UNITED STATES DISTRICT COURT CENTRAL DISTRICT OF ILLINOIS PEORIA DIVISION
May 12, 2009
BLOOMINGTON-NORMAL SEATING COMPANY, INC., PLAINTIFF,
JASON ALBRITTON, DEFENDANT.
The opinion of the court was delivered by: Michael M. Mihm United States District Judge
Plaintiff Bloomington-Normal Seating Company, Inc. ("Bloomington") filed a Complaint against Defendant Jason Albritton ("Albritton"). Before the Court is Albritton's Motion to Dismiss Bloomington's Complaint. For the reasons set forth below, the Court DENIES the Motion [#8].
According to the Complaint, Bloomington is a maker of automotive seating which maintains its confidential budgetary information, accounting information, and human resources information on a password-protected computerized system, and limits access to this information to those employees who have a need to know such information in order to perform their job functions. Bloomington contends that it requires all of its employees to enter into a confidentiality agreement in which they agree not to engage in the unauthorized use or disclosure of the confidential information. Further, Bloomington states that it maintains an internet and email policy to maintain the integrity of its electronic data and its information system. This internet and email policy provides that, without specific authorization, employees are not to access another's email, or internet accounts; listen to or publish another person's email or electronic communications; or download any computer programs or files without the express permission of the Information Systems Department.
Bloomington hired Albritton to be its sales and purchasing coordinator and alleges that it took reasonable steps to ensure that he maintained the confidentiality of information to which he had access and restricted his access to information that he did not need to perform his job. Bloomington asserts that Albritton misappropriated its confidential information by, among other things, accessing and obtaining information that he was not authorized to view and disclosing this information to individuals not authorized to receive such information. Specifically, the Complaint alleges that Albritton accessed confidential information without authorization, accessed his manager's email, transmitted computer commands resulting in email transmissions of various confidential budget and human resources information to co-workers, activated commands which caused unauthorized activation and use of certain software on Bloomington's equipment, transmitted commands resulting in approximately 1,200 unauthorized instant messages (some of which disseminated confidential information), transmitted commands to set up unauthorized remote access to other computers, and performed many of these actions by the unauthorized use of a Bloomington administrator's password. (Compl. ¶¶ 15-16). Bloomington's Complaint includes two counts: Count I for violation of the Federal Computer Fraud and Abuse Act ("CFAA") and Count II for violation of the Stored Communications Act ("SCA").
Albritton moves to dismiss the Complaint pursuant to Fed. R. Civ. P. 12(b)(6), arguing that Bloomington cannot prove any set of facts in support of its claims that would entitle it to relief.
A complaint should not be dismissed unless it appears from the pleadings that the plaintiff could prove no set of facts in support of his claim which would entitle him to relief. See Conley v. Gibson, 355 U.S. 41 (1957); Gould v. Artisoft, Inc., 1 F.3d 544, 548 (7th Cir. 1993). Rather, a complaint should be construed broadly and liberally in conformity with the mandate in Federal Rules of Civil Procedure 8(f).
For purposes of a motion to dismiss, the complaint is construed in the light most favorable to the plaintiff, its well-pleaded factual allegations are taken as true, and all reasonably-drawn inferences are drawn in favor of the plaintiff. See Albright v. Oliver, 510 U.S. 266, 268 (1994); Hishon v. King & Spalding, 467 U.S. 69 (1984); Lanigan v. Village of East Hazel Crest, 110 F.3d 467 (7th Cir. 1997); M.C.M. Partners, Inc. v. Andrews-Bartlett & Assoc., Inc., 62 F.3d 967, 969 (7th Cir. 1995); Early v. Bankers Life & Cas. Co., 959 F.2d 75 (7th Cir. 1992).
1. Count I: Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et. seq.
Albritton argues that Bloomington does not adequately state a claim under the CFAA because Bloomington failed to allege damage and loss. The CFAA describes a violator of the statute:
Whoever (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct knowingly causes damage without authorization to a protected computer; (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and by conduct.caused. loss to 1 or more persons during any 1-year period.aggregating at least $5,000 in value. 18 U.S.C. § 1030(a)(5)
The statute defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information. 18 U.S.C. § 1030(e)(8). The statute defines "loss" as "any reasonable cost to any victim, including the cost of responding to an offense, conducting any damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or consequential damages incurred because of the interruption of service." 18 U.S.C. § 1030(e)(11). The statute further states:
Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). 18 U.S.C. § 1030(g).
Under the CFAA, damage is limited to the destruction or impairment of the integrity or availability of data and information; an employee causes "damage" when he destroys company data. Del Monte Fresh Produce, N.A., Inc. v. Chiquita Brands Intl. Inc., No. 07 C 5902, 2009 WL 743215 at * 2-3 (N.D. Ill. March 19, 2009). Merely downloading and emailing confidential information is insufficient to show damages. Id. at 2. "Loss" is limited to costs that are directly associated with, or with addressing, an unauthorized computer-access event. Garelli Wong & Associates, Inc. v. Nichols, 551 Supp. 704, 711 (N.D. Ill. 2008). On a motion to dismiss, an allegation that a plaintiff paid for a damage assessment of a defendant's computer could satisfy the loss requirement. Del Monte Fresh Produce, 2009 WL 743215 at * 4.
This Court must first decide whether the CFAA requires a plaintiff to plead damage and loss or whether pleading damage or loss is sufficient. The interpretation of Section 1030 has created substantial disagreement and both parties cite to numerous district court cases to support their proposition. Compare Wong, 551 Supp. at 708 (holding that "[a] thorough reading of the text above shows that it is necessary for a plaintiff to plead both damage and loss in order to properly allege a civil CFAA claim") and Del Monte Fresh Produce, 2009 WL 743215 at * 3 (holding that "[a] plaintiff that has not suffered any damage may still prevail on a CFAA claim by showing that it has suffered a loss"). It does not appear that the Seventh Circuit has offered its opinion as to how to interpret 18 U.S.C. § 1030(g). After reading the relevant cases and reviewing the statute, this Court concludes that under the most natural reading of section 1030(g), either an allegation of damage or loss would suffice.
Bloomington's Complaint alleges Albritton violated the statute by intentionally accessing BSC's protected computer and without authorization, retrieved and disseminated Bloomington's confidential data and, as a result of such conduct, recklessly caused Bloomington to suffer damages and loss in excess of $5,000. (Compl. ¶ 28). Further, Bloomington alleges that Albritton's actions compromised the confidentiality of its information and impaired the integrity and security of its computer system through the creation of unauthorized remote access and the unauthorized use of its administrator's password. Bloomington states that Albritton's conduct required it to undertake an investigation and damage assessment to uncover the extent of the activity, to restore the system to its condition prior to the offense, and to institute remedial security measures. (Compl. ¶ 30).
The Court finds that, at a minimum, Bloomington has alleged that Albritton's conduct caused it to suffer a loss of at least $5,000. As such, Bloomington has properly alleged a civil cause of action under CFAA, and the Court cannot say that Bloomington can prove no set of facts in support of its claim which would entitle it to relief.
2. Stored Communications Act, 18 U.S.C. § 2701 et. seq.
Albritton argues that Bloomington does not adequately state a claim under the SCA because the purpose of the SCA is to protect customers utilizing an internet provider and/or email storage facility's services from computer hackers, but that Bloomington does not allege that it is an internet provider or a storage facility.
The SCA is violated when a person or entity "intentionally accesses without authorization a facility through which an electronic communication service is provided," or "intentionally exceeds an authorization to access that facility," and "thereby obtains ... a wire or electronic communication while it is in storage in such system...." 18 U.S.C. § 2701(a). The statute continues:
Cause of action. [A]ny provider of electronic communication service, subscriber, or other person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity which engaged in that violation such relief as may be appropriate.
18 U.S.C. § 2707(a)
The statute defines "aggrieved person" as a "person who was a party to any intercepted wire, oral, or electronic communication or a person against whom the interception was directed." 18 U.S.C. § 2510(11). "Electronic communication service" is defined as "any service which provides to users thereof the ability to send or receive wire or electronic communications." 18 U.S.C. § 2510(15). "Electronic storage" is defined as "any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and [ ] any storage of such communication by an electronic communication service for purposes of backup protection of such communication." 18 U.S.C. § 2510(17)(A), (B). The statute defines "user" as "any person or entity who uses an electronic communication service." 18 U.S.C. § 2510(13).
The aim of the SCA is, in part, to protect individuals' privacy interests in personal and proprietary information. Kaufman v. Nest Seekers, LLC, 05 CV 6782, 2006 WL 2807177, *4 (S.D.N.Y. Sept. 26, 2006) citing S.Rep. No. 99- 541, at 3 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, at 3557. Section 2701 "addresses the growing problem of unauthorized persons deliberately gaining access to, and sometimes tampering with, electronic or wire communications that are not intended to be available to the public." Id., citing S.Rep. No. 99-541, at 35; 1986 U.S.C.C.A.N. at 3589. A defendant violates the SCA when he intentionally accesses his co-workers' email accounts without authorization. Cedar Hill Associates, Inc. v. Paget, 04 C 0557, 2005 WL 3430562, *3 (N.D. Ill. Dec. 9, 2005); see also Cardinal Health 414, Inc. v. Adams, 582 F.Supp.2d 967, 976 (M.D. Tenn. 2008) ("[W]here the facts indisputably present a case of an individual logging onto another's email account without permission and reviewing the material therein, a summary judgment finding of an SCA violation is appropriate.") (internal citation omitted.)
Bloomington alleges that it was an "other person aggrieved" when Albritton accessed its protected computer and, without authorization, 'obtained' an 'electronic communication [i.e. his manager's email] while it was in electronic storage' and transmitted [Bloomington's] electronic data." (Compl. ¶ 37). The Court finds that Bloomington has properly alleged a civil cause of action under the SCA.
For the reasons set forth herein, the Court DENIES Albritton's Motion to Dismiss [#8]. The Court notes that the relief Bloomington seeks includes an entry of an injunction, pursuant to section (g) of the CFAA, against Albritton, enjoining him from engaging in acts and practices of the CFAA. The Court will schedule a status telephone conference with the parties to discuss whether Bloomington seeks emergency injunctive relief.
© 1992-2009 VersusLaw Inc.