Summary
dismissing claim where plaintiff only alleged the computer was a "protected computer" without more
Summary of this case from Altex U.S. Corp. v. QuintanaOpinion
CASE NO: 8:14-cv-2440-T-30MAP
01-26-2015
MAINTENX MANAGEMENT, INC., Petitioner, v. JEREMY LENKOWSKI, Respondent.
ORDER
THIS CAUSE comes before the Court upon Defendant Jeremy Lenkowski's Motion to Abstain, Stay And/Or Dismiss Complaint and Strike Portions of Complaint with Incorporated Memorandum of Law (Dkt. #9), filed November 7, 2014, and Plaintiff Maintenx Management Inc.'s Response in Opposition, filed December 5, 2014. Upon review, the Court concludes Defendant's motion to dismiss should be granted in part, because it appears there is no subject matter jurisdiction. The Court will not consider the abstention issue until after it has determined whether it has jurisdiction.
BACKGROUND
Defendant Jeremy Lenkowski's ("Lenkowski") motion arises in relation to Plaintiff Maintenx Management, Inc.'s ("Maintenx") action for injunctive relief and damages under the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. §§ 1030 et. seq., and Florida common law and statutory claims relating to the same set of operative facts.
Lenkowski was formerly employed as Maintenx's I.T. Director, and due to the nature of his work, Maintenx provided Lenkowski with access to all of its data. Maintenx alleges that Lenkowski exceeded the scope of his authorized access to this data. Specifically, Maintenx asserts that Lenkowski intentionally saved Maintenx data and records to a removable storage device on more than one occasion. Although Maintenx asserts that this data included customer lists, pricing information, customer billing information, and other financial and operational business records, and Lenkowski does not specifically negate this allegation, the crux of the issue appears to be certain video files Lenkowsi retrieved from the laptop of one of Maintenx's employees. Maintenx alleges that Lenkowski improperly shared the files with third parties, exceeding the scope of his authorized access to Maintenx data. Also, Maintenx alleges that it incurred a monetary loss in excess of $5,000.00, namely in the form of attorney's fees and costs required to deal with the consequences of Lenkowski's actions.
In the instant motion, Defendant Jeremy Lenkowski ("Lenkowski") requests the Court to (1) abstain from exercising its jurisdiction over this matter, or (2) dismiss the complaint under Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim, or, in the alternative, for a more definite statement; or (3) dismiss this action for lack of subject matter jurisdiction; or (4) strike certain allegations in the complaint.
After reviewing the motion, the response, and being otherwise apprised in the matter, the Court determines it should grant Lenkowski's 12(b)(6) motion respecting Maintenx's CFAA claim. Because the CFAA claim forms the sole basis of this Court's federal jurisdiction over the matter, the Court declines to rule on Lenkowski's 12(b)(6) motion as it relates to the remaining counts of Maintenx's complaint, and will dismiss the entire complaint without prejudice. Because the Court is dismissing Maintenx's complaint, the remaining portions of Lenkowski's motion are moot.
STANDARD OF REVIEW
Federal Rule of Civil Procedure 12(b)(6) allows the court to dismiss a complaint for failure to state a claim upon which relief can be granted. When ruling on a motion to dismiss under Rule 12(b)(6), the court "must accept as true all of the factual allegations contained in the complaint" and construe them in the light most favorable to the plaintiff. Swierkiewicz v. Sorema N.A., 534 U.S. 506, 508 (2002); Chaparro v. Carnival Corp., 693 F.3d 1333, 1335 (11th Cir. 2012). Legal conclusions, on the other hand, "must be supported by factual allegations" in order to be cloaked with the presumption of truth. Aschroft v. Iqbal, 556 U.S. 662, 664 (2009). "When there are well-pleaded factual allegations, a court should assume their veracity and then determine whether they plausibly give rise to an entitlement to relief." Id.
DISCUSSION
Maintenx asserts a claim under § 1030(g) of the CFAA, which provides a civil remedy to any person who suffers damage or loss at the hands of a person who violated specified provisions of the Act. Maintenx alleges that it suffered damage or loss by Lenkowski's violation of subsections §§ 1030(a)(2)(C), 1030(a)(4), and 1030(a)(5)(A)—(C). For the reasons enumerated in this Order, Maintenx's allegations, as presented, do not plausibly establish an entitlement to relief.
A. Maintenx has not sufficiently alleged that
Lenkowski was using a protected computer
Each of the subsections on which Maintenx bases its claims requires the use of a "protected computer." See §§ 1030(a)(2)(C), (a)(4), and (a)(5)(A)—(C). Aside from referring to a "protected computer" in its complaint, Maintenx does not elaborate on why the computers qualify as "protected computers" under the CFAA. A protected computer is one "which is used in or affecting interstate or foreign commerce or communication." § 1030(e)(2)(B). "Although this is not a particularly high standard, the complete absence of any relevant allegations render the complaint deficient." LaBovick and LaBovick, P.A. v. Simovitch, No. 12-80061-CV, 2012 WL 920767, at *3 (M.D. Fla. 2012).
B. Maintenx has not sufficiently alleged that
Lenkowski accessed the computer without
authorization or by exceeding his authorized use
A bigger problem for Maintenx is that four of the subsections, §§ 1030(a)(2)(C), (a)(4), (a)(5)(B), and (a)(5)(C), make it an unlawful for a person to engage in certain conduct using a computer if the computer is accessed "without authorization" or by "exceed[ing] authorized access." Maintenx conclusorily alleges that Lenkowski accessed Maintenx's computer without authorization, and that he exceeded his authorized access. But the facts Maintenx presents do not support either of these conclusions.
"[A]n employer gives an employee 'authorization' to access a company computer when the employer gives the employee permission to use it." LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009). Maintenx repeatedly and quite plainly admits that it gave Lenkowski access to its computer system and all of its data. Maintenx has not alleged facts showing that Lenkowski obtained the data at issue by using a computer without authorization. See Bell Aerospace Services, Inc. v. U.S. Aero Services, Inc., 690 F.Supp.2d 1267, 1272 (M.D. Ala. 2010) (rejecting plaintiff's claim that defendants accessed its computer "without authorization" because, when the alleged CFAA violation occurred, the defendants were all employed by the plaintiff and had permission to access its computers). Maintenx's conclusory allegation that Lenkowski engaged in the underlying conduct without authorization is thus insufficient.
"Exceeds authorized access," on the other hand, means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter. 18 U.S.C. § 1030(e)(6). To sufficiently allege that Lenkowski exceeded his authorized access, Maintenx must describe an attempt to restrict Lenkowski's access to its computer systems, and assert that Lenkowski violated that restriction. See Clarity Services, Inc. v. Barney, 698 F.Supp.2d 1309, 1316 (M.D. Fla. 2010). Maintenx does not allege that it had limited Lenkowski's scope of access, but rather, makes it abundantly clear that Lenkowski was given unfettered access to all of its data. To the extent Maintenx attempts to derive support for its allegation by maintaining that Lenkowski's use of the data was improper, "'exceeds authorized access' should not be confused with exceeds authorized use." Bell, 690 F.Supp.2d at 1272. As our sister court so aptly put it,
the language of the CFAA does not speak to employees who properly accessed information, but subsequently used it to the detriment of their employers: either one has been granted access or has not. Employers cannot use the CFAA to grant
access to information and then sue an employee who uses that information in a manner undesired by the employer.Power Equipment Maintenance, Inc. v. AIRCO Power Services, Inc., 953 F.Supp.2d 1290, 1296 (S.D. Ga. 2013). The facts put forth by Maintenx support the notion that Lenkowski misused data he obtained from Maintenx's computers, not that he somehow exceeded his seemingly unfettered access.
Because Maintenx has not sufficiently alleged that Lenkowski accessed a computer without authorization or by exceeding his authorized access, Maintenx's claim is deficient as it relates to §§ 1030(a)(2)(C), (a)(4), (a)(5)(B), and (a)(5)(C).
C. Maintenx has not sufficiently alleged that
Lenkowski's actions caused damage
Sections 1030(a)(4) and 1030(a)(5)(A)—(C) also require that the defendant's activities on the computer result in damage, another element which Maintenx has not sufficiently alleged. The statute defines damage as "any impairment to the integrity or availability of data, a program, a system, or information." § 1030(e)(8). In this context, "integrity" means "some diminution in the completeness or useability of data or information on a computer system." Resdev v. Lot Builders, No. 6:04-CV-1374ORL31DAB, 2005 WL 1924743, at *5 (M.D. Fla. 2005). As for the term "availability," it indicates that a party "may prove damage by showing that the defendant's actions somehow made certain data or program not readily obtainable." Cheney v. IPD Analytics, L.L.C., No. 08-23188-CIV, 2009 WL 3806171, at *6 (M.D. Fla. 2009).
Noticeably absent from Maintenx's complaint are any factual allegations that Lenkowski caused damage of this nature to Maintenx's computer system. Maintenx's assertions are premised in its belief that Lenkowski copied certain files onto a removable storage device. But "[t]he copying of information from a computer onto [an external device] is a relatively common function that typically does not, by itself, cause permanent deletion of the original computer files," which is the type of harm contemplated by § 1030(a)(5)(A). Lockheed Martin Corp. v. Speed, No. 6:05-CV-1580-ORL-31, 2013 WL 2683058 at *8 (M.D. Fla. 2006). Thus, without more, this allegation is insufficient.
Maintenx asserts that it "has and will continue to suffer damages, including but not limited to attorney's fees and costs as a result of Lenkowski's unauthorized access to and . . . disclosure of Maintenx data and records." But it appears that Maintenx has confused the requirement to show damage with the requirement to show loss, as mandated in §§ 1030(a)(4) and (a)(5)(C). Loss is defined as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." § 1030(e)(11). So where Maintenx purports to plead damage, it actually pleads loss, and the complaint lacks any factual allegations tending to indicate that Lenkowski's actions resulted in damage.
CONCLUSION
The Court concludes that Maintenx's complaint, riddled with conclusory allegations seemingly unsupported by the facts put forth, does not sufficiently allege a claim under the CFAA. Accordingly, the complaint must be dismissed. See Iqbal, 556 U.S. at 663 ("[T]he tenet that a court must accept a complaint's allegations as true is inapplicable to threadbare recitals of a cause of action's elements, supported by mere conclusory statements."). Despite its belief that Maintenx's CFAA claim is quite tenuous, the Court will give Maintenx 14 days to file a facially sufficient complaint, curing the insufficiencies detailed in this Order, if they can be cured.
It is therefore ORDERED AND ADGUDGED that:
1. Defendant Jeremy Lenkowski's Motion to Abstain, Stay And/Or Dismiss Complaint and Strike Portions of Complaint with Incorporated Memorandum of Law (Dkt. #9) is granted, in part, as stated herein.
2. Plaintiff Maintenx Management Inc.'s Complaint for Damages and Injunctive Relief and Jury Trial Demanded is dismissed without prejudice.
3. Plaintiff may file an amended complaint within fourteen (14) days of this Order. Failure to file an amended complaint during this time shall result in the closure of this case.
DONE AND ORDERED at Tampa, Florida on this 26th day of January, 2015.
/s/_________
JAMES S. MOODY, JR.
UNITED STATES DISTRICT JUDGE
Copies furnished to:
Counsel/Parties of Record
S:\Even\2014\14-cv-2440 mot to abstain stay dismiss.docx