Yes, Texas is a good state for plaintiffs to bring a CFAA claim.

©2011 Braydon Fuller

Is Texas a good state for a plaintiff to bring a Computer Fraud and Abuse Act (CFAA) claim?

Yes it is, and a recent case reaffirms that the Federal District Courts in Texas are generally favorable jurisdictions for plaintiffs with CFAA claims because of two key issues, access and loss jurisprudence.

On February 3, 2014, the United States District Court, Southern District of Texas, denied the defendants’ Motion to Dismiss in Absolute Energy Solutions, LLC v. Trosclair, 2014 WL 360503 (S.D. Tex. Feb. 3, 2014) (related CFAAdigest post). This case involved 2 claims: misappropriation of trade secrets and Computer Fraud and Abuse Act.

Facts of the Case

The facts are fairly typical. According to the Complaint, Absolute Energy, the plaintiff, employed J. Trosclair. On April 18, 2013, Absolute Energy terminated J. Trosclair, who then opened SBJ Resources, a company that competed with Absolute Energy. Absolute Energy alleges that upon J. Trosclair’s termination, his authorization to access Absolute Energy’s computer system (including its email system) was terminated. R. Trosclair is J. Trosclair’s wife and was not employed by Absolute Energy, which alleges that R. Trosclair was never authorized to access its computer system.

After his termination, J. Trosclair and R. Trosclair accessed Absolute Energy’s computer system without authorization, sent, received, and forwarded email messages belonging to Absolute Energy, and engaged in a business endeavor that directly competed with Absolute Energy using Absolute Energy’s computer system, including to conduct business with Absolute Energy’s customers.

Absolute Energy Filed a Lawsuit

Absolute Energy filed a lawsuit against J. Trosclair and R. Trosclair for violating 18 U.S.C. § 1030 (a)(2) and (a)(4) of the Computer Fraud and Abuse Act and misappropriation of trade secrets (though it is not clear if this claim was pursuant to the newly enacted Texas Uniform Trade Secrets Act (TUTSA)).

The Trosclairs filed a Motion to Dismiss arguing the following points, and included declarations which contradicted the allegations in the Complaint:

  1. J. Trosclair was a 25% owner of Absolute Energy which gave him authorization to access its computers;
  2. the email account he was given was an email address and password for a Google operated email account that utilized computers and servers owned by Google, not Absolute Energy;
  3. The Google email system was used through J. Trosclair’s own personal computer and information received was automatically downloaded to that computer;
  4. Absolute Energy did not ever de-activate the Google email account that was assigned to J. Trosclair or notify him that he was not supposed to be using that account from his own personal computer;
  5. R. Trosclair’s only use of the Google email account was when she was gathering emails to forward to their attorney for purposes of an earlier lawsuit that J. Trosclair had filed against Absolute Energy in state court;
  6. Absolute Energy did not have a written employment agreement nor did it promulgate employee guidelines that prohibited employees from emailing Absolute Energy documents to other personal computers; and
  7. Absolute Energy failed to adequately plead a loss pursuant to 18 U.S.C. § 1030(g).

Absolute Energy filed a Response to the Motion to Dismiss in which it argued the following points:

  1. The allegations in the Complaint were adequate to support the CFAA claim and, instead of attacking the sufficiency of the allegations, the Trosclairs include declarations as evidence to contradict the substance of the allegations, which is improper for a Rule 12(b)(6) motion to dismiss;
  2. The allegations in the Complaint were sufficient to establish a loss as it alleged the Trosclairs caused a loss that exceeded $5,000 in value; and
  3. Given that for purposes of a Rule 12(b)(6) motion to dismiss the allegations asserted in the Complaint are to be taken as true, the motion should be denied.

Legal Principles and Court’s Analysis in Denying the Motion to Dismiss

The primary reason the court denied the motion to dismiss is what many laymen may feel is a technicality but is in reality a well-settled principle when dealing with motions to dismiss: they are generally not the proper vehicle for addressing factual disputes. Generally they are intended for cases where you say, “even if we assume that everything the plaintiff says is true, he still has no case because of x, y or z …” In this case, the Trosclairs tried to dispute the veracity of Absolute Energy’s factual allegations which, by definition, created a factual dispute that almost always requires denial of a motion to dismiss on such grounds. And, it did.

Point of Law 1. A motion to dismiss a Computer Fraud and Abuse Act claim in which the defendants argue that the plaintiff’s allegations are false because, contrary to plaintiff’s allegations, the defendants really were authorized to access plaintiff’s computers, is an argument that raises a factual dispute that could not be decided on a motion to dismiss. This is a procedural issue that is germane to all motions to dismiss, regardless of the particular subject matter of the claim.

In ruling on the motion, the court also provided some succinct statements of important principles concerning the Computer Fraud and Abuse Act:

Point of Law 2. The elements to a Section 1030(a)(2) claim require a plaintiff to show that a defendant: (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information, (4) from any protected computer, and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.

Point of Law 3. The elements to a Section 1030(a)(4) claim require a plaintiff to show that a defendant: (1) accessed a protected computer, (2) without authorization or exceeding such authorization that was granted (3) knowingly and with intent to defraud, and thereby (4) furthered the intended fraud and obtained anything of value, causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.

Point of Law 4. The court reaffirmed its adherence to the Intended Use Theory that is followed in the Fifth Circuit which stated that “[a]ccess to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded.” quoting United States v. John, 597 F.3d 263, 272 (5th Cir. 2010).

Finally, the court addressed the 18 U.S.C. § 1030(g) jurisdictional loss issue.

Point of Law 5. To satisfy the loss requirement and state a civil claim under the CFAA, plaintiff is not required to allege details or the exact nature of the loss. Rather, plaintiff must simply allege sufficient damages to establish that the elements of an 18 U.S.C. § 1030(g) claim have been met.

My Thoughts on the Case

Did the plaintiff adequately plead an unauthorized access to a protected computer?

Regarding the dispute over the access issue, I believe the court was correct in its ruling based on the arguments that counsel presented in their motions. As a general rule, a motion to dismiss should be denied when the arguments supporting the motion are that the plaintiff’s facts are wrong, as was the case here. However, I have a problem with it — and regular readers know that if I have a problem with a successful CFAA case, there just may be a problem there!

I recently defended a CFAA case in which the plaintiff’s allegations of access were simply bald allegations that were too vague and conclusory to determine how the wrongful access purportedly occurred or, more importantly, what protected computer was even accessed. In my view, two things that should be required for any CFAA wrongful access claim are (1) specificity as to what protected computer was accessed and (2) how the plaintiff believes the access occurred, in general. Because neither of these points had been pleaded in my case, in my motion to dismiss I thoroughly briefed the law that says a court is not always required to accept the plaintiff’s allegations as true in cases where the plaintiff makes nothing more than “bald allegations,” because they are conclusory and, as a matter of law, not entitled to be assumed true. Here is the general gist of the three questions a court should ask per this argument; a “no” to any one question means the allegations in the complaint are insufficient:

  1. Ignoring all “bald allegations” and “legal conclusions,” do the “factual allegations” support the elements of the claim?
  2. If so, does common sense and judicial experience suggest the plaintiff’s theory of the claim is plausible or that there are more likely alternative explanations?
  3. If not, are the factual allegations supporting the discrete nuances of the claim strong enough to nudge the claim across the line from conceivable to plausible?

If you are interested in reading more of this argument, here is the Brief in Support of Motion to Dismiss Amended Complaint. There are also significant issues with the “information and belief” allegations, which is another issue that I briefed in the foregoing motion, which could be helpful in this case as they are used quite freely.

There are several key allegations in Absolute Energy’s Complaint that are pleaded as bald allegations and/or pleaded on information and belief and, therefore, should not be entitled to the presumption of truth:

“12.     Upon information and belief, Jason and Rhonda did, after Jason’s termination from Absolute, access on multiple occasions the computer system and e-mail system and accounts of Absolute, without the knowledge, permission, or authorization of Absolute.”

      • “computer system and e-mail system and accounts” is too generic of an allegation — which specific device or account is being claimed as a protected computer that was wrongfully accessed?
      • without more specificity as to what actual device or account was accessed, such a generic allegation should not suffice
      • how were the accesses accomplished? this too is important to know because it sheds a lot of light on the plausibility issue mentioned in the 3 question test.

“10.     Upon termination of Jason Trosclair’s employment, his authorization to access the computer system and e-mail accounts and/or system of Absolute was terminated.”

        • This goes to the plausibility issue — how was his authorization terminated?
        • Was he notified in an exit interview? Were his credentials revoked? Was there a policy somewhere that said it was terminated?
        • Without some specificity on this issue, this is nothing more than a “threadbare” legal conclusion that is not entitled to a presumption of truth.
        • Now add in the fact that he was a 25% owner of the company and his access to the email account was never shut off — does the mere fact that plaintiff pleaded “his authorization … was terminated” with nothing more push this across the line from conceivable to plausible?

The court ruled on the issues presented by counsel and, based on the arguments in the motions and responses, it made the safe ruling. However, based on the facts we learned from the Trosclairs’ declarations, there are some significant issues that Absolute Energy will need to address with its case — if not its Complaint — otherwise this may be a short-lived victory.

Did the Plaintiff adequately plead the jurisdictional threshold $5,000 loss?

Not even close (IMHO). I have written extensively about the $5,000 loss requirement (see posts). Have you, the readers of this blog, been paying attention? Let’s find out … according to the court:

“Plaintiff has alleged a loss exceeding $5,000. See Complaint, ¶ 23. To state a claim under the CFAA, Plaintiff is not required to allege … details or the exact nature of the loss. Rather, Plaintiff must simply allege sufficient damages to establish that the elements of a Section 1030(g) claim have been met, as Plaintiff has done here. [The court then footnotes the following:] Plaintiff’s damages allegations are sparse but are sufficient for present purposes, when read in light of the allegations in ¶ 29 of the Complaint. Because it is better practice, Plaintiff will be required to elaborate on the damages in an amended complaint ….”

What do you think? Do you see what I see? 3 references to damages?!?! Damages??? Ok, let’s review: Loss and Damage Are Not Interchangeable Under CFAA–District Court Blows Right Past CFAA’s “Loss” Requirement in Sysco Corp. v. Katz

Let’s have a look at what Absolute Energy pleaded as its loss:

Absolute Energy - Loss

And then we have Paragraph 29, which the court found to be important:

Let me put this as simply as I can:

LOSSES ARE NOT DAMAGES!

A LOSS MUST BE A COST UNLESS THERE IS AN INTERRUPTION OF SERVICE, WHICH IS NOT PLEADED HERE.

What did Absolute Energy plead?

  • “actual damages in excess of $75,000” NO!
  • “obtaining value of more than $5,000” NO!
  • “obtained information with a value in excess of $5,000” NO!
  • “loss of business” NO!
  • “loss of prospective business” NO!
  • “economic costs associated with Defendants’ tortious acts” MAYBE
  • “attorneys’ fees” MAYBE

I have said all I can say about this case for now and it will be interesting to see how it progresses.

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex intellectual property issues such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act. He is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as across the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

District Court Finds Breach of Contractual Limits on Access Violates the CFAA

TAKEAWAY: Businesses (and anyone else) that allow others to access their computers should have contractual agreements with those persons that clearly specify the restrictions on their authorization to access and use the computers and data.

This is the lesson of United States v. Cave, 2013 WL 3766550 (D. Neb. July 16, 2013), a case in which the court found that a memorandum of understanding that restricted the defendant’s access to a database as being only for professional use in his job also set the limits of authorized access for purposes of the Computer Fraud and Abuse Act. This is an example of the Intended Use Theory of access under the CFAA that was also followed by Custom Hardware Engineering & Consulting, Inc. v. Dowell, 2013 WL 252945 (E.D. Mo. Jan. 23, 2013), which I blogged about here: Employment Agreement Restrictions Determined Whether Employees Exceeded Authorized Access Under Computer Fraud and Abuse Act (I also explain the Trilogy of Access Theories in this post: Intended Use Theory, Strict Access Theory, and Agency Theory).

While the Ninth and Fourth Circuits have received a lot of recent attention for adhering to the Strict Access Theory, the majority of circuit courts that have ruled on this issue still follow the Intended-Use Theory, including the First, Third, Fifth, Eighth, and Eleventh Circuits. With the Intended-Use Theory, it is very important to have some form of contractual or other objectively verifiable restrictions on the authorization to access the computer and data to demonstrate to the court that there were restrictions in place and the defendant had actual notice of those restrictions.

Employment Agreement Restrictions Determined Whether Employees Exceeded Authorized Access Under Computer Fraud and Abuse Act

A recent district court opinion relied on employment agreement restrictions to determine whether the employees exceeded their authorized access to the employer’s computers. In doing so, the court used the Intended-Use Theory of access to determine whether there may have been a violation of the Computer Fraud and Abuse Act (CFAA), highlighting the need for companies to have well-written agreements that objectively establish such intended use.

Specifically, the court looked to two restrictions in the employment agreements that happen to be the same restrictions I make sure my clients have in their employment agreements:

  1. the employee’s use of the computer and data was restricted to the period of employment (limited duration); and
  2. the employee’s use of the computer and data was restricted to being only for the benefit of employer (intended use). 

Notice the italicized text “and data” — that is another restriction that I include in these agreements. Why? Because most of the agreements that are litigated under the CFAA involve restrictions on the access to and use of the computers but most of the underlying factual scenarios for those same cases involve the usage of the data obtained by the access — not just the access to the computer. The case discussed here is Custom Hardware Engineering & Consulting, Inc. v. Dowell, 2013 WL 252945 (E.D. Mo. Jan. 23, 2013), and it exemplifies this point quite well.

While it is always important to have well written employment agreements and/or acceptable computer use policies, it is even more important to have these in jurisdictions that follow the Intended-Use Theory of access because under this theory the courts look to the restrictions placed upon and known by the employee to determine whether authorized access is exceeded. In United States v. John, 597 F.3d 263, 271 (5th Cir. 2010), the court explained its “intended-use analysis” as follows: access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded and the employee is actually aware of those limitations on purpose through policies or contractual agreements.

Trilogy of Access Theories

There are three theories of access under the Computer Fraud and Abuse Act: Intended-Use Theory, Strict Access Theory, and Agency Theory. I explain this trilogy of access theories with more detail in this post: New “Employment” Computer Fraud and Abuse Act case … but with a twist! though the cases under the Strict Access Theory have changed since that time.

The Intended-Use Theory is followed by the following jurisdictions (as of this writing): Fifth Circuit (United States v. John and United States v. Phillips), Eleventh Circuit (United States v. Rodriguez), Eighth Circuit, which includes Missouri (United States v. Teague), Third Circuit (United States v. Tolliver) and possibly the First Circuit (United States v. Morris and United States v. Czubinski) as the rationale for the Intended-Use Theory is derived from the second factor in Morris.

The Strict Access Theory is followed by the Ninth Circuit (United States v. Nosal a/k/a Nosal II) and Fourth Circuit (WEC Carolina Energy Solutions LLC v. Miller).

The Agency Theory is followed by the Seventh Circuit (International Airport Centers, LLC v. Citrin).

TAKEAWAYS: The important takeaways from the Custom Hardware Engineering & Consulting, Inc. v. Dowell case are that your business really needs to have solid employment agreements or acceptable use policies that restrict (1) the duration for which access is authorized, (2) the intended-use for which access is authorized, and (3) that these restrictions apply to not only the computers but also the data that is accessible from those computers.

If you would like to talk with me about legal issues concerning computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).

Current Employee May Have Violated Computer Fraud and Abuse Act by Downloading for Secret New Employer

A federal district court in Mississippi refused to dismiss the Computer Fraud and Abuse Act claims against an individual who, during the term of his employment, downloaded confidential information for a new employer. While employed by the plaintiff, the defendant had secretly negotiated an employment agreement with a new company but, before announcing his resignation, he accessed the plaintiff’s computers and downloaded a substantial amount of its sensitive confidential business information. The District Court found this could be an unauthorized access under the Computer Fraud and Abuse Act: “Several courts have recognized however, that ‘once an employee is working for himself or another, his authority to access the computer ends, even if he or she is still employed at the present employer.’” Unified Brands, Inc. v. Teders, 868 F. Supp.2d 572 (S.D. Miss. 2012) (quoting Continental Group, Inc. v. KW Prop. Mgmt., LLC, 622 F. Supp.2d 1357, 1372 (S.D. Fla. 2009)).

What I find interesting about this case is that it seems to rely on the rationale of the Agency Theory that is followed by the Seventh Circuit as opposed to the Intended Use Theory that is followed by the Fifth Circuit (which includes Mississippi) and the Eleventh Circuit (which includes Florida). Cases following the Agency Theory are becoming a rarity these days (see Citrin Lives!). For a more detailed explanation of the three primary theories of access you can read more HERE. What will be interesting is to see what path the parties take should there be a motion for summary judgment in the future.

Should you or anyone you know need assistance in dealing with possible claims under the Computer Fraud and Abuse Act or just want to talk about the law in general, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com) and I will be more than happy to talk with you!

-Shawn E. Tuma