Opinion
23 C 795
06-21-2023
BLOCK ELECTRIC COMPANY, INC., Plaintiff, v. JOSEPH JOZSA, MICHAEL BENNINGER, GEORGE BRAUNEIS, GERALD HUGHES &INTERACTIVE BUILDING SOLUTIONS, LLC, Defendants.
MEMORANDUM OPINION AND ORDER
VIRGINIA M. KENDALL, UNITED STATES DISTRICT JUDGE
Block Electric Company, Inc. (“Block”) sued three former employees; their new employer, Interactive Building Solutions, LLC (“Interactive”); and Interactive's President, Joseph Jozsa, for conspiring to steal Block's confidential trade secrets and proprietary information. (Dkt. 36). Block brings several claims under state and federal law against Defendants. (Id.) In Count III of its Verified Amended Complaint, Block claims that Defendants Jozsa and Interactive violated the Computer Fraud and Abuse Act (“CFAA”) as part of the alleged theft. (Id. at 19-22). Jozsa and Interactive move for judgment on the pleadings of Block's CFAA claim. (Dkts. 46, 49). For the following reasons, the Court grants the Motions. (Dkts. 46, 49).
Background
Block provides commercial electrical-contracting services to customers in Illinois and other states. (Dkt. 36 ¶ 7). Before 2022, Interactive was predominantly a building-automation contractor-designing, installing, and servicing computerized heating, ventilation, and air-conditioning systems in commercial settings. (Id. ¶ 8). Jozsa is President of Interactive. (Id. ¶ 9).
Defendants Michael Benninger, George Brauneis, and Gerald Hughes each worked for Block for over thirty years before abruptly resigning in April 2022 to join Interactive. (Id. ¶¶ 10-12).
According to Block, Interactive planned to launch its own new electrical-contracting division. (Id. ¶ 13). Interactive intended to jumpstart this new division by using Block's proprietary information to outbid competitors and poach Block's existing accounts. (Id. ¶ 13). Jozsa allegedly conspired with Hughes, Benninger, and Brauneis while they were Block employees to steal Block's confidential proprietary bidding and pricing information, contained in a master database and stored in a customizable software program called Accubid. (Id. ¶¶ 13-14).
As relevant to its CFAA claim, Block alleges that while still working at Block, Hughes downloaded Block's proprietary information from Accubid onto a thumb drive and gave it to Jozsa and Interactive. (Id. ¶¶ 62, 64). Jozsa uploaded the information to Interactive's computers. (Id. ¶ 65). Jozsa and Interactive then used this information to compete against Block by preparing bids for electrical-contracting services. (Id. ¶¶ 67, 71). They submitted bids undercutting Block to TransUnion-one of Block's long-term accounts-among other customers. (Id. ¶¶ 67, 71).
Because Jozsa and Interactive accessed Block's proprietary information without authorization, Block suffered losses including the “value of trade secrets . . . that [were] not previously known to the public or Block's competitors.” (Id. ¶ 73). Further, it suffered loss “because of the diminution of value of Block's Protected Information ....” (Id. ¶ 74). Finally, Block lost “competitive advantage” from Interactive's use of Block's proprietary information as a competitor. (Id. ¶ 75). Block claims its losses exceed $5,000. (Id. ¶ 76).
Block filed a Verified Complaint for injunctive and monetary relief alleging ten claims against the five defendants, including a CFAA claim against Interactive and Jozsa. (Dkt. 1). These defendants moved to dismiss the CFAA claim. (Dkts. 23, 26). Block then filed a Verified Amended Complaint. (Dkt. 36). Jozsa and Interactive answered, (dkts. 42, 43), and both now move for partial judgment on the pleadings, arguing that Block failed to plead loss or damages cognizable under the CFAA. (Dkts. 46, 49).
Legal Standard
“After the pleadings are closed-but early enough not to delay trial-a party may move for judgment on the pleadings.” Fed.R.Civ.P. 12(c). The same standard governs a Rule 12(c) motion for judgment on the pleadings as a Rule 12(b)(6) motion to dismiss. Adams v. City of Indianapolis, 742 F.3d 720, 727-28 (7th Cir. 2014). “As with a motion to dismiss, the court views all facts and inferences in the light most favorable to the non-moving party.” Federated Mut. Ins. Co. v. Coyle Mech. Supply, Inc., 983 F.3d 307, 313 (7th Cir. 2020). To survive a Rule 12(c) motion, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)); see also Taylor v. JPMorgan Chase Bank, N.A., 958 F.3d 556, 562 (7th Cir. 2020).
Discussion
The CFAA prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). It also forbids:
knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.18 U.S.C. § 1030(a)(4); see also LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131-32 (9th Cir. 2009).
The CFAA is primarily a criminal anti-hacking statute. See 18 U.S.C. § 1030. But subsection 1030(g) provides a civil remedy for CFAA violations. Fidlar Techs. v. LPS Real Est. Data Sols., Inc., 810 F.3d 1075, 1079 (7th Cir. 2016). The civil remedy requires pleading a CFAA violation that caused at least $5,000 of either “damage” or “loss.” See § 1030(g) ; Fidlar Techs., 810 F.3d at 1079; Modrowski v. Pigatto, 712 F.3d 1166, 1168 (7th Cir. 2013) (CFAA civil action requires alleging cognizable injury of at least $5,000 in “damage” or “loss”). Block claims that Defendants Jozsa and Interactive violated the CFAA by obtaining confidential proprietary information from Block's Accubid program without authorization and with the intent to defraud. (Dkt. 36 at 19-21). Yet, Block fails to plead any cognizable loss or damage resulting from Defendants' violations, so its CFAA claim fails.
“Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages.” 18 U.S.C. § 1030(g). Of the five subclauses referenced, this case involves only subclause (I), which involves “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” § 1030(c)(4)(A)(i)(I).
The CFAA defines “loss” disjunctively: first, loss includes “any reasonable cost to any victim including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense.” Yoder & Frey Auctioneers, Inc. v. EquipmentFacts, LLC, 774 F.3d 1065, 1073 (6th Cir. 2014) (quoting 18 U.S.C. § 1030(e)(11)); see also A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009) (holding “loss” “plainly contemplates . . . costs incurred as part of the response to a CFAA violation, including the investigation of an offense”). Second, “loss” encompasses “any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Yoder & Frey, 774 F.3d at 1073 (quoting 18 U.S.C. § 1030(e)(11)). “If a plaintiff is able to establish a loss of at least $5,000 in value, whether that be composed solely of costs identified in the first clause, or solely costs identified in the second clause, or a combination of both, then he may recover under the statute.” Id. at 1073.
Block fails to plead a cognizable loss under either clause. First, Block alleges no costs incurred responding to the theft of its proprietary information. It conducted no damage assessment, nor did it restore any computer systems, programs, or data to their original condition. It is easy to see why: the data theft involved no hacking, so there was nothing to assess or restore. Jozsa and Interactive received Block's proprietary information because a Block employee, Hughes, copied and downloaded it to a thumb drive. Defendants did not hack into Block's computer network; they got the information from an employee who accessed it through his employer-provided credentials. (See dkt. 36 ¶ 14; id. ¶ 20). This was a leak-not a hack. Neither did Defendants cause any “data, program, system, or information” to be altered or deleted, so Block did not have to restore anything to its original condition before the offense. See § 1030(e)(11). Hughes could access the Accubid software and its data but could not change the data stored in the master spreadsheet. (See dkt. 36 ¶ 20).
In short, Block had no need to respond to a hacking incident or third-party intrusion into its computer systems as the CFAA contemplates. So no related loss resulted. Cf. Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1066 (9th Cir. 2016) (plaintiff suffered loss under CFAA when its employees spent many hours analyzing, investigating, and responding to defendant's alleged hacking of plaintiff's computer systems); Yoder & Frey, 774 F.3d at 1074 (defendant's intrusion into plaintiff's online bidding system required plaintiff to investigate the offense and conduct a damage assessment, satisfying CFAA's definition of loss).
Second, Block experienced no interruption of service to its computer systems or programs, so any economic harm resulting from Defendants' data theft is not cognizable. The second clause in the CFAA's definition of “loss” restricts compensable economic harms-“lost revenue, cost incurred, or other consequential damages”-to those that occurred “because of interruption of service.” § 1030(e)(11) (emphasis added). Since Block experienced no interruption of service, no compensable losses resulted from Defendants' actions. See Courser v Allard, 969 F.3d 604, 61819 (6th Cir. 2020) (CFAA limits compensable losses to those “incurred because the computer's service was interrupted and does not include subsequent use of illegally obtained information”).
Block's alleged losses boil down to the diminished intrinsic value of its misappropriated trade secrets and confidential information. (See dkt. 36 ¶¶ 73-75). But the CFAA's civil remedy does not vindicate such losses. It addresses the costs of responding to and recovering from attacks on computer systems and programs-not business competitors' ill-gotten gains in market advantage. See Courser, 969 F.3d at 618-19; see also Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F.3d 756, 760 (6th Cir. 2020) (noting that CFAA's “damages” and “loss” provisions indicate the Act's “narrow scope,” aiming to prevent typical consequences of computer hacking rather than misuse of sensitive business information); see also, e.g., Cassetica Software, Inc. v. Comput. Scis. Corp., 2009 WL 1703015, at *4 (N.D. Ill. June 18, 2009) (“With respect to ‘loss' under the CFAA, other courts have uniformly found that economic costs unrelated to computer systems do not fall within the statutory definition of the term.” (collecting cases)).
Finally, the CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8); Fidlar Techs., 810 F.3d at 1084. Damage thus refers to a defendant either (1) harming the plaintiff's data or computer infrastructure, or (2) rendering such data or computer infrastructure unavailable. See Yoder & Frey, 774 F.3d at 1072 n.5; cf. id. at 1073 (holding that defendant's incursion into plaintiff's online bidding program caused damage by interfering with platform's ability to function normally).
Neither scenario occurred here. Block has alleged nothing about Defendants harming, deleting, or making unavailable any of Block's proprietary data or the computers and software storing its data. Hughes simply copied the data, put it on a thumb drive, and gave it to Jozsa and Interactive. This caused no damage. See Courser, 969 F.3d at 618-19 (CFAA limits compensable economic harm to “damage to the illegally accessed computer or computer system, or loss incurred because the computer's service was interrupted and does not include subsequent use of illegally obtained information”).
Conclusion
For these reasons, the Court grants the Motions of Defendants Jozsa and Interactive Building Solutions, LLC, for Partial Judgment on the Pleadings [46, 49] and dismisses with prejudice Count III of Block Electric Company's Verified Amended Complaint.