Opinion
Case No: 2:15-cv-294-FtM-38CM
06-15-2015
Disclaimer: Documents filed in CM/ECF may contain hyperlinks to other documents or Web sites. These hyperlinks are provided only for users' convenience. Users are cautioned that hyperlinked documents in CM/ECF are subject to PACER fees. By allowing hyperlinks to other Web sites, this court does not endorse, recommend, approve, or guarantee any third parties or the services or products they provide on their Web sites. Likewise, the court has no agreements with any of these third parties or their Web sites. The court accepts no responsibility for the availability or functionality of any hyperlink. Thus, the fact that a hyperlink ceases to work or directs the user to some other site does not affect the opinion of the court.
This matter comes before the Court on the Defendants, Robin Youmans and Garden St. Portables, LLC's Motion to Dismiss and for the Court to Decline Supplemental Jurisdiction on Any Remaining State Law Claims (Doc. #5) filed on May 29, 2015, and the Defendants William "Bill" Oswald , Jr., Billopro, LLC, Lori Langlous, Debra Palmer, and Palmer Accounting & Bookkeeping Service, Inc.'s Motion to Dismiss Complaint for Injunctive Relief and Damages (Doc. #8) filed on May 29, 2015. The Plaintiff Allied Portables, LLC, filed its Response in Opposition to Youmans' Motion to Dismiss (Doc. #26) on June 11, 2015, and her Response in Opposition (Doc. #26) to the Defendants William "Bill" Oswald , Jr., Billopro, LLC, Lori Langlous, Debra Palmer, and Palmer Accounting & Bookkeeping Service's Motion to Dismiss on June 11, 2015.
The Court's subject matter jurisdiction depends upon the Plaintiffs' Claim in Count I, based upon the Computer Fraud and Abuse Act (CFAA) 18 U.S.C. § 1030. Since the arguments are the same regarding Count I, the Court will address both Motions to Dismiss together. The Motions are fully briefed and ripe for the Court's review.
FACTS
The primary business of Allied Portables is the provision of portable restrooms, flushing toilets, hand washing stations, hand sanitization stations, climate controlled restroom trailers, climate controlled shower trailers, and specialized restroom trailers for agricultural use. (Doc. #1, ¶14-15). Allied Portables was formed in 2009 by Robin Youmans and Allied Recycling, Inc. Chester Adamson signed on behalf of Allied Recycling. Robin Youmans owns 49% of Allied Portables and was selected to be the managing member. Connie Adamson was substituted as a member replacing Allied Recycling, LLC in 2012.
As managing member Youmans carried out Allied Portables day to day administrative operations with the assistance of the other Defendants in this action, William Oswald, Jr., Lori Langlois, and Deborah Palmer. (Doc. #1, ¶21). As the managing member, Youmans oversaw the daily operations of Allied Portables including sales, operations, vendor and customer relationships. Youmans via third party vendors set up and serviced Allied Portables' computer systems. Youmans had unfettered access to all of Allied Portables' confidential, business, and trade secret information. (Doc. #1, ¶ 22).
Youmans argues that Chester Adamson, the husband of Connie Adamson, who owns 51% of Allied Portables, was using Allied Portables' password to gain access to Allied Portables' checking account and then using the funds for his own personal benefit. Youmans claims Chester Adamson submitted a bill to Allied Portables for $17,000.00 to pay for the Adamson's oldest son's fortieth (40) birthday party in Las Vegas, Nevada. Youmans changed the passwords to the accounts and created a new post office box to segregate Allied Portables' mail from Adamson's mail. Youmans then offered to purchase Connie Adamson's 51% stake in Allied Portables. On August 18, 2014, Youmans states that Connie Adamson sent her a text message agreeing to sell Adamson's 51% interest in Allied Portables to her.
On August 29, 2014, Youmans was terminated from her position as managing member without any notice or compensation. Connie Adamson has served as the sole managing member since Youmans termination. The Plaintiffs have now filed a lawsuit against Youmans.
The Plaintiffs brought eight (8) Counts against the Defendants. Count I for an alleged violation of the Computer Fraud and Abuse Act (CFAA) is the only federal law claim in the Complaint. Plaintiffs' state law claims include allegations of the following: a violation of the Florida Privacy of Communication Act, misappropriation of trade secrets, tortious interference, a civil conspiracy to convert, breach of contract, and breach of fiduciary duty.
In the Complaint, the Plaintiffs allege that prior to her termination with Allied Portables, Youmans conspired with Oswald and others to leave Allied and form a competing business. In fact, approximately four (4) months prior to Youmans' termination, she informed Allied's agents that she would be leaving the company and forming a competing venture. It is alleged Youmans conspired with Palmer to divert and hold payments to reduce the company's appearance and value and mischaracterized and paid funds to Billpro and other entities controlled by Youmans and Oswald and then transferred the funds to themselves. It is further alleged Youmans allowed Oswald to use Allied's utilities and facilities to operate Billpro and used Allied's funds to purchase insurance for herself and Oswald without authorization. Youmans changed the mailing address for Allied receivables to allow her to intercept same. Plaintiffs continue, alleging that Youmans directed Palmer to change Allied Portables' payment address, electronic access credentials for Allied's accounting programs, and to prevent access to Allied Portables systems by Adamson. Youmans further directed Palmer to take twenty (20) Allied Portable checks in case she needed them. Further, Youmans installed a computer in her home office using Allied's funds. Additionally, Youmans had a third party vendor configure a firewall and take other unauthorized actions including changing the access credentials for the Total Activity Control software to impede Allied's operations in case she was terminated.
STANDARD OF REVIEW
In deciding a motion to dismiss, the Court must accept all factual allegations in a complaint as true and take them in the light most favorable to the plaintiffs. Christopher v Harbury, 536 U.S. 403, 406, 122 S. Ct. 2179, 153 L. Ed. 2d 413 (2002). However, dismissal for failure to state a claim upon which relief may be granted does not require appearance, beyond a doubt. Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 561- 563, S. Ct. 127 S. Ct. 1955, 167 L. Ed 2d 929 (2007) (aboragating Conley v. Gibson, 355 U.S. 41, 45-46, 78 S. Ct. 99, 2 L. Ed. 2d 80 (1957)). While a complaint attacked by a Rule 12(b)(6) motion to dismiss does not need detailed factual allegations, a plaintiff's obligation to provide the "grounds" of his "entitlement" to relief requires more than labels, conclusions, and a formulaic recitation of the cause of actions elements. Bell Atlantic, 550 U.S. 544, 561- 563.
To satisfy the pleading requirements of Fed. R. Civ. P. 8, a complaint must simply give the defendants fair notice of what the plaintiff's claim is and the grounds upon which it rests. Id. at 555; Swierkiewicz v. Sorema N.A., 534 U.S. 506, 512, 122 S. Ct. 992, 152 L. Ed. 2d 1 (2002). Although the pleading standard announced in Fed R. Civ. P. 8 does not require "detailed factual allegations," it does demand more than an unadorned, "the-defendant-unlawfully-harmed-me accusation." Sinaltrainal v. Coca-Cola Co., 578 F. 3d 1252, 1268 (11th Cir. 2009) (citing Ascroft v. Iqbal, ----- U.S.----, 129 S. Ct. 1937, 1949, 173 L. Ed 2d 868 (2009). Furthermore, unwarranted deductions of fact in a complaint are not admitted as true for the purpose of testing the sufficiency of the allegations. Sinaltrainal, 578 F. 3d at 1268 (citing Aldana v. Del Monte Fresh Produce, N.A., Inc., 416 F.3d 1242, 1248 (11th Cir. 2005)). The facts as pled must state a claim for relief that is plausible on its face. Sinaltrainal, 578 F. 3d at 1268 (citing Iqbal, 129 S. Ct. at 1950). Dismissal is warranted under Fed. R. Civ. P. 12(b)(6) if, assuming the truth of the factual allegations of plaintiff's complaint, there is a dispositive legal issue which precludes relief. Simplexgrinnell, L.P. v. Ghiran, 2007 WL 2480352 (M.D. Fla. August 29, 2007) (citing Neitzke v. Williams, 490 U.S. 319, 326, 109 S. Ct. 1827, 104 L. Ed. 2d 338 (1989); Brown v. Crawford County, Georgia, 960 F.2d 1002, 1009-1010 (11th Cir. 1992).
DISCUSSION
The Plaintiffs argue that Youmans violated the CFAA in a conspiracy with the other Defendants by repeatedly accessing Allied Portable's computers with the intent to defraud Allied and/or Adamson without authorization or by exceeding any authorization she may have had to access Allied Portable's computers. Youmans argues the case should be dismissed because the Plaintiffs failed to sufficiently allege that Youmans or the other Defendants exceeded their authorize access when they accessed Allied Portables' computers.
Congress enacted the CFAA in 1984 to
enhance the government's ability to prosecute computer crimes. The act was originally designed to target hackers who accessed computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possessed the capacity to "access and control high technology processes vital to our everyday lives...."Enhanced Recovery Co., LLC v. Frady, WL 1470852, *5 -7 (M.D. Fla. March 31, 2015) (citing LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130 (9th Cir.2009) (quoting H.R. Rep. 98-894, 1984 U.S.C.C.A.N. 3689, 3694 (July 24, 1984)). Under U.S.C. § 1030(a)(2)(C) of the CFAA, whoever "intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains ... information from any protected computer" commits an offense. In a similar vein, § 1030(a)(4) provides that whoever "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value" also commits an offense. Enhanced Recovery, WL 1470852, at *5 -7. Of import to this action, one "who suffers damage or loss by reason of a violation of [ § 1030(a) ]" may bring a civil action under the CFAA if the loss is one of five types of harm identified in the statute. 18 U.S.C. §§ 1030(g), 1030(c)(4)(A) (i)(I-V). I d.
Thus, to succeed on a claim against Youmans under the CFAA, the Plaintiffs would have to establish that Youmans entered Allied Portables' computers exceeding her authorized access. The CFAA defines the term "exceeds authorized access" as follows:
[T]he term "exceeds authorized access" means to access a computer without authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.18 U.S.C. § 1030(e)(6).
Courts have generally espoused two theories when interpreting this term. Some have interpreted the definition broadly, reading into it a theory of agency, such that an employee's authorization is revoked, and thus she "exceeds authorized access," whenever she obtains information with a subjective intent that is unlawful or contrary to her employer's interests, even though the employee actually had authorization to access the information. See, e.g., U.S. v. John, 597 F.3d 263, 271-72 (5th Cir.2010) ("authorization" as used in the CFAA "may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system" if the use is in furtherance of a crime); Int'l Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir.2006) (employee's authorization to access a computer ended, for purposes of 18 U.S.C. § 1030(a)(5), once the employee breached his duty of loyalty to the employer); Aquent LLC, 2014 WL 5780293, at *4-5 (employee exceeded authorized access by abusing access to confidential information to share it with a competitor). Under this theory, where an employee accesses confidential information for personal purposes inconsistent with the employer's interests, that employee has exceeded her authorized access to the information. Enhanced Recovery, WL 1470852, at *5 -7. This is the interpretation that the Plaintiffs advocate in this case.
Other courts, including the majority of district courts in the Eleventh Circuit that have considered the question, have adopted a narrower definition of "exceeds authorized access." Enhanced Recovery, WL 1470852, at *5 -7. As one put it, "[q]uite simply, without authorization means exactly that: the employee was not granted access by his employer. Similarly, exceeds authorized access simply means that, while an employee's initial access was permitted, the employee accessed information for which the employer had not provided permission." Enhanced Recovery, WL 1470852, at *5 -7 (quoting Power Equipment Maintenance, Inc. v. AIRCO Power Services, Inc., 953 F.Supp.2d at 1296; see also, e.g., Clarity Services, Inc. v. Barney, 698 F.Supp.2d 1309, 1315 (M.D. Fla. 2010); Trademotion, LLC v. Marketcliq, Inc., 857 F.Supp.2d at 1289-91; Diamond Power Int'l, Inc. v. Davidson, 540 F. Supp. 2d 1322, 1343 (N.D.Ga.2007). Many courts outside of the Eleventh Circuit have also adopted this narrower interpretation. E.g., WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 203-07 (4th Cir.2012); U.S. v. Nosal, 676 F.3d 854, 858 (9th Cir.2012); Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 968 (D.Ariz.2008). Under the narrow interpretation, an employee who has actually been granted access to information does not "exceed authorized access" by virtue of the employee's subjective intent or by subsequently violating company policies on the use of the information. AIRCO, 953 F.Supp.2d at 1296; WEC Carolina, 687 F.3d at 206-07; Bell Aerospace Services, Inc. v. U.S. Aero Services, Inc., 690 F.Supp.2d 1267, 1272 (M.D.Ala.2010) (" 'Exceeds authorized access' should not be confused with exceeds authorized use.") (citing Diamond Power Int'l, 540 F.Supp.2d at 1343). Nor does an employee "exceed authorized access" by obtaining information that she is permitted to access, but "in a manner" that is not authorized. WEC Carolina, 687 F.3d at 205-07; Nosal, 676 F.3d at 856-63. Rather, an individual "exceeds authorized access" by gaining access to specific information that her employer simply did not give her permission to access. Diamond Power Int'l, 540 F.Supp.2d at 1343. This narrow interpretation of the CFAA is the theory that Youmans urges.
After a review of the relevant case law, this Court agrees with the majority of the Courts in the Eleventh Circuit by finding the narrow interpretation significantly more persuasive. "[T]he proper inquiry," then, "is whether an employer had, at the time, both authorized the employee to access a computer and authorized that employee to access specific information on that computer." Enhanced Recovery, WL 1470852, at *5 -7 (citing AIRCO, 953 F.Supp.2d at 1295). This analysis focuses on the actions of the employer rather than the subjective motivation of the employee, because "it is the employer's decision as to what the employee can access that determines whether an employee exceeded his authorized access." Id. at 1296. Looking first to the text of the CFAA, the Court agrees with the discussion in AIRCO that:
[t]he language of the CFAA simply prohibits accessing information either without authorization or in excess of authorized access. 18 U.S.C. § 1030. It does not confer upon employers the ability to sue their employees in federal court for violations of company policy regarding computer usage.... [T]he language of the CFAA does not speak to employees who properly accessed information, but subsequently used it to the detriment of their employers: either one has been granted access or has not. Employers cannot use the CFAA to grant access to information and then sue an employee who uses that information in a manner undesired by the employer.Enhanced Recovery, WL 1470852, at *5 -7.
Additionally, the legislative history of the CFAA supports the narrower view. As noted by one court:
[I]n 1986 Congress amended the CFAA to substitute the phrase "exceeds authorized access" for the phrase "or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend." S.Rep.No. 99-432, at 9, U.S.Code Cong. & Admin.News 1986, pp. 2479, 2486. By enacting this amendment, and providing an express definition for "exceeds authorized access," the intent was to "eliminate coverage for authorized access that aims at 'purposes to which such authorization does not extend,' " thereby "remov[ing] from the sweep of the statute one of the murkier grounds of liability, under which a [person's] access to computerized data might be legitimate in some circumstances, but criminal in other (not clearly distinguishable) circumstances that might be held to exceed his authorization." S.Rep.No. 99-432, at 21, U.S.Code Cong. & Admin.News 1986, pp. 2479, 2494-95.Enhanced Recovery, WL 1470852, at *5 -7.
The Plaintiffs claim that Youmans exceeded her authorized access by acting in bad faith by changing the access credentials used by other authorized users and creating backdoors and other vulnerabilities in the Allied Network. Plaintiffs allege these actions were taken to weaken and disrupt Allied Portables business operations. However, when Congress amended the CFAA, it repudiated the theory the Plaintiffs set forth in their arguments. The plain text, legislative history, and purpose of the CFAA support the conclusion that "exceeds authorized access" means to have initial access to a computer, but to access certain information or files that one does not have authorization to access. See 18 U.S.C. § 1030(e)(6).
The claims set forth in the Complaint clearly indicate that Youmans had unfettered access and usage of Allied Portables computer system as the managing member of the company. (Doc. #1, ¶22). While the Plaintiffs do state in one parenthetical that Youmans entered Allied Portables' computer system after she was terminated, the factual basis used to support that claim in Count I fails to establish that Youmans exceeded authorized access. Instead, the Complaint alleges that after Youmans left Allied Portables others obtained the alleged illicit information at Youmans' request but does not specify any facts that Youmans obtain it through unauthorized access. In fact, the Complaint itself notes that Youmans denied, through counsel, hacking or otherwise accessing the Allied Network subsequent to her dismissal. (Doc. #1, ¶27). As such, the Court finds that Count I of the Complaint should be dismissed as Plaintiffs have failed to sufficiently allege that Youmans violated the CFAA by exceeding her access to Allied Portables' computer system.
In regards to the other Defendants, Oswald, Langlois, and Palmer, the Complaint states that Youmans conspired with them to use unauthorized access to Allied Portables' computers to provide Youmans confidential and trade secret information. However, the facts alleged in the Complaint do not claim that the alleged conspirators exceeded their authorized access nor does it state what their limitations to access were or how they violated those limitations when they allegedly took confidential and trade secret information from Allied Portables. (Doc. #1, ¶30 a-k). Count I merely makes conclusory allegations against Oswald, Langlois, and Palmer et al misused Allied Portables' confidential and trade secret information at Youmans' direction. Misuse of information falls under other civil statues but does not violate the CFAA. Enhanced Recovery, WL 1470852, at *7 (holding that the history of the CFAA does not support the theory that a defendant violated the statue because she abused her authorization to access confidential information by accessing the information for the purpose of sharing it with a competitor). Furthermore, a plaintiff's obligation to provide the "grounds" of his "entitlement" to relief requires more than labels, conclusions, and a formulaic recitation of the cause of actions elements. Bell Atlantic, 550 U.S. 544, 561- 563. Therefore, the Plaintiffs have failed to allege a claim under the CFAA against Oswald, Langlois, and Palmer. Accordingly, the Motion to Dismiss Count I against them is also granted.
The Court acknowledges the Plaintiffs' reliance on the Eleventh Circuit's decision in United States v. Rodriguez, 628 F. 3d 1258 (11th Cir. 2010). In Rodriguez, the defendant was a TeleService representative for the Social Security Administration (SSA), and in that capacity he answered questions from the general public about social security benefits over the telephone. Id. at 1260. As a TeleService representative, he was authorized access to individuals' sensitive personal information only for business reasons. Id. Indeed, the SSA had a well-advertised established policy that explicitly conditioned authorization to access a particular individual's file based on whether it was done within the scope of business. Id. The SSA went to great lengths to give its employees fair notice of the policy:
The Administration informed its TeleService employees about its policy through mandatory training sessions, notices posted in the office, and a banner that appeared on every computer screen daily. The Administration also required TeleService employees annually to sign acknowledgment forms after receiving the policies in writing. The Administration warned employees that they faced criminal penalties if they violated policies on unauthorized use of databases.Id. Despite the warnings, Rodriguez "admitted that he accessed information for nonbusiness reasons when he obtained personal identifying information, such as birth dates and home addresses, of 17 persons he knew or their relatives." Id. The Eleventh Circuit upheld Rodriguez's conviction for exceeding authorized access under § 1030(a)(2)(B), explaining that [t]he policy of the Administration is that use of databases to obtain personal information is authorized only when done for business reasons. Rodriguez conceded at trial that his access of the victims' personal information was not in furtherance of his duties as a TeleService representative and that "he did access things that were unauthorized." Id. (emphasis added). In the light of this record, the plain language of the Act forecloses any argument that Rodriguez did not exceed his authorized access.
Unlike the Rodriguez case, the Plaintiffs here have failed to sufficiently allege that Youmans and the other Defendants violated a well established written policy regarding the access of Allied Portables' information. In fact, as noted above Youmans as the managing member of Allied Portables had unfettered access to Allied Portables' computer system. Also the Plaintiffs failed to support with a factual basis the parenthetical allegation that Youmans entered Allied Portables' system after she was terminated. Thus, the instant case is distinguishable from Rodriguez, because the Plaintiffs failed to establish that Youmans or any of the other Defendants exceeded their access in violation of CFAA.
The Court also notes, the Eleventh Circuit distinguished, but did not reject, the Ninth Circuit's decision in LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) where the Ninth Circuit held that an employee did not exceed authorized access under the CFAA by misappropriating trade secrets that his employer admittedly authorized him to access. Rodriguez, 628 F.3d at 1263. In doing so, the Eleventh Circuit observed that "there was no dispute that Brekka had been authorized to obtain the documents or to send the emails [containing confidential information to his personal email account] while he was employed." Id. (citing Brekka, 581 F.3d at 1129). The court concluded that "Brekka is distinguishable because the Administration told Rodriguez that he was not authorized to obtain personal information for nonbusiness reasons." Enhanced Recovery, 2015 WL 1470852, at *10 (citing Rodriguez, 628 F.3d at 1263).
The remaining claims in the Complaint are state law claims. The Plaintiffs encourage the Court to maintain supplemental jurisdiction over the state law claims. The Federal Court may exercise supplemental jurisdiction over state law claims that arise out of the same case and controversy as the federal subject matter claim. 28 U.S.C. § 1367(a). The statute reads in pertinent part:
[e]xcept as provided in subsections (b) and (c) or as expressly provided otherwise by Federal statute, in civil action of which the district courts have original jurisdiction over all other claims that are related to claims in the action within such original jurisdiction that they form part of the same case or controversy under Article III if the United States Constitution.28 U.S.C. § 1367(a). However, the District Court may dismiss underlying state law claims in cases where it has dismissed all claims in which it had original jurisdiction. 28 U.S.C. § 1367(c)(3). Because the Court has found that the Plaintiff has failed to establish the pleading requirements needed to establish a claim pursuant to the CFAA, the Court will exercise its discretion pursuant to 28 U.S.C. § 1367(c)(3), and decline to take supplement jurisdiction over the remaining state law claims.
Accordingly it is hereby
ORDERED:
(1) The Defendants, Robin Youmans and Garden St. Portables, LLC's Motion to Dismiss and for the Court to Decline Supplemental Jurisdiction on Any Remaining State Law Claims (Doc. #5) is GRANTED.
(2) The Defendants William "Bill" Oswald , Jr., Billopro, LLC, Lori Langlous, Debra Palmer, and Palmer Accounting & Bookkeeping Service, Inc.'s Motion to Dismiss Complaint for Injunctive Relief and Damages (Doc. #8) is GRANTED.
(3) The remaining counts in the Complaint (Doc. #1) are hereby DISMISSED for lack of subject matter jurisdiction.
(4) The Plaintiffs are given up to and including June 29, 2015 to amend the Complaint.
(5) The Preliminary Injunction Hearing scheduled for Tuesday, June 16, 2015 at 1:30 pm is hereby CANCELLED.
DONE and ORDERED in Fort Myers, Florida this 15th day of June, 2015.
/s/ _________
SHERI POLSTER CHAPPELL
UNITED STATES DISTRICT JUDGE
Copies: All Parties of Record