the potential breaches of loyalty, tortious interference, and/or trade secret violations that are the subject of the litigation and which occurred prior to Plaintiff's alleged hacking of Hernandez's account." App. 9. This conclusion was sound for three reasons. First, SDG did not dirty its hands to "acquire[ the] rights" it asserts in its complaint. S. Cal. Darts Ass'n v. Zaffina, 762 F.3d 921, 933 (9th Cir. 2014); see also Restatement (Second) of Torts § 940 cmt. c ("equity will not aid a person to reap the benefits of his own misconduct"). Unlike a patent holder who obtains patent rights based upon a fraudulent patent application, Monsanto, 456 F.2d at 598, SDG did not monitor Hernandez's Facebook account so it could obtain a right that SDG did not otherwise have. Defendants owed a duty of loyalty to SDG long before the Facebook monitoring occurred.
Second, while SDG obtained proof of its duty of loyalty claim from its monitoring, and thus it benefitted from its activity, SDG had a right to Defendants' loyalty and could prove their breach of that duty without relying on the surreptitiously obtained Facebook messages. Put differently, SDG's alleged misconduct has a link with Defendants' breach of loyalty claim insofar as SDG's conduct led it to proof of its duty of loyalty claim, see App. 52 (Verified Compl. ¶ 75 ("To the extent these discussions referred to downloads by Hernandez, McGinley and Waldron from the SDG computer network, SDG was able to corroborate virtually all of them with the removal of portable storage devices such as flash drives from users' computers as logged by the auditing function of SDG's Windows domain operating system.")), but this conduct did not give rise to the claim upon which SDG seeks relief. Thus, SDG's monitoring of the Facebook messages is not related to "whether [Defendants], at some earlier point, stole [SDG's] property." Sullens v. Graham, No. 14 CV 866, 2014 WL 6765138, at *2 (N.D. Ill. Dec. 1, 2014).
That said, the Facebook messages would have been discoverable.
Third, SDG's alleged privacy violation and Defendants' alleged breach of the duty of loyalty are causes of action "governed by distinct bodies of law that provide their own separate remedies for misconduct." Intertek USA Inc. v. AmSpec, LLC, No. 14 CV 6160, 2014 WL 4477933, at *7 (N.D. Ill. Sept. 11, 2014).
Not only is the law distinct but the impact of the alleged conduct differs. Unlike SDG's Facebook monitoring, which has ceased, Defendants' alleged theft of SDG's client information and other intellectual property could result in future economic harm.
In sum, because relatedness is a "critical element of the unclean hands doctrine," New Valley Corp., 181 F.3d at 524, and SDG's allegedly unclean conduct is not directly related to Defendants' breach of the duty of loyalty, the District Court did not abuse its discretion in declining to apply the unclean hands doctrine to deny SDG's request for equitable relief.
III
For the foregoing reasons, we will affirm. AMBRO, Circuit Judge, dissenting
The District Court's decision to issue a preliminary injunction preventing SDG's former employees from communicating with SDG clients or using SDG documents might be the correct outcome in this case. And if, as my colleagues conclude, the Court determined that SDG's conduct was not sufficiently related to trigger unclean hands, I agree affirmance may be appropriate. But because I am not sure it made such a determination, and I think its privacy analysis is faulty, I am uncomfortable affirming at this time.
Unclean hands law prevents injunctive relief to one who otherwise would merit it. Inequity cancels out equity. Under our precedent, unclean hands applies when (1) the conduct of one seeking to enjoin another offends the court's conscience and (2) "in some measure affect[s] the equitable relations between the parties in respect of something brought before the court for adjudication[, which typically goes by the term relatedness]." Highmark, Inc. v. UPMC Health Plan, Inc., 276 F.3d 160, 174 (3d Cir. 2001) (quoting Keystone Driller Co. v. General Excavator Co., 290 U.S. 240, 245 (1933)). We ordinarily review an unclean hands ruling for abuse of discretion, but conduct plenary review of a district court's offensiveness and relatedness determinations to the extent they implicate a matter of law. Ne. Women's Ctr., Inc. v. McMonagle, 868 F.2d 1342, 1353-54 (3d Cir. 1989).
The District Court observed that SDG's "conduct is arguably not related to the litigation to find unclean hands. While it goes to [SDG's] full knowledge of the underlying facts, it does not affect the potential breaches of loyalty, tortious interference, and/or trade secret violations that are the subject of the litigation and which occurred prior to [SDG's] alleged hacking of Hernandez's account." App. at 9. Though the Court notes that this is "arguably" correct, it is not definitive. I have the same lack of certainty.
For offensiveness, however, I part ways with the District Court and my colleagues. The Court states that "it may be reasonable and does not necessarily amount to an intrusion upon seclusion for an employer to have access to and view password-protected content on a company laptop." Id. I believe an incorrect view of New Jersey privacy law affected the Court's thinking as to whether SDG's conduct—including accessing a former employee's password-protected PNC bank account and actively monitoring his Facebook Messenger account—is offensive.
The opinion also refers to a discussion at the April 3 oral argument, which likewise shows the Court is very skeptical that SDG's conduct is concerning.
MR. KISTLER: . . . . Your Honor, they continued to monitor and look at these communications after all of these individuals left the company on January 18th for another six weeks.Apr. 3, 2018 TRO Tr. at 43:11-44:3 (emphases added).
THE COURT: Of course they would. Why wouldn't they?
MR. KISTLER: Because it's illegal I would submit, Your Honor.
THE COURT: I'm not at all persuaded of that. . . .
Reasonable minds can interpret differently the Court's ruling that, "[o]n balance, [it] is not persuaded that Plaintiff's 'unclean hands' should bar its right to pursue injunctive relief." Id. But if its privacy analysis to get to that conclusion misses the mark, a redo is in order. Hence I write separately to explain why I believe it is unlawful to access a former employee's password-protected bank account and actively monitor his private digital communications months after he resigned.
I. SDG's access of Hernandez's accounts was unlawful and offensive conduct
A. Employer monitoring under New Jersey Law
The District Court cites to Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010), to support its view that SDG's conduct "may be reasonable and does not necessarily amount to an intrusion upon seclusion." App. at 9. I don't read Stengart that way. It held that an employer may not view password-protected attorney-client emails that an employee sent from a company computer and which it subsequently recovered. 990 A.2d at 665. In so ruling, the Court stated not only that the computer-use policy of the employer failed to disclose the monitoring of employee activities on company computers, id. at 659, but also concluded that these emails would still be privileged and access to them unenforceable even if the company had such a policy, id. at 665. The employee in Stengart had a subjective expectation of privacy in her use of personal, password-protected accounts on her company laptop and an "objectively reasonable expectation" of privacy based on "the language of the Policy and the attorney-client nature of the communications." Id. at 663.
Though SDG accessed content that was not attorney-client privileged, it was clearly private. SDG accessed that content not by recovering from Hernandez's company computer copies of the messages he viewed or sent but rather by infiltrating his personal, password-protected accounts. In other words, SDG went on an external fishing expedition rather than merely conducting a review of activity on its own physical assets. Stengart, 990 A.2d at 665. And SDG also didn't have any policies disclosing its monitoring practices. Thus nothing in Stengart nor any subsequent New Jersey case suggests SDG's conduct is permissible.
Indeed, a non-precedential New Jersey Superior Court case interpreting Stengart suggests that even a clear policy may not permit an employer to retrieve and view password-protected personal communications or accounts that the employee accessed on a work computer. In Liebeskind v. Rutgers Univ., No. A-0544-12T1, 2014 WL 7662032, at *7 (N.J. Super. Ct. App. Div. Jan. 22, 2015), the Court held that an employee lacked an expectation of privacy in his non-password-protected browsing history on his company computer where Rutgers had a clear policy that it "reserve[d] the right to examine material stored on or transmitted through its facilities." The Court emphasized, however, that, "[i]mportantly, there is no competent evidence that defendants tried to access the content of personal, password-protected emails or personal accounts." Id.
SDG concedes these facts. Its head of Information Technology, Jason Gerstenfeld, reviewed the browser history from Hernandez's old SDG laptop roughly a month after Hernandez resigned. While viewing it, Gerstenfeld clicked on links to many of Hernandez's personal, password-protected, and off-premises accounts. He successfully bypassed the log-in requirements for three of them: Hernandez's personal PNC Bank Account, his Dropbox account (associated with his SDG email), and his Facebook Messenger account. From February 15 through March 15, Gerstenfeld and SDG's founder, Glenn Scherer, monitored many times a day Hernandez's Facebook Messenger activity, which is both password-protected and end-to-end encrypted. To repeat, SDG had no computer-use policies disclosing that the company might monitor employee activity on its computers or access personal accounts of employees after they left the company.
This conduct surely is beyond the scope of permissible conduct that Stengart recognizes. SDG infiltrated password-protected accounts hosted on third-party servers and networks without any authorization. It had no connection to or right to view the information in these private accounts (except through the traditional discovery process, which has procedural safeguards on information acquisition and use). And neither the parties nor my colleagues can identify any authority under New Jersey law that suggests a mere computer-use policy may permit a company to acquire password-protected information not already stored on a company computer.
B. Access to personal, password-protected accounts as intrusions upon seclusion
A traditional intrusion analysis leads me to believe that SDG's conceded conduct is tortious. Under New Jersey law, the elements of a privacy claim based on intrusion upon seclusion are (1) intentional conduct that (2) intrudes into a private space and (3) is "highly offensive" to a reasonable person. In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 293 (3d Cir. 2016) (citing Hennessey v. Coastal Eagle Point Oil Co., 609 A.2d 11, 17 (1992)). Let's look at each element.
i. Intentional conduct
A person acts intentionally if he knows he lacks either legal or personal permission to intrude into a private space. Id. (citing O'Donnell v. United States, 891 F.2d 1079, 1083 (3d Cir. 1989)). In other words, if an intruder searches another's private space and is uncertain whether her search is lawful but knows it was without consent, the intruder acts intentionally. Id. As Hernandez never gave his permission for SDG to access his password-protected accounts, it acted intentionally.
ii. Intrusion into private space
An intrusion must invade a private space, meaning the victim must have a reasonable expectation of privacy in the intruded space. Kline v. Sec. Guards, Inc., 386 F.3d 246, 260 (3d Cir. 2004) (citing Restatement (Second) of Torts § 652B). Individuals have a reasonable expectation of privacy in password-protected online accounts and communications. See, e.g., United States v. Stabile, 633 F.3d 219, 233 (3d Cir. 2011) (observing that employing a password on a shared computer can protect a user's privacy rights vis a vis a third-party to whom a co-owner grants access); Trulock v. Freeh, 275 F.3d 391, 403 (4th Cir. 2001) ("Trulock's password-protected files are analogous to the locked footlocker inside the bedroom. By using a password, Trulock affirmatively intended to exclude Conrad and others from his personal files.").
While Kline applies Pennsylvania law, we have observed that "[s]ince the highest courts of both New Jersey and Pennsylvania have looked to the same treatise, we are comfortable adopting" the same standards in the intrusion context. Nickelodeon, 827 F.3d at 293 n.194.
A cursory review of our sister circuits shows that the mere use of a password to protect an account or files generally conveys a clear intent to prevent others' access. This preserves a user's reasonable expectation of privacy as to the bypassing intruder. See, e.g., United States v. Thomas, 818 F.3d 1230, 1241-42 (11th Cir. 2016) (stating that use of a separate, unshared password or encryption will preserve a user's expectation of privacy as to a third party who happens to access the account); United States v. Heckenkamp, 482 F.3d 1142, 1146-47 (9th Cir. 2007) (concluding that a student's use of a "screen-saver password" preserved his objective and subjective expectations of privacy); United States v. Andrus, 483 F.3d 711, 719 (10th Cir. 2007) (ruling that a user retains an expectation of privacy in a computer where the password's protections are bypassed so long as the bypasser reasonably knew the account was password-protected).
What if Hernandez hadn't cleared his browser history? He attests that he did, but would it matter if he forgot or simply had no way to stop however SDG accessed his accounts? No, for borrowing a person's jacket and discovering a notecard with handwritten passwords to an email or bank account does not make the information on those accounts any less private. In the intrusion context, mere lapses of mind or capacity are insufficient to waive a privacy interest in password-protected accounts. See K-Mart Corp. Store No. 7441 v. Trotti, 677 S.W.2d 632, 638 (Tex. App. 1984) (where an employer intrudes upon an employee's seclusion by searching her locked locker, "it is immaterial whether the [employee] actually securely locked her locker or not") (emphasis added); see also, e.g., Hernandez v. Hillsides, Inc., 211 P.3d 1063, 1076 (Cal. 2009) (employees maintain reasonable expectations of privacy from covert monitoring even though "colleagues, supervisors, visitors, and security and maintenance personnel have varying degrees of access" to shared office).
SDG's forensic report suggests that Hernandez did delete his browser history, but that local files stored on the SDG system gave SDG a backdoor way into his account. "Given the volume and granularity of Internet History records, cached web pages, form fill data, and file access information, available in [SDG's local] dhernandez user profile, efforts to clear the Internet History were unsuccessful[,] leaving session cookies, login information, and other cached data available for another user." App. at 381 (emphasis added). The record does not address whether Hernandez could view or delete these files.
Stengart aligns with these principles. SDG used a former employee's browsing history to access and actively monitor his external, password-protected accounts. This is an intrusion into private space.
iii. Highly offensive
An intentional intrusion into a private space must also be highly offensive to a reasonable person, a determination usually made by juries. See, e.g., Nickelodeon, 827 F.3d at 295; In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125, 151 (3d Cir. 2015). When pressed, as here, to articulate whether an intrusion is highly offensive as a matter of law, courts generally balance interests. See, e.g., Borse v. Piece Goods Shop, Inc., 963 F.2d 611, 625 (3d Cir. 1992) (predicting the Pennsylvania Supreme Court would consider all facts surrounding a drug screening program and weigh the employee's privacy interest against the employer's interest in maintaining a drug-free workplace); Safari Club Int'l v. Rudolph, 862 F.3d 1113, 1127 (9th Cir. 2017) (holding that under California law an intrusion is highly offensive if it satisfies a balancing test with relevant factors that include "the degree and setting of the intrusion[] and the intruder's motives and objectives").
From my review of the conceded facts, I conclude that SDG's conduct was highly offensive given the types of information accessed along with the manner of its intrusions. And, to make matters worse, SDG had a way through discovery to acquire legally all information relevant to its former employees' alleged misconduct.
a. Type of information accessed
The Second Restatement of Torts lists unconsented access to private correspondence, bank accounts, and safes as examples of highly offensive intrusions. See Restatement (Second) of Torts § 652B cmt b (explaining that tortious intrusions are committed, for example, "as by opening his private and personal mail, searching his safe or his wallet, examining his private bank account, or compelling him by forged court order to permit an inspection of his personal documents"). Indeed, SDG's access of Hernandez's private bank account appears to violate the Computer Fraud and Abuse Act. See, e.g., 18 U.S.C. § 1030 (a)(2)(A), (c)(2)(A) (providing for fines and imprisonment of not more than one year for anyone who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information contained in a financial record of a financial institution . . . ."); United States v. Tolliver, 451 F. App'x 97, 103 (3d Cir. 2011).
Federal statutes, not implicated here, also criminalize unauthorized access to personal communications. See, e.g., 18 U.S.C. § 1702 (unconsented access to another's mail); 18 U.S.C. §§ 2511(1), (4)-(5) (interception of another's electronic communications).
The personal communications here were private and must not be viewed absent legal mandate or clear and knowing consent by the sender or a named recipient. Today private communications are perhaps the most common way for people to build authentic relationships, share intimate facts, and expose to another ideas or habits that are works in progress. Private communications are also critical to human organization. People use private messages to plan and advance commercial opportunities (as we see here), political campaigns, and academic research, to name a few. Permitting third parties to monitor private communications without clear permission or legal authorization poses grave and profound risks to a free society.
For this reason, private communications have been a particular concern since the privacy movement began in the United States. See, e.g., Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890) ("The common law secures to each individual the right of determining, ordinarily, to what extent his thoughts, sentiments, and emotions shall be communicated to others"); Millar v. Taylor, 4 Burr. 2303, 2379 (1769) ("It is certain every man has a right to keep his own sentiments, if he pleases. He has certainly a right to judge whether he will make them public, or commit them only to the sight of his friends."); see also Bradley A. Areheart & Jessica L. Roberts, GINA, Big Data, and the Future of Employee Privacy, 128 Yale L.J. 710, 779 (2019) ("Privacy has independent moral value because it allows us to define our relationships through what we keep secret and what we disclose. . . . With respect to intrinsic privacy harms, the detriment is the invasion itself, regardless of whether the intruder actually acts on that information.") (citations omitted).
b. The manner of SDG's intrusion
The way SDG intruded—with covert, sustained, and overbroad monitoring of its former employees' communications—is also highly concerning. It took steps to obscure its monitoring when Gerstenfeld installed the application "fbunseen," which permitted the company to review Hernandez's Facebook Messenger conversations without the other participants knowing.
Once in the account, SDG's search for useful information lasted roughly a month. Both alongside Scherer and on his own, Gerstenfeld monitored Hernandez's Facebook messages many times a day for a month. He continued to monitor actively Hernandez's Facebook Messenger account until March 15, roughly a week after SDG filed suit.
And nothing in the record suggests the scope of SDG's review and acquisition of Hernandez's communications was narrow. SDG snooped on conversations between Hernandez and other friends not related to this litigation. SDG also does not dispute the account of Chad Schwartz, one of the ventures' founders, who declared under penalty of perjury that it reviewed and downloaded privileged attorney communications from Hernandez's account. From the breadth and duration of the search, we may fairly infer that SDG looked for any information that might be useful to its investigation and litigation, its awareness of its competitors' commercial strategies, or gaining understanding of their founders' activities. This monitoring is offensive to anyone's reasonable expectation of privacy.
c. SDG didn't need to act so brazenly
We have litigation to resolve disputes by a legal process, which includes discovery. And indeed SDG had expedited discovery. And yet for SDG that wasn't enough. To the extent Hernandez's accounts held relevant information, I repeat that this information should only have come to light through discovery rather than prior misconduct.
Balancing the interests here, I have no doubt that SDG's conduct was sufficiently offensive for purposes of an unclean hands inquiry.
II. Relatedness
That conduct is unlawful or otherwise offensive to the court's conscience does not mean unclean hands necessarily bars equitable relief. It must also bear a sufficient relationship to either the litigation or claims for equitable relief. As implied above, I think the District Court could have concluded that SDG's conduct was not related to the equitable relief it sought. Or it could have ruled the other way.
Our Court has described the relatedness requirement in various ways over the years. From my review, the three articulations we have most frequently endorsed are:
1. That courts "close their doors" "only for such violations of conscience as in some measure affect the equitable relations between the parties in respect of something brought before the court for adjudication.'" Highmark, Inc. v. UPMC Health Plan, Inc., 276 F.3d 160, 174 (3d Cir. 2001) (quoting Keystone, 290 U.S. at 245).
2. That there must be an "'immediate and necessary relation to the equity that' the party seeks." In re New Valley Corp., 181 F.3d 517, 525 (3d Cir. 1999) (citing Keystone, 290 U.S. at 245).
3. That "the nexus 'between the misconduct and the claim must be close.'" Highmark, 276 F.3d at 174 (quoting In re New Valley Corp., 181 F.3d at 525).
This is not an exhaustive list, and we are not alone in recognizing many standards of relatedness, a practice that dates back over a century. See generally Pomeroy, Equity Jurisprudence §§ 397, 399-403 (5th ed. 2002) (discussing the broad principles that govern unclean hands, its limitations, and distinct analyses in various contexts). As the majority notes, "that a different framing of the relationship element is possible and the District Court chose a narrower articulation does not mean that the Court erred." Majority Op. at 10 n.7. I would only add "necessarily" before "mean."
In its ruling, the District Court applied a two-part test—to be related, the plaintiff's conduct must (1) "bear direct relation to the matter in litigation/before the Court . . . [and (2)] affect the balance of equities." SDG includes in its complaint snapshots of Hernandez's private messages. This satisfies the first requirement. The second requirement is vague by design and gives district courts discretion to determine when misconduct, already connected to the litigation, is sufficiently related for unclean hands to bar equitable relief. See, e.g., Keystone Driller Co. v. Gen. Excavator Co., 290 U.S. 240, 245-46 (1933) ("[Courts] do not close their doors because of plaintiff's misconduct, whatever its character, that has no relation to anything involved in the suit, but only for such violations of conscience as in some measure affect the equitable relations between the parties in respect of something brought before the court for adjudication. . . . They are not bound by formula or restrained by any limitation that tends to trammel the free and just exercise of discretion."). Thus the District Court could conclude that SDG's conduct affected the balance of the equities between the parties.
One way this is possible is if the Court found that the similarity of SDG's conduct to the conduct it challenges affected the balance of equities between the parties—in effect, "a pox on both their houses." The Court stated that Defendants' acquisition of SDG documents is the central basis for the lone claim triggering a preliminary injunction (a breach of New Jersey's duty of loyalty). SDG responded to this activity by accessing Hernandez's external, password-protected accounts and taking information related to him, SDG's new competitors, and their founders. Thus both parties unlawfully acquired from the other information relevant to their competing businesses. Further, each also "abused" Hernandez's relationship with SDG: Hernandez used his employment to acquire SDG information; SDG used Hernandez's activity as an employee to acquire his information. Given these similarities, I think the District Court could have concluded that SDG's conduct affected the balance of equities between the parties. See Ciba-Geigy Corp. v. Bolar Pharm. Co., 747 F.2d 844, 855 (3d Cir. 1984).
Though SDG's conduct was offensive and highly so, the District Court here was within its discretion to rule either way as to whether SDG's access to private accounts was related to the equitable remedies it sought. Thus it could have granted equitable relief in full, as to only certain claims and defendants, or not at all.
But what the Court decided on relatedness was not definitive. It concluded only that SDG's conduct was "arguably not related," and that, "[o]n balance," unclean hands should not apply to bar a preliminary injunction in favor of SDG. Because I think the Court erred in its privacy analysis and this—at least in part—informed its decision not to apply unclean hands, I cannot affirm at this time. See, e.g., Sprint/United Mgmt. Co. v. Mendelsohn, 552 U.S. 379, 386-88 (2008) (where a district court's decision is reviewed for abuse of discretion and may stem from underlying error, the proper course is to clarify the operative legal inquiry and remand unless the record permits only one resolution of the issue). I would clarify the privacy law issue, vacate and remand, and preserve the status quo between the parties so the District Court could consider the unclean hands question within that legal framework.
Thus I respectfully dissent.