215 F. Supp. 3d 1226
D. Wyo.2016Background
- Central Bank & Trust (CB&T) employed Smith (CFO), Kiolbasa (Cheyenne branch president), and Thomas (assistant cashier); all had broad electronic access to CB&T’s servers and confidential customer and financial data.
- While still employed (and after Thomas’s earlier resignation), Smith and Kiolbasa created cloud “drop box” accounts and copied large amounts of CB&T electronic data to them; one drop box was labeled for Farmers State Bank (FSB), a direct competitor.
- Kiolbasa emailed a list of potential customers to FSB personnel and shortly after resigning, the defendants (Smith, Thomas, Kiolbasa) acquired controlling interest in FSB; FSB then obtained numerous CB&T accounts worth millions.
- CB&T sued under federal statutes (three CFAA counts and one Stored Communications Act count) and several state-law claims alleging theft/misuse of proprietary information; defendants moved to dismiss under Rule 12(b)(6).
- The court evaluated whether alleged access was “without authorization” or “exceeded authorized access” under the CFAA and whether CB&T qualified as a protected “facility” or alleged unauthorized access under the SCA.
- The court dismissed all federal claims for failure to plead unauthorized access (finding employees had authorized access to the data) and declined supplemental jurisdiction over state claims, dismissing them without prejudice.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether CFAA liability exists where employees with legitimate credentials copied employer data and later used it for a competitor | CFAA covers employees who misuse legitimately accessed data; the circuit split should be resolved in plaintiff’s favor | CFAA requires accessing data without permission or accessing areas beyond authorized bounds; here employees had authorized access | Dismissed: under the court’s adopted narrow view, access was authorized so CFAA claims fail |
| Whether SCA §2701 applies where employees copied employer-stored electronic data to external accounts | SCA prohibits unauthorized access to stored electronic communications and applies here | SCA protects facilities operated by ECS providers, not ordinary employer servers; and no unauthorized access alleged | Dismissed: CB&T is not an SCA “facility” and no unauthorized access was alleged |
| Whether the Tenth Circuit’s unsettled law requires denial of dismissal because of circuit split | Plaintiff urged the court to adopt broader circuits’ approach | Defendants argued Tenth Circuit district courts follow narrower approach; plaintiff’s facts insufficient under narrow reading | Court followed persuasive Tenth Circuit district-court precedent adopting narrow interpretation and dismissed federal claims |
| Whether federal jurisdiction should retain state claims after dismissal of federal claims | Plaintiff urged retention because state claims implicate important federal interests | Defendants argued federal claims fail and state claims should be remanded | Court declined supplemental jurisdiction and dismissed state claims so parties may pursue them in Wyoming state court |
Key Cases Cited
- Ashcroft v. Iqbal, 556 U.S. 662 (pleading standard; plausibility)
- International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) (broad CFAA interpretation treating misuse as exceedance)
- LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (narrow CFAA interpretation focusing on lack of authorization)
- WEC Carolina Energy Sols., LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) (definitional framework for "without authorization" and "exceeds authorized access")
- United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010) (broad view applying CFAA to misuse by authorized users)
- Garcia v. City of Laredo, Tex., 702 F.3d 788 (5th Cir. 2012) (SCA protects ECS providers’ facilities, not ordinary user-owned computers)