Teva Pharm. USA, Inc. v. Sandhu
291 F. Supp. 3d 659
E.D. Pa. 2018
Background
- Teva alleges former senior director Barinder Sandhu emailed and copied confidential Teva regulatory documents (including an FDA Complete Response Letter and a spreadsheet of regulatory status) to Jeremy Desai, CEO of competitor Apotex; Teva fired Sandhu and sued Sandhu, Desai, and Apotex.
- Teva asserted claims under the CFAA, the Defend Trade Secrets Act (DTSA), Pennsylvania Uniform Trade Secrets Act (PUTSA), and state torts (conversion, unfair competition, tortious interference, breach of fiduciary duty, aiding and abetting).
- Teva’s internal investigation found ~900 Teva files in a personal cloud folder and evidence of emails and USB downloads to Sandhu’s devices.
- Defendants moved to dismiss for failure to state CFAA liability (insufficient allegations of unauthorized access or recoverable loss) and challenged several state-law claims as preempted or inadequately pleaded.
- The court dismissed Teva’s CFAA claim against Sandhu (insider who was authorized to access the data) but allowed CFAA claims to proceed against Desai and Apotex on an indirect-access theory; it allowed DTSA/PUTSA and most state-law claims to proceed, with some dismissals (e.g., conversion as to outsiders) and procedural rulings (injunctive-count dismissal as redundant).
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether an employee who had authorized access but misused information can be liable under the CFAA | Sandhu’s misuse of Teva data constitutes "exceeding authorized access" under the CFAA | Defendants: CFAA prohibits unauthorized access only; an employee authorized to access data cannot be liable for later misuse | Court: No — adopts the narrow view: CFAA covers obtaining information beyond authorization, not improper use by an authorized insider; CFAA claim against Sandhu dismissed |
| Whether outsiders who receive stolen data from an authorized insider can be liable under the CFAA | Teva: Desai and Apotex knowingly received misappropriated data and thus are liable | Desai/Apotex: lacked direct access; Teva fails to plead they accessed protected computers | Court: Yes — outsiders may be liable under an indirect-access/inducement theory; CFAA claim against Desai and Apotex survives |
| What qualifies as "loss" under the CFAA for the $5,000 threshold and recoverable damages | Teva: investigation costs and other harms caused by the data transfer are recoverable even without service interruption | Defendants: recoverable loss must be tied to an interruption of service | Court: "Loss" has two categories — (1) reasonable costs responding to an offense (recoverable even without service interruption); (2) revenue lost/costs/consequential damages (recoverable only if caused by interruption of service) |
| Whether DTSA/PUTSA and related state claims were sufficiently pleaded and/or preempted | Teva: identified confidential documents and alleges continuing use after DTSA effective date; alternative tort theories exist | Defendants: DTSA inapplicable (misappropriation pre-dated DTSA) and PUTSA preempts common-law torts | Court: DTSA covers continuing post-enactment use; trade-secret claims adequately pleaded; PUTSA preemption not decided at dismissal — common-law tort claims may proceed as alternative theories |
Key Cases Cited
- Ashcroft v. Iqbal, 556 U.S. 662 (plausibility standard for Rule 12(b)(6))
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (pleading standards and plausibility)
- WEC Carolina Energy Sols., LLC v. Miller, 687 F.3d 199 (4th Cir.) (adopts narrow CFAA view: misuse by authorized insider not covered)
- United States v. Nosal, 676 F.3d 854 (9th Cir. en banc) (narrow interpretation of CFAA, focusing on access not use)
- LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.) (insider authorization bars CFAA liability absent exceeding access)
- Brown Jordan Int’l, Inc. v. Carmicle, 846 F.3d 1167 (11th Cir.) (CFAA "loss" has two categories; not all losses require service interruption)
- Yoder & Frey Auctioneers, Inc. v. EquipmentFacts, LLC, 774 F.3d 1065 (6th Cir.) (interprets CFAA loss definition as two-part)
- A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630 (4th Cir.) (CFAA loss includes response costs independent of service interruption)
- United States v. MacEwan, 445 F.3d 237 (3d Cir.) (definition of "protected computer" in CFAA contexts)
