Pascal Pour Elle, Ltd. v. Rehder
1:14-cv-07943
| N.D. Ill. | Dec 9, 2014
Background
- Pascal Pour Elle (PPE) is a multi-location hair salon; Salon Director Eliza Jin had login credentials for PPE’s salon-management software and other systems.
- PPE began migrating data to Rosy Salon, a cloud-based salon-management program that allegedly provides users the ability to send email/text reminders and requires username/password access.
- Jin was fired in February 2014; PPE deactivated her passwords. Months later, Jin allegedly remotely accessed PPE’s Rosy Salon account, obtained client contact and service data, and used it to solicit clients to a competing salon.
- PPE brought federal claims under the Stored Communications Act (SCA, 18 U.S.C. §2701) and the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. §1030), and various state-law claims; defendants moved to dismiss under Rule 12(b)(6).
- Court denied dismissal of most federal claims: held PPE adequately alleged Rosy Salon servers are facilities of an electronic communication service and that data was in electronic storage for pleading purposes; dismissed without prejudice PPE’s §1030(a)(5)(C) claim for failure to plead CFAA “damage,” but allowed CFAA claims under §§1030(a)(2)(C) and (a)(4) to proceed based on pled loss exceeding $5,000.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether Rosy Salon servers are “facilities through which an electronic communication service is provided” under the SCA | Rosy Salon provides email/text functions and passworded online access, so its servers qualify as ECS facilities | Rosy Salon merely hosts an application; it is not an internet/telecom or e-mail provider that transports communications | Court: pleadings sufficiently allege Rosy Salon provides ability to send/receive electronic communications; survives Rule 12(b)(6) (factual proof reserved for later) |
| Whether the accessed data was in “electronic storage” under the SCA | PPE alleges its client/payroll data are stored on Rosy servers incidental to transmission and as backups | Defendants say PPE failed to allege which statutory category of storage applied (temporary/incidental or backup) | Court: allegations that communications were stored and accessible on Rosy servers are sufficient at pleading stage; claim survives |
| Whether PPE adequately pleaded CFAA loss/damage (for private right and §1030(a)(5)(C)) | PPE alleges >$5,000 in investigation and security assessment costs incurred in response to the intrusion | Defendants argue costs are not tied to computer impairment/damage and thus insufficient | Court: statutory definition of loss includes reasonable costs responding to an offense; PPE’s allegation of >$5,000 in investigation/security costs suffices for §§1030(a)(2)(C) and (a)(4). But PPE failed to plead “damage” as required by §1030(a)(5)(C); that claim dismissed without prejudice |
Key Cases Cited
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (plausibility standard for pleadings)
- Ashcroft v. Iqbal, 556 U.S. 662 (application of Twombly plausibility standard)
- In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518 (N.D. Ill. 2011) (narrow view treating ECS providers as underlying transport providers)
- Devine v. Kapasi, 729 F. Supp. 2d 1024 (N.D. Ill. 2010) (network providing passworded on-site/remote access and email can qualify as ECS)
- Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004) (analysis distinguishing types of electronic storage under SCA)
- Motorola, Inc. v. Lemko Corp., 609 F. Supp. 2d 760 (N.D. Ill. 2009) (CFAA loss may include costs of responding to an offense)
- Farmers Ins. Exch. v. The Auto Club Grp., 823 F. Supp. 2d 847 (N.D. Ill. 2011) (mere access to data does not by itself constitute CFAA damage)
