698 F. Supp. 2d 1309 | M.D. Fla. | 2010
CLARITY SERVICES, INC., Plaintiff,
v.
Dean BARNEY, Defendant.
United States District Court, M.D. Florida, Tampa Division.
*1310 Christopher Thomas Abrunzo, Cody Fowler Davis, Davis & Harmon, PA, Richard George Salazar, Fowler White Boggs, Tampa, FL, for Plaintiff.
Ryan D. Barack, Kwall, Showers & Barack, PA, Clearwater, FL, for Defendant.
ORDER
STEVEN D. MERRYDAY, District Judge.
Clarity Services, Inc., ("Clarity") sues (Doc. 1) Dean Barneya former employeefor "breach of employee duty of loyalty," conversion, fraudulent misrepresentation, and violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Barney moves (Doc. 24) for summary judgment, and Clarity responds (Doc. 35) in opposition.
Standard of Review
Summary judgment is proper if the evidence shows "that there is no genuine issue as to any material fact and that the movant is entitled to judgment as a matter of law." Rule 56(c), Federal Rules of Civil Procedure. A disputed fact is material if the fact "might affect the outcome of the suit under the governing law." Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248, 106 S. Ct. 2505, 91 L. Ed. 2d 202 (1986). A dispute is genuine "if the evidence is such that a reasonable jury could return a verdict for the non-moving party." Anderson, 477 U.S. at 248, 106 S. Ct. 2505. The movant bears the burden of establishing the absence of a dispute over a material fact. Reynolds v. Bridgestone/Firestone, Inc., 989 F.2d 465, 469 (11th Cir.1993). The evidence and factual inferences from the evidence are construed favorably to the party opposing summary judgment. Reynolds, 989 F.2d at 469.
Background
A. Employment
In 2007, Tim Ranney recruited Barney to work for CL Verify, a credit bureau based out of Pinellas County, Florida. Barney worked for CL Verify from his home office in Utah. In February, 2008, Barney and Ranney discussed a new venture, and in early April, 2008, Ranney resigned from CL Verify and formed the new venture, which eventually became Clarity Services, Inc. (the plaintiff in this case). Barney resigned from CL Verify in April but agreed to assist CL Verify "in interviewing and hiring a replacement for [his] position and transitioning the duties of that position." (Doc. 27 at 14) Although Barney thought that CL Verify would cease paying him after his resignation, *1311 Barney continued to receive monthly paychecks from CL Verify.
Upon learning of Barney's formal resignation from CL Verify, Ranney offered Barney a job at Clarity. On May 15, 2008, Barney began working for Clarity from his home office in Utah. However, Barney informed Ranney that Barney would continue to perform "transition" work for CL Verify. Over the next several months, Barney worked almost exclusively for Clarity. However, Barney interviewed three candidates to replace him at CL Verify. CL Verify offered the job to each candidate, but each candidate declined the offer.
In September, 2008, Barney attended a sales meeting for CL Verify in Kennesaw, Georgia. CL Verify asked Barney to attend the meeting to discuss CL Verify's clients with CL Verify's salesmen. Ranney discovered that Barney attended the meeting, and on September 30, 2008, Ranney called Barney to confront him about attending the CL Verify meeting. During the phone call, Barney resigned from Clarity. Ranney remembers no detail about the conversation other than Barney's resignation. (Doc. 28 at 14)
B. Technological Detail
As the "director of analytics" for Clarity, Barney required a computer and software to analyze consumer credit data from Clarity's clients. At the end of May, 2008, Barney purchased a laptop computer, and Clarity reimbursed Barney for the cost of the laptop. Although Barney had resigned from CL Verify, Barney also kept in his home office a laptop provided by CL Verify. Barney testified in his deposition that he used the Clarity laptop exclusively for Clarity business and the CL Verify laptop exclusively for CL Verify business. (Doc. 27 at 12)
Shortly after hiring Barney, Ranney purchased a server at the Consonus Data Center in Salt Lake City, Utah. Barney used the Clarity laptop as a terminal to retrieve the data on the server. Barney testified that all the consumer data "would be transmitted to and from that server for analytics. . . . So every step was made not to ever expose that kind of [consumer credit] data." (Doc. 27 at 42-43)
While at Clarity, Barney used an email address provided by Clarity for all electronic correspondence with Clarity employees and clients. Clarity provided the email address through Google's mail service, which stores each email on a remote server. Barney testified that he never deleted emails (other than spam) from his email accounts. Barney testified that he stored no Clarity data on the laptop computer; Barney's Clarity emails remained on the remote Google server, and all of Clarity's consumer data remained on the Consonus server in Salt Lake City.
C. Post-resignation Events
In an October 2, 2008, email to Ranney, Barney stated:
I am prepared to send back the equipment. Do you wish me to hang on to equipment until you are comfortable with Certegy, ID Analytics, and TU? Would you like to trade equipment for final review of Certegy and ID Analytics data? I will need data from Certegy and ID Analytics to return to Darren Mower and Paydayisland. You can still use for your purposes of course. I saw the pricing from TransUnion . . . it is the best pricing I have seen . . . Jakub at Certegy is still looking for hard-copy of agreement. I will correspond from this point on through my personal email. . .
Dean.
(Doc. 28 at 34) Several hours later, Ranney responded, "Thanks for the note. Quite honestly this week, I haven't worried about the gear. I'm in the process of getting my hands around everything and will catch up with you early next week." *1312 (Doc. 28 at 34) The next morning, Ranney emailed Barney again:
Dean:
I have one housekeeping issue that I'd appreciate your help with. When you have a minute, would you send me an email or letter regarding your resignation. You can put anything you want in the letter, but for my purposes, it's the documentation from an accounting standpoint to tie to the termination of payroll for you.
Thanks,
Tim
(Doc. 28 at 35) That same morning, Barney called Jakub Petri, who worked for a Clarity client. Without divulging that he had resigned from Clarity, Barney asked Petri to email Barney an updated data file. Barney testified that he opened neither the email nor the data file. (Doc. 27 at 47) However, Brian Ketelson, a Clarity employee, examined Barney's email account and concluded that the email had been opened. (Doc. 29 at 10)
That afternoon, Barney received an email from Clarity's lawyer, which states:
I am counsel to Clarity Services, Inc., and have just been advised that you may have been engaged in a very serious form of business fraud and theft of data belonging to Clarity Services, Inc. I understand that you were formerly an employee of Clarity Services, Inc., but resigned your position on Tuesday of this week. Nevertheless, notwithstanding such resignation and without advising Certegy that you were no longer with Clarity, you subsequently induced Certegy to transmit such information to your former email address at Clarity, which you still had unauthorized access to. You had no right to receive that proprietary database information belonging to Clarity which is potentially worth hundreds of thousands, if not millions of dollars.
(Doc. 28 at 36) An hour later, Barney sent the following email to Ranney, Petri, and Clarity's lawyer:
To all parties:
I gave notice to Tim Ranney notifying him that I would continue the work of handling data relationships until further notification from Tim. I directed Jakub Petri to send a file this morning so that Tim and Clarity Services would have that file in his/their possession for future work. I was not aware [of] any trouble until the attached email [from Clarity's lawyer] was forward[ed] to me from Tim.
I can assure everyone that no data has been compromised. In fact, I have not [had] access to the file sent by Jakub this morning. Tim should be able to verify that the email that contains the file is in an "unread" status.
I apologize for causing any trouble or misunderstanding, the only intent was to help Tim continue work moving forward. I have not had contact with Tim Ranney, but from this time forward I will not contact or answer any calls from Clarity vendors.
Thanks,
Dean
(Doc. 28 at 37)
On or about October 3, 2008, Ranney asked Ketelson to discontinue Barney's access to his Clarity email account and the Consonus server. To discontinue Barney's access to the server, Ketelson contacted Consonus and received a phone call twenty minutes later confirming that Barney's access privileges had been removed. To discontinue Barney's access to the Clarity email service, Ketelson logged on as an administrator of the email system and suspended Barney's account. (Doc. 290 at 8) According to Ketelson, although the email account remains intact, Barney cannot retrieve any information from the account.
*1313 On Saturday, October 4, 2008, Barney decided to package the laptop and other equipment for shipment to Clarity's offices in Florida. Barney worried that "sensitive" consumer data might remain on the laptop. To prevent Clarity's "suffer[ing] any exposure if [the computer] was lost in transit,"[1] Barney "reset" the laptop. According to Barney, a user "resets" a laptop by booting the computer, pressing one of the function keys during startup, and selecting an option to "restore the computer back to factory state." (Doc. 27 at 44) Resetting the computer permanently deletes all information stored on the computer and re-installs the operating system.
In an October 5, 2008, email, Barney informed Ranney that the equipment was packed in three boxes and asked Ranney to arrange for delivery. On October 16, 2008, Ranney notified Barney that the three boxes of equipment had arrived at Clarity's offices in Florida. Upon receiving the boxes, Ranney asked Ketelson to inventory and examine the contents of the boxes.
D. Computer Forensics
Ketelson opened the three boxes, which contained two large monitors, a laptop, and power cables and other peripheral equipment for the laptop. (Doc. 29 at 16) Ketelson stored the monitors in a closet and then plugged in and turned on the laptop. Upon booting the laptop, Ketelson "observed that the laptop was reset into a condition where the out-of-box experience was triggered in Windows." Ketelson turned off the laptop, removed the hard drives, and began searching for a "data recovery vendor." (Doc. 29 at 17) Ketelson commissioned a data recovery vendor to analyze the hard drives, and the vendor stated that the drives "had been zeroed out, which is a term in the computer industry for a drive that had beenzeros had written to the blank sectors so that no data on the drive could be recovered." (Doc. 29 at 17) Several months later, Ketelson asked the vendor to conduct a full forensic analysis on the hard drives. The vendor determined that someone used a utility "to physically zero out the drives," but the vendor could not determine when the drives were erased. Ketelson could identify no information that Barney had removed from the Consonus server. (Doc. 29 at 14).
Discussion
Although primarily a criminal statute, the Computer Fraud and Abuse Act provides a civil remedy to any person who suffers damage or loss from a violation of the Act. See 18 U.S.C. 1030(g). To recover, Clarity must prove that Barney (1) intentionally "accessed" a computer, (2) lacked authorization or exceeded his authorized access to the computer, (3) obtained information from the computer, and (4) caused a loss of at least $5,000.00 to Clarity. See 18 U.S.C. 1030(a)(2)(C).[2] Clarity alleges that Barney violated the Act by (1) reading the email from Jakub Petri after resigning from Clarity and (2) resetting the Clarity-issued laptop.
*1314 A. Reading the Email
Construed favorably to Clarity, the summary judgment evidence shows that Barney intentionally "accessed" a protected computer and "obtained information" by reading the email from Jakub Petri. However, the parties dispute whether Barney read the email "without authorization" or "exceeded his authorization" by reading the email after resigning. Clarity argues that Barney's authorization to retrieve his email terminated at the moment he resigned from Clarity. Barney argues that his authorization terminated when Ketelson suspended the email account on October 3, 2008. Because Clarity fails to show that Barney attempted to access the email account after Ketelson suspended the account, Barney argues that he neither accessed the account without authorization nor exceeded his authorized access. The parties' argument reveals a split of authority defining "authorization" under the Computer Fraud and Abuse Act.
Clarity relies on an expansive, agency definition of "authorization" promoted in International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir.2006), and Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1125 (W.D.Wash.2000). Citrin held that an employee's "authorization to access the [employer's] laptop terminated when, having already engaged in misconduct and decided to quit [his employment] in violation of his employment contract, [the employee] resolved to destroy files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee." 440 F.3d at 420. The employee's "breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship." 440 F.3d at 420-21.
Barney relies on a narrower definition of authorization "[A] violation for accessing "without authorization" occurs only where initial access is not permitted. And a violation for "exceeding authorized access" occurs where initial access is permitted but the access of certain information is not permitted." Diamond Power Int'l, Inc. v. Davidson, 540 F. Supp. 2d 1322, 1343 (N.D.Ga.2007). Both the Ninth Circuit and an array of district courts approve this narrower definition.[3]
*1315 As Judge Presnell persuasively argues in Lockheed Martin Corp. v. Speed, 2006 WL 2683058, at *5-6 (M.D.Fla.2006), the narrower definition implements the plain meaning of the statutory language:
The term, "without authorization," is not defined by the CFAA. Nonetheless, "authorization" is commonly understood as "[t]he act of conferring authority; permission." The American Heritage Dictionary, 89 (1976). On the other hand, the CFAA defines "exceeds authorized access" as follows: "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter[.]" 18 U.S.C. § 1030(e)(6). The CFAA targets access "without authorization" in six separate offenses (§§ 1030(a)(1), (a)(2), (a)(3), (a)(4), (a)(5)(ii), (a)(5)(iii)), only three of which also reach persons "exceeding authorized access" (§§ 1030(a)(1), (a)(2), (a)(4)). Thus, it is plain from the outset that Congress singled out two groups of accessers, those "without authorization" (or those below authorization, meaning those having no permission to access whatsoevertypically outsiders, as well as insiders that are not permitted any computer access) and those exceeding authorization (or those above authorization, meaning those that go beyond the permitted access granted to themtypically insiders exceeding whatever access is permitted to them)....
Citrin relegates the work performed by "exceeds authorized access" to those outside the principal-agent relationship (e.g., ex-employee) that are permitted a minimum level of access to a computer, and then exceed that access. But this effectively turns the plain reading of the statutory definition of "exceeds authorized access" on its head. The statutory definition appears purposefully aimed at the company insider that already has authorizationnot the non-agent outsider with public access to a company website. Citrin agreed that the CFAA's distinguished use of "without authorization" and "exceeds authorized access" resulted in "[m]uddying the picture some." In this Court's view, the plain meaning brings clarity to the picture and illuminates the straightforward intention of Congress, i.e., "without authorization" means no access authorization and "exceeds authorized access" means to go beyond the access permitted. While Citrin attempts to stretch "without authorization" to cover those with access authorization (albeit those with adverse interests), Congress did not so stipulate.[4]
*1316 Furthermore, if an employee's authorization terminates at the moment the employee acquires an interest adverse to the employer, an employee who checks personal email at work commits a federal crime. See Orin Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1634 (2003) (explaining that the agency theory of authorization extends liability to "an employee's use of an employer's computer for anything other than work-related activities."). A strikingly broad interpretation of a criminal statute, the agency definition violates the rule of lenity, which requires a narrow construction of ambiguous terms in a criminal statute. LVRC Holdings, LLC v. Brekka, 581 F.3d 1127, 1134-35 (9th Cir.2009) (rejecting the agency definition of authorization because "the rule of lenity, which is rooted in considerations of notice, requires courts to limit the reach of criminal statutes to the clear import of their text and construe any ambiguity against the government."); Lockheed Martin, 2006 WL 2683058, at *7 (noting that the agency definition of authorization "is especially disconcerting given that the CFAA is a criminal statute with a civil cause of action. To the extent `without authorization' or `exceeds authorized access' can be considered ambiguous terms, the rule of lenity, a rule of statutory construction for criminal statutes, requires a restrained, narrow interpretation.").
Clarity's claim fails under the narrow definition of authorization. Clarity presents no evidence that Barney lacked authorization to read the email from Jakub Petri or that Barney exceeded his authorized access by reading the email. Although he resigned from Clarity on September 30, 2008, Barney retained full access to the Clarity email account until October 3, 2008, when Ketelson suspended the account. Clarity presents no evidence that Barney attempted to access his email account after October 3, 2008.
B. Resetting the Laptop
Clarity also argues that Barney "accessed and `scrubbed' Clarity data after he had terminated his employment with Clarity, and thus, exceeded his authorized access under the CFAA." (Doc. 35 at 7) Favorably construed, the summary judgment evidence establishes that Barney "accessed" the laptop by booting the laptop and restoring the laptop's factory settings. However, Clarity presents no evidence that Barney "obtained" any information from the laptop; Barney merely deleted all the information.
Furthermore, Clarity fails to establish that Barney exceeded his authorized access to the laptop. To show that Barney exceeded his authorized access to the laptop or accessed the laptop without authorization, Clarity must evidence an attempt to restrict Barney's access to the laptop. The record reveals that Barney enjoyed unrestricted access to all of the information on the laptop throughout his employment. Barney could read, modify, or delete any file on the laptop. Furthermore, Clarity failed to impose any restriction on Barney's access to the laptop after he resigned. Instead, Ranney dismissed Barney's first attempt to return the laptop. Ranney stated, "Quite honestly this week, I haven't worried about the gear. I'm in the process of getting my hands around everything and will catch up with you early next week." (Doc. 28 at 34) Because Barney enjoyed unrestricted access to the information on the laptop when he reset the laptop, Barney neither accessed the laptop "without authorization" nor "exceeded his authorized access" to the laptop.
Construed favorably to Clarity, the summary judgment evidence fails to establish that Barney (1) "accessed" his email account or the laptop without authorization or (2) exceeded his authorized access to the email account or the laptop. Furthermore, *1317 Clarity fails to show that Barney "obtained" any information from the laptop before restoring the laptop's factory settings. Accordingly, Barney's motion for summary judgment is GRANTED with respect to Count I.
Conclusion
Barney's motion (Doc. 24) for summary judgment is GRANTED IN PART as to Count I and otherwise DENIED WITHOUT PREJUDICE. Pre-trial disposition of the Computer Fraud and Abuse Act claim, the sole basis for federal jurisdiction over this lawsuit, presents an occasion for discretion in exercising subject matter jurisdiction over Clarity's remaining claims. See 28 U.S.C. § 1367(c)(3). Supplemental jurisdiction over Clarity's state law claims in Counts II, III, and IV is DECLINED, and Clarity's state law claims are DISMISSED WITHOUT PREJUDICE.[5]See Giordano v. City of New York, 274 F.3d 740, 755 (2d Cir.2001); Hankins v. The Gap, Inc., 84 F.3d 797, 802-03 (6th Cir. 1996) (stating that summary judgment for the defendant on federal claims warrants declining exercise of supplemental jurisdiction over pendent state claims); Bradley Scott Shannon, A Summary Judgment Is Not a Dismissal!, 56 Drake L.Rev. 1, 12 (2007) ("[F]ederal courts overwhelmingly have held, pursuant to § 1367(c)(3), that jurisdiction of supplemental claims may be declined following a grant of summary judgment as to a plaintiff's original claims.") (collecting cases). The motions in limine (Docs. 45 and 46) and the motions to allow electric equipment into the courtroom (Docs. 49, 50, and 51) are DENIED AS MOOT. The Clerk is directed to (1) enter judgment against Clarity and in favor of Barney on Count I, (2) terminate any pending motion, and (3) close the case.
NOTES
[1] Many states have enacted a data breach notification statute, which requires disclosure of a breach of the security of a database containing personal information. See, e.g., Section 817.5681, Florida Statutes; see also Brandon Faulkner, Hacking into Data Breach Notification Laws, 59 Fla. L. Rev. 1097 (2007) (analyzing the various state a federal approaches to regulating the companies that compile databases of personal identification information). Florida's statute imposes a $1,000 fine for "each day the breach goes undisclosed for up to 30 days and, thereafter, $50,000 for each 30-day period or portion thereof for up to 180 days." Section 817.5681(b)(3), Florida Statutes.
[2] Section 1030(a)(2)(C) proscribes "intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer."
[3] See, e.g., LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir.2009) (rejecting Citrin's analysis and stating, "No language in the CFAA supports [the employer's] argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer's interest."); Black & Decker, Inc. v. Smith, 568 F. Supp. 2d 929, 934-37 (W.D.Tenn.2008) (rejecting Citrin and Shurgard; "[The employee] was permitted access to [the employer's] network and any information on that network. The fact that [the employee] did not have permission to subsequently misuse the data he accessed by sharing it with any of his former employer's competitors is another matter that may be circumscribed by a different statute."); Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 967 (D.Ariz.2008) ("`A violation for accessing `without authorization' occurs only where initial access is not permitted. And a violation for `exceeding authorized access' occurs where initial access is permitted but the access of certain information is not permitted."); Diamond Power Int'l v. Davidson, 540 F. Supp. 2d 1322, 1342 (N.D.Ga.2007) (stating that a violation of the Computer Fraud and Abuse Act "does not depend upon the defendant's unauthorized use of information, but rather upon the defendant's unauthorized use of access" (emphasis in original)); Lockheed Martin Corp. v. Speed, 2006 WL 2683058, at *4-7 (M.D.Fla. Aug. 1, 2006); International Ass'n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 498 (D.Md.2005) ("[T]o the extent that [the employee] may have breached the Registration Agreement by using the information obtained for purposes contrary to the policies established by the [employer's constitution], it does not follow, as a matter of law, that she was not authorized to access the information, or that she did so in excess of her authorization in violation of the CFAA.").
[4] The narrower view is also consistent with the legislative history of the Computer Fraud and Abuse Act:
[I]n 1986 Congress amended the CFAA to substitute the phrase "exceeds authorized access" for the phrase "or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend." S.Rep.No. 99-432, at 9, U.S.Code Cong. & Admin.News 1986, pp. 2479, 2486. By enacting this amendment, and providing an express definition for "exceeds authorized access," the intent was to "eliminate coverage for authorized access that aims at `purposes to which such authorization does not extend,'" thereby "remov[ing] from the sweep of the statute one of the murkier grounds of liability, under which a [person's] access to computerized data might be legitimate in some circumstances, but criminal in other (not clearly distinguishable) circumstances that might be held to exceed his authorization." S.Rep.No. 99-432, at 21, U.S.Code Cong. & Admin.News 1986, pp. 2479, 2494-95.
International Ass'n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 499 (D.Md.2005).
[5] Pursuant to 28 U.S.C. § 1367(d), "The period of limitations for any claim asserted under [Section 1367(a)], and for any other claim in the same action that is voluntarily dismissed at the same time as or after the dismissal of the claim under [Section 1367(a)], shall be tolled while the claim is pending and for a period of 30 days after it is dismissed unless State law provides for a longer tolling period."