Is Texas a good state for a plaintiff to bring a Computer Fraud and Abuse Act (CFAA) claim?
Yes it is, and a recent case reaffirms that the Federal District Courts in Texas are generally favorable jurisdictions for plaintiffs with CFAA claims because of two key issues, access and loss jurisprudence.
On February 3, 2014, the United States District Court, Southern District of Texas, denied the defendants’ Motion to Dismiss in Absolute Energy Solutions, LLC v. Trosclair, 2014 WL 360503 (S.D. Tex. Feb. 3, 2014) (related CFAAdigest post). This case involved 2 claims: misappropriation of trade secrets and Computer Fraud and Abuse Act.
Facts of the Case
The facts are fairly typical. According to the Complaint, Absolute Energy, the plaintiff, employed J. Trosclair. On April 18, 2013, Absolute Energy terminated J. Trosclair who then opened SBJ Resources, a company that competed with Absolute Energy. Absolute Energy alleges that upon J. Trosclair’s termination, his authorization to access Absolute Energy’s computer system (including email system) was terminated. R. Trosclair is J. Trosclair’s wife and was not employed by Absolute Energy which alleges R. Trosclair was never authorized to access its computer system.
After his termination, J. Trosclair and R. Trosclair accessed Absolute Energy’s computer system without authorization, sent, received, and forwarded email messages belonging to Absolute Energy, and engaged in a business endeavor that directly competed with Absolute Energy using Absolute Energy’s computer system, including to conduct business with Absolute Energy’s customers.
Absolute Energy Filed a Lawsuit
Absolute Energy filed a lawsuit against J. Trosclair and R. Trosclair for violating 18 U.S.C. § 1030 (a)(2) and (a)(4) of the Computer Fraud and Abuse Act and misappropriation of trade secrets (though it is not clear if this claim was pursuant to the newly enacted Texas Uniform Trade Secrets Act (TUTSA)).
The Trosclairs filed a Motion to Dismiss arguing the following points, and included declarations which contradicted the allegations in the Complaint:
- J. Trosclair was a 25% owner of Absolute Energy which gave him authorization to access its computers;
- the email account he was given was an email address and password for a Google operated email account that utilized computers and servers owned by Google, not Absolute Energy;
- The Google email system was used through J. Trosclair’s own personal computer and information received was automatically downloaded to that computer;
- Absolute Energy did not ever de-activate the Google email account that was assigned to J. Trosclair or notify him that he was not supposed to be using that account from his own personal computer;
- R. Trosclair’s only use of the Google email account was when she was gathering emails to forward to their attorney for purposes of an earlier lawsuit that J. Trosclair had filed against Absolute Energy in state court;
- Absolute Energy did not have a written employment agreement nor did it promulgate employee guidelines that prohibited employees from emailing Absolute Energy documents to other personal computers; and
- Absolute Energy failed to adequately plead a loss pursuant to 18 U.S.C. § 1030(g).
Absolute Energy filed a Response to the Motion to Dismiss in which it argued the following points:
- The allegations in the Complaint were adequate to support the CFAA claim and, instead of attacking the sufficiency of the allegations, the Trosclairs include declarations as evidence to contradict the substance of the allegations, which is improper for a Rule 12(b)(6) motion to dismiss;
- The allegations in the Complaint were sufficient to establish a loss as it alleged the Trosclairs caused a loss that exceeded $5,000 in value; and
- Given that for purposes of a Rule 12(b)(6) motion to dismiss the allegations asserted in the Complaint are to be taken as true, the motion should be denied.
Legal Principles and Court’s Analysis in Denying the Motion to Dismiss
The primary reason why the court denied the motion to dismiss is, what many laymen may feel like is a technicality, but in reality is a well-settled principle when dealing with motions to dismiss; that is, they are generally not the proper vehicle for addressing factual disputes. Generally they are intended for such cases where you say, “even if we assume that everything the plaintiff says is true, he still has no case because of x, y or z …” In this case, the Trosclairs tried to dispute the veracity of Absolute Energy’s factual allegations which, by definition, created a factual dispute that almost always requires denial of a motion to dismiss on such grounds. And, it did.
Point of Law 1. A motion to dismiss a Computer Fraud and Abuse Act claim in which the the defendants’ argue that the plaintiff’s allegations are false because, contrary to plaintiff’s allegations, the defendants really were authorized to access plaintiff’s computers, is an argument that raises a factual dispute that could not be decided on a motion to dismiss. This is a procedural issue that is germane to all motions to dismiss, regardless of the particular subject matter of the claim.
In ruling on the motion, the court also provided some succinct statements of important principles concerning the Computer Fraud and Abuse Act:
Point of Law 2. The elements to a Section 1030(a)(2) claim require a plaintiff to show that a defendant: (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information, (4) from any protected computer, and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.
Point of Law 3. The elements to a Section 1030(a)(4) claim require a plaintiff to show that a defendant: (1) accessed a protected computer, (2) without authorization or exceeding such authorization that was granted (3) knowingly and with intent to defraud, and thereby (4) furthered the intended fraud and obtained anything of value, causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.
Point of Law 4. The court reaffirmed its adherence to the Intended Use Theory that is followed in the Fifth Circuit which stated that “[a]ccess to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded.” quoting United States v. John, 597 F.3d 263, 272 (5th Cir. 2010).
Finally, the court addressed the 18 U.S.C. § 1030(g) jurisdictional loss issue.
Point of Law 5. To satisfy the loss requirement and state a civil claim under the CFAA, plaintiff is not required to allege details or the exact nature of the loss. Rather, plaintiff must simply allege sufficient damages to establish that the elements of a 18 U.S.C. § 1030(g) claim have been met.
My Thoughts on the Case
Did the plaintiff adequate plead an unauthorized access to a protected computer?
Regarding the dispute over the access issue, I believe the court was correct in its ruling based on the arguments that counsel presented in their motions. As a general rule, a motion to dismiss should be denied when the arguments supporting the motion are that the plaintiff’s facts are wrong, as was the case here. However, I have a problem with it — and regular readers know that if I have a problem with a successful CFAA case, there just may be a problem there!
I recently defended a CFAA case in which the plaintiff’s allegations of access were simply bald allegations that were too vague and conclusory to determine how the wrongful access purportedly occurred or, more importantly, what protected computer was even accessed. In my view, two things that should be required for any CFAA wrongful access claim are (1) specificity as to what protected computer was accessed and (2) how the plaintiff believes the access occurred, in general. Because neither of these points had been pleaded in my case, in my motion to dismiss I thoroughly briefed the law that says a court is not always required to accept the plaintiff’s allegations as true because in cases where the plaintiff makes nothing more than “bald allegations” because they are conclusory and, as a matter of law, not entitled to be assumed true. Here is the general gist of the three questions a court should ask per this argument, a “no” to any one question means the allegations in the complaint are insufficient:
- Ignoring all “bald allegations” and “legal conclusions,” do the “factual allegations” support the elements of the claim?
- If so, does common sense and judicial experience suggest the plaintiff’s theory of the claim is plausible or that there are more likely alternative explanations?
- If not, are the factual allegations supporting the discrete nuances of the claim strong enough to nudge the claim across the line from conceivable to plausible?
If you are interested in reading more of this argument, here is the Brief in Support of Motion to Dismiss Amended Complaint. There are also significant issues with the “information and belief” allegations, which is another issue that I briefed in the foregoing motion, which could be helpful in this case as they are used quite freely.
There are several key allegations in Absolute Energy’s Complaint that are pleaded as bald allegations and/or pleaded on information and belief and, therefore, should not be entitled to the presumption of truth:
“12. Upon information and belief, Jason and Rhonda did, after Jason’s termination from Absolute, access on multiple occasions the computer system and e-mail system and accounts of Absolute, without the knowledge, permission, or authorization of Absolute.”
- “computer system and e-mail system and accounts” is too generic of an allegation — which specific device or account is being claimed as a protected computer that was wrongfully accessed?
- without more specificity as to what actual device or account was accessed, such a generic allegation should not suffice
- how were the accesses accomplished? this too is important to know because it sheds a lot of light on the plausibility issue mentioned in the 3 question test.
“10. Upon termination of Jason Trosclair’s employment, his authorization to access the computer system and e-mail accounts and/or system of Absolute was terminated.”
- This goes to the plausibility issue — how was his authorization terminated?
- Was he notified in an exit interview? Were his credentials revoked? Was there a policy somewhere that said it was terminated?
- Without some specificity on this issue, this is nothing more than a “threadbare” legal conclusion that is not entitled to a presumption of truth.
- Now add in the fact that he was a 25% owner of the company and his access to the email account was never shut off — does the mere fact that plaintiff pleaded “his authorization … was terminated” with nothing more push this across the line from conceivable to plausible?
The court ruled on the issues presented by counsel and, based on the arguments in the motions and responses, it made the safe ruling. However, based on the facts we learned from the Trosclair’s declarations, there are some significant issues that Absolute Energy will need to address with its case — if not its Complaint — otherwise this may be a short lived victory.
Did the Plaintiff adequately plead the jurisdictional threshold $5,000 loss?
Not even close (IMHO). I have written extensively about the $5,000 loss requirement (see posts). Have you, the readers of this blog, been paying attention? Let’s find out … according to the court:
Plaintiff has alleged a loss exceeding $5,000. See Complaint, ¶ 23. To state a claim under the CFAA, Plaintiff is not required to allege … details or the exact nature of the loss. Rather, Plaintiff must simply allege sufficient damages to establish that the elements of a Section 1030(g) claim have been met, as Plaintiff has done here. [The court then footnotes the following:] Plaintiff’s damages allegations are sparse but are sufficient for present purposes, when read in light of the allegations in ¶ 29 of the Complaint. Because it is better practice, Plaintiff will be required to elaborate on the damages in an amended complaint ….”
What do you think? Do you see what I see? 3 references to damages?!?! Damages??? Ok, let’s review: Loss and Damage Are Not Interchangeable Under CFAA–District Court Blows Right Past CFAA’s “Loss” Requirement in Sysco Corp. v. Katz
Let’s have a look at what Absolute Energy pleaded as its loss:
And then we have Paragraph 29, which the court found to be important:
Let me put this as simply as I can:
LOSSES ARE NOT DAMAGES!
A LOSS MUST BE A COST UNLESS THERE IS AN INTERRUPTION OF SERVICE, WHICH IS NOT PLEADED HERE.
What did Absolute Energy plead?
- “actual damages in excess of $75,000” NO!
- “obtaining value of more than $5,000” NO!
- “obtained information with a value in excess of $5,000” NO!
- “loss of business” NO!
- “loss of prospective business” NO!
- “economic costs associated with Defendants’ tortious acts” MAYBE
- “attorneys’ fees” MAYBE
I have said all I can say about this case for now and it will be interesting to see how it progresses.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service business law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.