JBCHoldings NY, LLC v. Pakter, 931 F. Supp.2d 514 (S.D.N.Y. Mar. 20, 2013)
Plaintiff purchased an executive search firm from the Defendants. Per their agreement, Defendant Janou would continue working for the business; both Defendants entered into a non-compete agreement. Despite the non-competes, the Defendants began setting up a competing business that was discovered when Plaintiff discovered Defendant Janou left her personal email account open on Plaintiff’s computer at work and its emails revealed their nefarious plans and activities while still an insider in Plaintiff’s company.Defendants also obtained client lists and other proprietary information though Plaintiff could only speculate as to precisely what means Defendants used to obtain that information and theorized the following methods: (1) copying it to Janou’s personal laptop and sharing it with the other defendants; (2) lifting it from Plaintiff’s computers using a flash drive; and/or (3) obtaining it remotely via spyware.
On these allegations, Plaintiff sued Defendants for violating the Computer Fraud and Abuse Act, inter alia. The CFAA claim was the only federal claim. Plaintiff sought a TRO and during the hearing the court noted that the CFAA claim seemed deficient as a matter of law. Plaintiff filed an Amended Complaint. Defendants moved to dismiss the Amended Complaint for failure to state a claim, which was granted by this opinion for the following reasons.
- The Second Circuit has not explicitly addressed whether to follow the narrow approach (Strict Access Theory) or the broad approach (Intended Use Theory), but the court determines the narrow approach of the Ninth and Fourth Circuits is the appropriate standard, based in part on the Second Circuit’s CFAA loss jurisprudence: “the Second Circuit affirmed the district court’s reading of [the loss] provision to exclude losses incurred as a result of plaintiff’s misappropriate of proprietary information…. [which] implicitly shows that the statute as a whole does not reach misappropriation of lawfully accessed information. It would be illogical for the statute to prohibit misappropriation of employer information, but not to define loss to include the losses resulting from that misappropriation.” (Note – I am not sure I agree with this given that the CFAA generally compensates for damages, a separate element than loss, which is generally used to set the threshold to get a civil CFAA claim into court. Further analysis of this, however, is beyond the scope of this post.)
- “An employee acts ‘without authorization’ when he accesses a computer without permission to do so; an employee ‘exceeds authorized access’ when he has permission to access certain information on a computer, but accesses other information as to which he lacks permission.”
- “[N]owhere in the Amended Complaint is there any allegation that Janou or Theobalt lacked the authority to access this information…. [A]lthough Janou’s alleged actions violated plaintiffs’ electronic media policy, such misuse does not state a claim under the CFAA, because an employee does not ‘exceed [ ] authorized access’ or act ‘without authorization’ when she misuses information to which she otherwise has access.”
- The Amended Complaint does include certain allegations that, if sufficiently pled, would state a cause of action under the CFAA, however, such allegations were based on Plaintiff’s beliefs of what may have been possible or could have happened, and pleaded “upon information and belief” though Plaintiff admits it does not know whether they are true or not. The court rejected these because “[t]hese are precisely the sort of speculative, ‘naked assertion[s]’ that do not suffice to survive a motion to dismiss.”