Summary
finding that "the costs involved in investigating the damage to the computer system may constitute such a loss," even when no damage is found
Summary of this case from Int'l Chauffeured Serv., Inc. v. Fast Operating Corp.Opinion
05 CV 6782 (GBD).
September 26, 2006
MEMORANDUM DECISION AND ORDER
Plaintiff commenced this action for unlawful access to stored electronic communications under Title II of the Electronic Communications Privacy Act ("ECPA"), referred to as the Stored Communication Act, 18 U.S.C. § 2701 et seq., and for fraud in connection with a computer under the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030. Plaintiff has also asserted various state law claims. Defendants are moving, pursuant to Fed.R.Civ.P. 12(b)(6), to dismiss the complaint for failure to state a federal claim upon which relief may be granted. Additionally, defendants request that this Court decline to assert ancillary jurisdiction over the state law claims. Defendants' motion is denied.
The state law claims are for conversion, trespass to chattel, unfair competition and breach of contract.
Plaintiff Allen Kaufman was assigned the legal claims of Principal Connections Limited ("PCL") (which does business as MLX), and of Klickads, Inc. "PCL is a real estate service company" which "provides real estate services to consumers under MLX and to real estate professionals under Brokers NYC." (Compl. ¶ 13). Plaintiff alleges that "in . . . January 2003, PCL spun off BrokersNYC, under a new company, Klickads, Inc., dba BrokersNYC." (Id. ¶ 14). Plaintiff maintains that "PCL derives revenues from consumer one-time memberships to MLX and monthly broker subscription fees to BrokersNYC. The BrokersNYC subscription includes training, support, advertising and marketing services and access to www.brokersnyc.com. (the "Website"). (Id. ¶ 15).
In the complaint, plaintiff alleges that the "Website and PCL and BrokersNYC's server constitute a facility through which an electronic communication service is provided." (Id. ¶ 69). Plaintiff also claims that "PCL and BrokersNYC provide 'remote computing services' . . . as they provide computer storage and computer services by means of an electronic communications system. (Id. ¶ 71).
The term "electronic communication" is defined, in pertinent part, as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce." 18 U.S.C. § 2510(12).
"[T]he term 'remote computing service' means the provision to the public of computer storage or processing services by means of an electronic communications systems." 18 U.S.C. § 2711(2). An "'electronic communication system' means any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission or related electronic equipment for the electronic storage of such communications." 18 U.S.C. § 2510(14).
Plaintiff further alleges that "[t]he Website entails a multiple listing forum for brokers to list and search for residential properties for their clients and to manage their confidential client records, real estate listings, and advertisements." (Id. ¶ 16). Plaintiff claims that "[e]ach BrokersNYC subscriber is assigned a non-sharable private member name and password which is used to login to access each subscriber's personal, private, and confidential account." (Id. ¶ 22). All subscribers have "access to the Website's propriety information and content, including real estate listings and client/consumer contacts." (Id. ¶ 22). Plaintiff claims that "[e]ach BrokersNYC subscriber account contains private, personal, and proprietary information and communications that cannot, and should not be accessed by anyone other than that particular subscriber," and such "information cannot be viewed by all subscribers." (Id. ¶ 23). Plaintiff maintains that "[e]ach BrokersNYC subscriber account contains a database of real estate listings that the subscriber has inputted. This includes real estate listings that are proprietary in nature and have been obtained through the subscriber's hard work, good will, skill, name and reputation." (Id. ¶ 25). Plaintiff alleges that "[w]hile each BrokersNYC subscriber has the option of posting these listings to other subscribers, MLX consumers, or on its own company website, BrokersNYC subscribers may also choose not to disclose these listings to the public or any other brokers. Such listings may only be available to the BrokersNYC subscriber's brokerage firm, select recipients, or to that particular BrokersNYC subscriber. Essentially, BrokersNYC subscribers may choose to use their account like a private address book to store private, confidential, and proprietary information regarding owners and real estate listings that they do not wish to share with the public or other brokers." (Id. ¶ 27).
Plaintiff further alleges that a "BrokersNYC subscriber may transmit and post listings to certain clients, brokers, or within the BrokersNYC subscriber's brokerage firm. Such transmittals or postings are facilitated through the Website. The transmittals or postings may be viewed by accessing a BrokersNYC subscriber account." (Id. ¶ 28). Plaintiff alleges that "[a]ll BrokersNYC subscribers are guaranteed that their accounts and the information within their accounts will be kept confidential, and private, and will not be accessed by anyone without their authority." (Id. ¶ 24).
The complaint further states that "subscribers also have the ability to use BrokersNYC's email function to email information to clients, other brokers, landlords, etc." (Id. ¶ 34). The emails are allegedly "stored and can be assessed and viewed when assessing the BrokersNYC subscriber's account." (Id.). "BrokersNYC [allegedly] keeps an email history providing a summary of all email correspondence and the subject matter of these correspondence." (Id.).
The complaint further states that in February of 2000, PCL hired defendant Amir Eddie Shapiro ("Shapiro") as an independent contractor to sell BrokersNYC services. After Shapiro's employment was allegedly terminated for cause on August 1, 2000, defendant Churchill Corporation Service, Inc. ("Churchill") hired him. In 2002, Shapiro, in partnership with Churchill, allegedly started the defendant company Nest Seekers, International, Inc. ("Nest Seekers").
In 2003, PCL and BrokersNYC purportedly received a number of complaints from its subscribers regarding the unauthorized access to their personal BrokersNYC accounts. A pattern of suspicious logins to numerous subscriber accounts was detected. Plaintiff alleges that, since August of 2002, there have been over 4,000 unauthorized logins to twenty-seven subscriber accounts on the Website from defendants' computers. Plaintiff claims that defendants intentionally stole subscribers' "passwords in order to 'hack' into PCL and BrokersNYC's server, the Website, and into twenty-seven (27) private, personal, confidential BrokersNYC subscriber accounts that contained private, personal, and proprietary information." (Id. ¶ 47). Allegedly, the misappropriation of the information resulted in defendants earning at least five million dollars.
Plaintiff further claims that Shapiro was arrested and charged, in state court, with computer trespass. He allegedly pled guilty to unauthorized use of a computer. During his plea allocution, Shapiro allegedly "admitted that from August 12, 2000 to October 1, 2003, he provided brokers working for him at Nest Seekers with a list of names and passwords to access the Website and BrokersNYC's service without authorization." (Id. ¶ 65). The complaint further states that Shapiro admitted "he obtained confidential listing information from 'Brokers NYC dot com customers' without their permission and authority." (Id. ¶ 67).
Plaintiff alleges that, as a result of defendants' unauthorized access to the Website and to BrokersNYC subscriber accounts, PCL and BrokersNYC expended over $125,000 in personnel and software costs "to investigate the 'hacking' and unauthorized access, to investigate for damage, and to reveal the infringing activity." (Id. ¶ 56). Plaintiff further alleges that, as a result of defendants' unauthorized access, there has been a decline in subscriptions to BrokersNYC and PCL and BrokersNYC have suffered a loss of good will in the real estate community. (Id. ¶¶ 58, 59).
In reviewing a complaint for dismissal, the Court must accept the factual allegations in the complaint as true and draw all reasonable inferences in plaintiff's favor. Hartford Courant Co. v. Pellegrino, 380 F.3d 83, 89-90 (2d Cir. 2004) ( quoting Emergent Capital Inv. Mgmt., LLC v. Stonepath Group, Inc., 343 F.3d 189, 194 (2d Cir. 2003)). The complaint should only be dismissed where it appears beyond doubt that plaintiff can present no set of facts entitling him to relief. Conley v. Gibson, 355 U.S. 41, 46 (1957); Ryder Energy Distrib. Corp. v. Merrill Lynch Commodities, Inc., 748 F.2d 774, 779 (2d Cir. 1984).
STORED COMMUNICATION ACT
The first cause of action is for unlawful access to stored electronic communications in violation of 18 U.S.C. § 2701. With certain exceptions not applicable here, § 2701 imposes both criminal and civil liability for the intentional access without authorization "of a facility through which an electronic communication service is provided," "and thereby obtains, alters, or prevents authorized access to wire or electronic communication while it is in electronic storage in such system . . ." 18 U.S.C. § 2701(a)(1). An "'electronic communication service' means any service which provides to users thereof the ability to send or receive wire or electronic communications." 18 U.S.C. § 2510(15). "Electronic storage" is defined as "any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and any storage of such communication by an electronic communication service for purposes of backup protection of such communication." 18 U.S.C. § 2510(17)(A), (B).Defendants, relying on In re DoubleClick, Inc. Privacy Litig., 154 F.Supp.2d 497 (S.D.N.Y. 2001), and In re Jetblue Airways Corp. Privacy Litig., 379 F.Supp.2d 299 (S.D.N.Y. 2005), argue that the complaint fails to state a cognizable claim, under § 2701, "because the conduct set out [in the complaint] does not relate to the improper access to material in 'electronic storage' of an 'electronic communication service.'" (Defts.' Mem. Supp. Mot. at 6). Defendants assert that examples of an electronic communication service provider are Internet service providers ("ISPs") and telecommunication companies whose cables and telephone lines carry Internet traffic. Defendants claim that "Plaintiffs [fail to] allege that they are electronic service providers or allege facts that would give rise to this inference." (Id. at 14). Defendants contends that the complaint reveals that the subject Website is simply a database website that limits access and affords subscribers a place to store information on the Website's server.
In DoubleClick, supra, the court held that dismissal of the § 2701 claim, pursuant to Fed.R.Civ.P. 12(b)(6), was warranted because the "users" had authorized the subject access, and hence the statutory consent exception precluded an unauthorized access claim. In JetBlue, supra, the court granted defendants' 12(b)(6) motion dismissing the claim for violation of § 2702, which prohibits an electronic communication service provider from divulging stored communications, because the defendant-airline, was an air travel service provider, not an electronic communication service provider.
Additionally, defendants note that "Plaintiffs attempt to invoke the limitation of the ECPA by alleging that they are more than just a website, because BrokersNYC.com has an 'email function' that allows brokers to e-mail items from the site to others." (Id. at 16). Defendants contend that "[t]his is a process, which is provided to Plaintiffs by their ISP, separate from the operation of the website." (Id. at 16-17). Defendants conclude that "[p]roviding an e-mail function to subscribers does not transform Plaintiffs into an 'electronic communication service.' Plaintiffs are not an e-mail service provider," but rather "[t]hey merely provide access through their website to an e-mail service provider." (Id. at 17). Defendants, therefore, conclude that the allegations in the complaint are insufficient to establish that defendants' accessed, without authorization, "a facility through which an electronic communication service is provided."
Plaintiff argues that the Stored Communication Act is not only applicable to ISPs in the traditional sense, as defendants maintain, but may also apply to certain types of web sites that have been breached by hackers. Plaintiff contends that, although not explicitly alleged in the complaint, the Website is an electronic bulletin board system, and therefore PCL and BrokersNYC qualify as electronic communication service providers. Additionally, plaintiff claims that, notwithstanding defendants' contentions to the contrary, its Website's email/messaging capabilities are not furnished by a third-party email service provider. Plaintiff maintains that "[t]hese email/messages were in fact stored on Plaintiffs' server pending receipt and for backup protection purposes after receipt." (Pl.'s Mem. Opp'g Mot. at 22).
The aim of the Stored Communication Act was, in part, to protect individuals' privacy interests in personal and proprietary information. S. Rep. No. 99-541, at 3 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, at 3557. Section 2701 "addresses the growing problem of unauthorized persons deliberately gaining access to, and sometimes tampering with, electronic or wire communications that are not intended to be available to the public." S. Rep. No. 99-541, at 35; 1986 U.S.C.C.A.N. at 3589. It was primarily designed to provide a cause of action against computer hackers. See, DoubleClick, 154 F.Supp.2d at 507; State Wide Photocopy, Corp. v. Tokai Fin. Servs., Inc., 909 F.Supp. 137, 145 (S.D.N.Y. 1995).
Section 2701(a) addresses the unauthorized access to communications in "electronic storage" at "a facility through which an electronic communication service is provided." InDoubleClick, supra, the district court defined the term "electronic communication service" to apply to ISPs and telecommunication companies which provide the means upon which Internet communications travel. DoubleClick, 158 F.Supp.2d at 508, 511 n. 20. Relying on DoubleClick, the district court inJetblue, supra, held that an "electronic communication service" does not include operators of commercial web sites that provide traditional products and services over the Internet, as opposed to Internet access itself, notwithstanding the fact that such websites have email capabilities enabling its operators to communicate with their customers. JetBlue, 379 F.Supp.2d at 307;accord, Crowley v. CyberSource Corp., 166 F.Supp.2d 1263, 1270 (N.D.Cal. 2001) (On-line merchant which receives electronic communications from its customers is not an entity providing electronic communication services.); see also,Anderson Consulting LLP v. UOP, 991 F.Supp. 1041, 1043 (N.D.Ill. 1998) (Partnership, which purchases Internet access from an electronic service provider and does not independently provide Internet services, is not an electronic communication service simply because the company's internal email system enables it to send emails to and to receive emails from, third-parties over the Internet.).
Plaintiff also argues, in opposition to the motion to dismiss, that the Website acted, in part, as an electronic bulletin board, and hence PCL and BrokersNYC constitute electronic communication service providers. Although the complaint does not specifically allege that the Website operated an electronic bulletin board (also known as a computer bulletin board), the factual allegations in the complaint, liberally construed, are minimally sufficient to support plaintiff's contention. "Computer bulletin boards generally offer both private electronic mail service and newsgroups. The latter is essentially email directed to the community at large, rather than a private recipient." MTV Networks v. Curry, 867 F.Supp. 202, 204 n. 3 (S.D.N.Y. 1994); see also, United States v. Riggs, 739 F.Supp. 414, 417 n. 4 (N.D.Ill. 1990) ("A computer bulletin board system is a computer program that simulates an actual bulletin board by allowing computer users who access a particular computer to post messages, read existing messages, and delete messages.").
An electronic bulletin board fits within the definition of an electronic communication service provider. See eg., United States v. Steiger, 318 F.3d 1039, 1049 (11th Cir. 2003) ("[T]he SCA clearly applies, for example, to information stored with a phone company, Internet Service Provider (ISP), or electronic bulletin board system (BBS)."); Steve Jackson Games, Inc. v. United States Secret Serv., 36 F.3d 457, 462-63 (5th Cir. 1994) (Finding that the SCA "clearly applies to the conduct of the" defendant in seizing a computer used to operate an electronic bulletin board system which contained private electronic mail that had been sent and stored on the bulletin board, but not yet read by the intended recipients.); Inventory Locator Serv., LLC v. Partsbase, Inc., 2005 WL 2179185, at *24 (W.D.Tenn. Sept. 6, 2005) (Finding that the ECPA not only applied to entities that provide gateway access to the Internet, but also applies to a password protected website containing an electronic bulletin board and a web-based forum where parties could communicate.); see also, Konop, 302 F.3d at 875 ("The legislative history of the ECPA suggests that Congress wanted to protect electronic communications that are configured to be private, such as email and private electronic bulletin boards."). Only electronic bulletin boards which are not readily accessible to the public are protected under the Act. See eg.,Snow v. DirecTV Inc., 450 F.3d 1314 (11th Cir. 2006) (Finding that Internet website which operated an electronic bulletin board was not protected under the Stored Communications Act because it was not configured in some way so as to limit access by the general public.). As the legislative history reveals:
The bill does not for example hinder the development or use of 'electronic bulletin boards' or other similar services where the availability of information about the service, and the readily accessible nature of the service are widely known and the service does not require any special access code or warning to indicate that the information is private. To access a communication in such a public system is not a violation of the Act, since the general public has been 'authorized' to do so by the facility provider. S.Rep. 99-541, *36; 1986 U.S.C.C.A.N. 3555, at *3590.
The legislative history defines the term "electronic bulletin boards" as follows:
Electronic 'bulletin boards' are communications networks created by computer users for the transfer of information among computers. These may take the form of proprietary systems or they may be noncommercial systems operating among computer users who share special interests. These noncommercial systems may involve fees covering operating costs and may require special 'passwords' which restrict entry to the system. These bulletin boards may be public or semi-public in nature, depending on the degree of privacy sought by users, operators or organizers of such systems. S. Rep. No. 99-541, at 8-9; 1986 U.S.C.C.A.N. at 3562-63.
The complaint, which tracks the statutory language of § 2701 with supporting factual allegations, is sufficient for 12(b)(6) purposes, to establish that the restricted Website is a facility through which electronic communications is provided. The factual allegations in the complaint indicate that the Website was configured in such a manner as to restrict public access thereto, and only paid subscribers could gain access with the use of an individual user's name and password. The pleadings further reveal that as part of the services provided on the Website, real estate professionals could transmit and post listings to other professionals and customers. The complaint also indicates that subscribers have the ability to use the Website's email function. Absent discovery, it cannot be ascertained whether the nature of the Website's posting function is that of an online forum or message board so as to constitute an electronic bulletin board. Similarly, it cannot be determined, on the pleadings alone, whether the Website's sufficiently acted as an email provider.See eg., United States v. Councilman, 418 F.3d 67, 70 (1st Cir 2005) (noting in dicta that the Stored Communications Act was applicable where private emails were read by defendant, who was president of company which ran online book listing and gave its customers an email address at the website location and acted as their email provider.).
An on-line business which provides its customers, as part of its commercial offerings, the means by which the customers may engage in private electronic communications with third-parties may constitute a facility through which electronic communication service is provided. In the case at bar, to make a definitive finding, based solely on the pleadings, as to whether the alleged unauthorized access was from a facility through which an electronic communication service is provided would be "premature" as it "would entail speculation about the nature of [PCL and BrokersNYC's] role in electronic communications." See eg., H R Block E. Enters. v. J. M Sec., LLC., 2006 WL 1128744 (W.D.Mo. Apr. 24, 2006) (Finding complaint, alleging that plaintiff provides electronic communication service in connection with its tax preparation services and that defendants, without authorization, accessed plaintiff's database facilities to obtained confidential information, was sufficient to state a § 2701 claim.).
Section 2701(a) also pertains only to the unauthorized access to electronic communications while they are in electronic storage. Subsection (A) of 18 U.S.C. § 2510(17), which pertains to temporary, intermediate storage incidental to the electronic transmission, "is specifically targeted at communications temporarily stored by electronic communications services incident to their transmission — for example, when an email service stores a message until the addressee downloads it." DoubleClick, 154 F.Supp.2d at 512. Messages stored on an electronic bulletin board pending delivery to their intended recipients are in electronic storage for purposes of subdivision (A). Steve Jackson, 36 F.3d at 461-62.
Subsection (B) of 18 U.S.C. § 2510(17) pertains to both the backup storage of messages pending delivery, as well as post-transmission storage. Theofel v. Farey-Jones, 359 F.3d 1066, 1075-76 (9th Cir. 2004). The mere retention of the messages alone will not satisfy the requirements of subdivision (B). It must be established that the purpose for the retention was to serve as a backup protection. Id. at 1076.
Defendants argue that "even were the resulting transmittal an 'electronic communication,' Plaintiffs do not allege that Defendants hacked into such communications except, perhaps, after they had been 'stored' so that they could be 'accessed and viewed when accessing the BrokersNYC subscriber's account.'" (Id. at 17, quoting Compl. ¶¶ 74-75). Defendants claim that such allegations establish that "Defendants improperly accessed 'electronic communication stored' on their server, but these were not 'stored communications' under the Act" as "[t]hey were neither temporary, intermediate, and incidental[,] nor for backup purposes." (Id. at 17-18).
The complaint alleges that "subscriber's emails are stored and can be accessed and viewed when accessing the BrokersNYC subscriber's account." (Compl. ¶ 34). The complaint further alleges that the defendants accessed, without authorization "electronic communications stored on PCL and BrokersNYCs' server." (Id. ¶ 74). Such allegations are sufficient to make out the element of "electronic storage." The intricacies of the Website's operational systems need not be specifically pled. A complaint must merely provide a short and plain statement of the claims demonstrating that the pleader is entitled to relief. Fed.R.Civ.P. 8(a)(2). This affords the defendants fair notice as to the nature of the claims asserted against them, as well as the grounds upon which they rest. Swierkiewicz v. Sorema N.A., 534 U.S. 506, 512 (2002) (citations omitted). The complaint at bar meets the necessary pleading requirements to withstand a motion to dismiss.
Accordingly, defendants' motion to dismiss the cause of action for unlawful access to stored electronic communications is denied.
COMPUTER FRAUD
Defendants contends that plaintiff failed to allege the requisite monetary threshold to maintain a cause of action for computer fraud. In order to state a cause of action for computer fraud, in violation of 18 U.S.C. § 1030, the defendants' culpable conduct must cause an aggregated loss of at least five thousand dollars during a one year period. 18 U.S.C. § 1030(a)(5)(B)(I). "[T]he term 'loss' means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue loss, cost incurred or other consequential damages incurred because of interruption of service." 18 U.S.C. § 1030(e)(11). "Congress intended the term 'loss' to target remedial expenses borne by victims that could not properly be considered direct damage caused by a computer hacker."DoubleClick, 154 F.Supp.2d at 521.
The complaint specifically alleges that defendants' culpable conduct resulted in a loss of over $125,000, well above the statutory requirement of $5,000. Plaintiff attributes the monetary loss to the personnel and software costs involved in investigating the hacking and unauthorized access, investigating the damage, and revealing the infringing activity. Although certain of these expenditures may not fall within the ambit of a loss for purposes of § 1030, the costs involved in investigating the damage to the computer system may constitute such a loss. See eg., Nexans Wires S.A. v Sark-USA, Inc., 319 F.Supp.2d 468, (S.D.N.Y. 2004) (Finding that "loss" includes the costs associated with investigating the damage to the computer.), aff'd, 266 Fed.Appx. 559 (2d Cir. 2006). Defendants argue that since plaintiff has not allege any damage to PCL and BrokersNYC's computer system or software, there has been no showing of a loss. The claimed loss sustained by PCL and BrokersNYC in investigating the potential damage to their computer system and Website is not lessened merely because fortuitously no physical damage was allegedly caused to the computer system or software. See, E.F. Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 585 (1st Cir. 2001) (Finding that the loss suffered by plaintiffs, in having to expend substantial sums to assess whether there was any physical damage to their website, is not lessened simply because fortunately no damage occurred.). The monetary threshold necessary to state a computer fraud claim is sufficiently pled in the complaint.
CONCLUSION
Accordingly, defendants' motion to dismiss the complaint, pursuant to Fed.R.Civ.P. 12(b), is denied in all respects.
SO ORDERED: