Lime Crunch Inc. v. Johansen
1:20-cv-05709
N.D. Ill.
Sep 30, 2022
Check Treatment
Docket

LIME CRUNCH INC. and NOW MARKETING SERVICES INC. v. CHRISTOPHER JOHANSEN

No. 20 C 5709

IN THE UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION

September 30, 2022

Judge Virginia M. Kendall

Case: 1:20-cv-05709 Document #: 43 Filed: 09/30/22 Page 1 of 12 PageID #:857

MEMORANDUM OPINION AND ORDER

At one point in time, Matthew Hanni and Defendant Christopher Johansen had a solid working relationship. Hanni had two web design companies and Johansen was a salesman for those companies and was paid on commission. For some reason, their working relationship ended on unfriendly terms and Hanni has filed a number of lawsuits against Johansen. In this most recent litigation, Plaintiffs, Lime Crunch, Inc. (“Lime Crunch”) and Now Marketing Services, Inc. (“Now Marketing”), sued Johansen for violating the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM Act”), 15 U.S.C. § 7704, and the Computer Fraud and Abuse Act of 1986 (“CFAA”), 18 U.S.C. § 1030. Johansen moved for summary judgment. (Dkt. 25). Because Plaintiffs failed to put forward sufficient evidence to establish standing under either statute, Defendant‘s motion [25] is granted.

BACKGROUND

Matthew Hanni owns both Plaintiff corporations, Lime Crunch, Inc. (“Lime Crunch”) and Now Marketing Services, Inc. (“Now Marketing”). (Dkt. 31 ¶ 1). Hanni operates the businesses from his personal residence and does not hold a degree in computer science or computer security. (Id.). Hanni also does not employ anyone with a degree or certification in computer science or computer security. (Id.). Plaintiffs provide services such as graphic design and web development. (Id. ¶ 2). Christopher Johansen and Matthew Hanni were formerly friends and business associates, and Now Marketing employed Johansen as a salesman. (Id. ¶ 3). Johansen received pay on a commission basis for his work for Now Marketing. (Id. ¶ 4). While employed, Johansen utilized an email address provided to him by Now Marketing, cjohansen@nowms.com, to fulfill his obligations. (Id.). Now Marketing also provided Johansen with a Lenovo Laptop in 2017, which the corporation subsequently retrieved and did not replace. (Id. ¶ 5).

Following Johansen‘s “less than amicable split”1 from Now Marketing, he sent the following email to a list of 102 contacts2 from his personal Gmail account:

Hi,

As you have probably heard I am no longer with Now Marketing Services, Inc. I wish them the best in their endeavors.

I am currently going out on my own so I can provide cutting edge digital marketing services and more to my clients and local business owners.

If you have time to meet in the next few weeks I would love to get together with you in person to discuss your current marketing goals and help you achieve those.

Committed to your Success,

Christopher Johansen.

(Id. ¶ 8; Dkt. 26-1 Ex. 1). Included amongst the recipients of this email were corporate email addresses hosted by Plaintiffs. (Id. ¶ 9). Johansen went on to send several other “blasts” to his contact list, including these corporate email addresses. (Id. ¶ 10).3

Johansen‘s login credentials for the assigned email, cjohansen@nowms.com, were revoked after his split from Now Marketing. (Id. ¶ 11). As a result, his email stopped working on his personal laptop and cell phone. (Id.). Defendant claims he did not “go back into the Microsoft Outlook settings on his devices in order to disable the auto-connect features related to his former work email account. As Defendant now understands the facts, his old email thus continued to automatically ‘ping’ the Plaintiffs’ email server looking to connect every time Defendant opened his Microsoft Outlook program.” (Id. ¶ 12). Plaintiffs responded in their Rule 56.1 answers: “Disputed in part. Plaintiffs lack knowledge sufficient to form a belief as to what Defendant‘s understanding is.” (Dkt. 31 ¶ 12). Plaintiffs do admit the underlying substance of this claim in their response memorandum, however, stating one of the agreed upon facts is: “Defendant‘s phone or other devices attempted to access [Now Marketing‘s] email server thousands of times subsequent to the termination of his business relationship with the Company.” (Dkt. 30 at 3).

The Defendant requested from each Plaintiff “[a]ll receipts, proofs of payment invoices, payroll records, and other documents relating, or in any way supporting, [their] claim of financial damage or injury in [this case].” (Dkt. 31 ¶ 15; Dkt. 26 Ex. 2; Dkt. 26 Ex. 3). In response, Plaintiffs produced forty-three invoices to LimeCrunch from ‘CloudLinux’ for subscription purchases billed to matt@limecrunch.com, ranging from $1.40 per month to $45 per month.4 (Dkt. 31 ¶ 16; Dkt. 26 Ex. 2; Dkt. 26 Ex. 3). The response also included seventeen invoices billed to matt@limecrunch.com from “ipgeolocation via Paddle.com” at the price of $15.75 per month. (Id.). Now Marketing produced no documents in response to the request by Defendant for costs and expenses incurred by Now Marketing. (Id. ¶ 17). Instead, Plaintiffs claim without citation to any evidence in the record, “[t]he costs and expenses incurred by [Now Marketing] in connection herewith relate to the expenditure of Mr. Hanni‘s time and effort and have been previously enumerated in Plaintiff‘s mandatory initial disclosures tendered to Defendant.” (Id.).

STANDARD OF REVIEW

Summary judgment is proper when “the pleadings, the discovery and disclosure materials on file, and any affidavits show that there is no genuine issue as to any material fact and that the movant is entitled to judgment as a matter of law.” Fed. R. Civ. P. 56. In determining whether a genuine issue of material fact exists, the Court must view the evidence and draw all reasonable inferences in favor of the party opposing the motion. See ; see also . However, the Court will “limit its analysis of the facts on summary judgment to evidence that is properly identified and supported in the parties’ [Local Rule 56.1] statement.” .

DISCUSSION

A. Count I: Violations of CAN-SPAM Act of 2003, 15 U.S.C. § 7704

Plaintiff Lime Crunch alleges in Count I that Defendant violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM Act”). 15 U.S.C. § 7704. In the CAN-SPAM Act, Congress provided standing for “adversely affected” providers of “Internet Access Service.” 15 U.S.C. § 7706(g). Defendant argues Plaintiff Lime Crunch lacks standing both for failure to demonstrate its status as an Internet access service provider and for failure to demonstrate Lime Crunch was “adversely affected.” (Dkt. 27).

The term “Internet access service” is defined in the CAN-SPAM Act as “a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers.” 15 U.S.C. § 7706(g); 15 U.S.C. § 7702(11); 47 U.S.C. § 231(e)(4). Lime Crunch disputes Defendant‘s characterization that “owing to the relatively modest size of [Lime Crunch‘s] business, the manner by which it came to control and house its servers, and the education level of its founder and chief executive, that the protections expressly afforded to internet access service providers under the CAN-SPAM Act do not apply to them.” (Dkt. 30). Lime Crunch however presents no contrary evidence to support qualification as an IAS provider. When the status of a plaintiff as an IAS provider is reasonably in question, the Ninth Circuit found courts should “closely examine the alleged harms attributable to spam.” .

Congress requires an IAS provider filing suit under the CAN-SPAM Act be “adversely affected” by a violation of § 7704(a)(1), (b), or (d) or by a “pattern or practice that violates paragraph (2), (3), (4), or (5) of section 7704(a) of this title.” 15 U.S.C. § 7706(g)(1). Paragraphs (2) through (5) of § 7704(a) of the CAN-SPAM Act prohibit deceptive subject headings, transmission of commercial email after objection, exclusion of a return email address or other opt-out provisions, and exclusion of identification of an email as an advertisement or a valid physical postal address of the sender. 15 U.S.C. § 7704(a)(2)–(5). Lime Crunch argues Johansen‘s actions amount to a pattern or practice within the meaning of § 7706(g)(1). (Dkt. 30). Lime Crunch does not allege the emails had materially false or materially misleading headers (§ 7704(a)(1)), were the result of harvesting (§ 7704(b)), or included sexually oriented material (§ 7704 (d)).

For support, Lime Crunch points to Johansen‘s admission that he sent multiple emails to Lime Crunch‘s server, including one that lacked the opt-out provisions and physical address required by the Act. (Dkt. 30). Lime Crunch argues that because the statutory language sets no minimum number of emails for liability, the Court should deny summary judgment and allow Plaintiffs to move forward with electronic discovery on how many emails Johansen sent. (Id.). Certainly, Rule 56(d) permits deferral of summary judgment where the non-movant puts forward by affidavit or declaration specific reasons as to why certain information is unavailable to justify its opposition. Yet, here, Plaintiff failed to provide any such explanation in the declaration of Hanni beyond stating, “I learned only of the three unique spam emails referenced in the Complaint when my clients advised me of their receipt of same. I have not yet ascertained the total number of spam messages transmitted by Defendant over the LCI email server and cannot do so without additional discovery in this case.” (Dkt. 31 Ex. 1 ¶ 21).

In passing the CAN-SPAM Act, Congress intended “to limit enforcement actions to those best suited to detect, investigate, and, if appropriate, prosecute violations of the CAN-SPAM Act those well-equipped to efficiently and effectively pursue legal actions against persons engaged in unlawful practices and enforce federal law for the benefit of all consumers.” See . If Lime Crunch operates as an IAS provider, the corporation should be able to put forward evidence of a “pattern or practice” at this point in the litigation.

Lime Crunch alleges in the Complaint that the emails sent by Defendant “adversely affected Lime Crunch‘s server response time, led to higher bandwidth utilization, and forced the company to devote its limited human resources and labor to assess and mitigate the impact of these unlawful communications.” (Dkt. 1 ¶ 30). In its answer to the Defendant‘s Local Rule 56.1 statement, Plaintiff claims, “In order to remediate the potential technical adverse effects of spam—including without limitation the intrinsic reductions of available bandwidth and server response time—I spent time managing, deploying, and updating customizing spam filters on behalf of [Lime Crunch]. The infiltration of spam on an email server does incalculable damage to customer confidence. Accordingly, I spent time on the telephone with clients to address their concerns regarding the spam messages sent by Defendant specifically.” (Dkt. 31 Ex. 1 ¶¶ 22–23).

The Ninth Circuit explained a harm under the CAN-SPAM Act should be “something beyond the mere annoyance of spam and greater than the negligible burdens typically borne by an IAS provider in the ordinary course of business. . . . We expect a legitimate service provider to secure adequate bandwidth and storage capacity and take reasonable precautions, such as implementing spam filters, as part of its normal operations.” ; see also (“While Plaintiff argues that employee time was spent on spam-related issues, Plaintiff concedes that it has no records detailing employee time. Plaintiff also spent money on email filtering, though the cost of email filtering did not increase due to the emails at issue. Such ordinary filtering costs do not constitute a harm.”).

It is beyond common sense that an adversely affected IAS provider could not present evidence of the harm beyond mere allegations. This Court has before it no reports or data demonstrating harm to the computers or servers at issue nor specifics about an alleged redirection of human resources. Damage to customer confidence is clearly not the type of harm Congress intended to address in passing the CAN-SPAM Act. Hanni‘s claim that he only learned of the three “spam emails” in the Complaint when clients advised him of their receipt of the emails further calls into question any claim of adverse effect. Although the full extent of the messages is disputed and Plaintiff calls for further discovery, it is clear any impact did not rise to the level of raising internal alarms beyond issues of customer confidence in the few instances noted. Plaintiff points to only three emails, attached to the Complaint, while Defendant admits to sending two additional emails wishing “Happy Halloween” and “Merry Christmas”, as well as “a few other ‘blasts’ to his contact list.” (Dkt. 1 Ex. 1–3; Dkt. 31 ¶ 10).

“To survive summary judgment, the non-moving party must show evidence sufficient to establish every element that is essential to its claim and for which it will bear the burden of proof at trial.” . “[T]he plain language of Rule 56(c) mandates the entry of summary judgment, after adequate time for discovery and upon motion, against a party who fails to make a showing sufficient to establish the existence of an element essential to that party‘s case, and on which that party will bear the burden of proof at trial.” . “One of the principal purposes of the summary judgment rule is to isolate and dispose of factually unsupported claims or defenses.” . The moving party has the initial burden of demonstrating the absence of a genuine issue of material fact. . After doing so, the non-moving party must show there is a genuine issue for trial by doing “more than simply show[ing] there is some metaphysical doubt as to the material facts.” .

Lime Crunch cannot survive summary judgment by simply arguing against Defendant‘s claims without providing evidence to the contrary. See . Lime Crunch fails to provide sufficient evidence to support a claim that the corporation was “adversely affected” as required to establish standing under the CAN-SPAM Act. As such, Defendant‘s motion for summary judgment as to Count I is granted.

B. Counts II & III: Violations of the CFAA of 1986, 18 U.S.C. § 1030

Plaintiff Now Marketing brings Count II and Count III under the Computer Fraud and Abuse Act of 1986 (“CFAA”). 18 U.S.C. § 1030. The CFAA limits civil actions to unlawful computer access resulting in damage and loss of at least $5,000. 18 U.S.C. § 1030(g); 18 U.S.C. § 1030(e)(8) & (11). In Count II, Now Marketing alleges Defendant violated the CFAA by gaining “Unauthorized Email Server Access” resulting in damages over $5,000. (Dkt. 1 at 6–7). In Count III, Now Marketing alleges Defendant violated the CFAA by gaining “Unauthorized Web Server Access” resulting in damages over $5,000. (Dkt. 1 at 7–9). Plaintiff does not claim in either count that “access” was obtained but rather that Defendant attempted to access the email server and web server. (Id. at 6–9). However, Plaintiff fails to produce evidence demonstrating the minimum required financial loss is satisfied under either count.

Congress designed and narrowly tailored the CFAA to computer crimes that rise to a level where a compelling federal interest exists. See (citing 132 Cong. Rec. S14453 (daily ed. Oct. 1, 1986) (statement of co-sponsor Sen. Trible) (“This bill will assert Federal jurisdiction over computer crimes only in those cases in which there is a compelling Federal interest. This reflects my belief and the Judiciary Committee‘s belief that the States can and should handle most such crimes, and that Federal jurisdiction in this area should be asserted narrowly.”)); see also .

The CFAA provides for a private right of action “only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).” 18 U.S.C. § 1030(g). These subclasses are:

  1. loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
  2. the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
  3. physical injury to any person;
  4. a threat to public health or safety;
  5. damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security.

18 U.S.C. § 1030(c)(4)(A)(i)(I-V). The parties argue over whether a private right of action is authorized for an attempt to access a server. However, the Court need not delve into this specific statutory interpretation considering the complete lack of evidence for meeting the statutory minimum in damages.

The term “loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). The term “damage” is defined in the CFAA as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). Courts have interpreted the term loss as defined by “costs” to the victims, which are “expenditures to address or remedy the violation.” ; see also (“[C]osts not related to computer impairment or computer damages are not compensable under the CFAA.”) (citations omitted). In support of meeting the minimum for loss, Plaintiff admits no documents “were produced in connection with the costs and expenses incurred by [Now Marketing].” (Dkt. 30 ¶ 17).

Plaintiff‘s memorandum response offers only, “the Record consists of credible, specific evidence that Plaintiffs sustained damage or loss as a consequence of the conduct alleged in Counts II and III of the Complaint,” citing to three paragraphs in Hanni‘s declaration. In this portion of Hanni‘s declaration he claims:

20. These consistent brute force attacks on the nowms.com email server required me to dedicate—at NOWMS‘s expense—a conservative estimate of an additional 1.0 hour per week for the nearly three years that they persisted. The value of that additional labor alone, at my normal rate of $95 per hour, is equal to approximately $14,250.00.

29. Thus, it was necessary to dedicate approximately 2 hours weekly at a cost of $95 per hour to the analysis of server vulnerabilities and access logs, a practice which remains ongoing due to the continued—but now anonymously sourced—attacks on the server. Accordingly, the value of my labor devoted to the prevention of a crippling attack to my companies is equal to approximately $25,000 to date

30. I also made expenditures to upgrade to a hardened operating system ($540 annually), purchased additional security software and bulk IP lookup subscriptions (approximately $372 annually), and developed scripts to identify IP addresses from which attacks were originating ($200).

(Dkt. 31 Ex. 1 ¶¶ 20, 29–30).

Hanni‘s allegations made without any supporting evidence are entirely insufficient to survive summary judgment, the point in litigation where the non-moving party “must show evidence sufficient to establish every element that is essential to its claim and for which it will bear the burden of proof at trial.” . Now Marketing does not place into the record any invoices, time logs, or further details about the work that was supposedly conducted by Hanni amounting to the alleged costs. Furthermore, while Hanni disputes the pings were “unsuccessful” even though access was never granted, Hanni cites only to a copy of logs documenting the “pings,” which provides no basis for finding these “pings” resulted in an investigation or other damages. (Dkt. 31 ¶¶ 26–27; Dkt. 31 Ex. 6). Instead, it appears that the mechanisms in place successfully blocked the attempted access. “In response to a summary judgment motion . . . the plaintiff can no longer rest on such ‘mere allegations,’ but must ‘set forth’ by affidavit or other evidence ‘specific facts.‘” . While Hanni advances claims of expenditures in his declaration, the claims lack entirely any specificity regarding time spent or work conducted. Defendant‘s motion for summary judgment on Counts II and III is granted.

CONCLUSION

For the foregoing reasons, Defendant‘s motion for summary judgment [25] is granted. Plaintiffs Lime Crunch and Now Marketing fails to establish the elements required for standing under the CFAA and CAN-SPAM Act. 15 U.S.C. § 7704; 18 U.S.C. § 1030

Virginia M. Kendall

United States District Judge

Date: September 30, 2022

Notes

1
Defendant writes in his Local Rule 56.1 statement that there was a “less than amicable split.” (Dkt. 26 ¶ 7). Plaintiffs state in their Local Rule 56.1 answers: “Plaintiffs dispute each purported material fact contained in paragraph 7.” (Dkt. 31 ¶ 7). Plaintiffs then admit in their memorandum response that one of the agreed upon facts is: “The business relationship between Defendant and [Now Marketing] ended less than amicably.” (Dkt. 30 at 3).
2
Plaintiffs dispute this number, claiming that the original email‘s “To:” field was left empty by Defendant, resulting in a lack of knowledge as to the quantity or identity of recipients. However, Defendant attached this email as Exhibit 1, supporting this claim.
3
Plaintiffs again dispute the claims in Dkt. 31 ¶¶ 9–10 since the original email‘s “To:” field was left empty by Defendant, and therefore Plaintiffs lack knowledge as to the quantity or identity of recipients. However, Plaintiffs then admit this fact in their memorandum response, stating as an agreed upon fact: “After this split with [Now Marketing], Defendant sent from his Gmail account a number of commercial emails to a number of recipients whose email was hosted on Plaintiff [Lime Crunch‘s] email server.” (Dkt. 30 at 3).
4
The Exhibits attached by Defendant evidence thirty expenditures of $45.00, eight expenditures of $15.40, four expenditures of $14.00, and one expenditure of $1.40.
Read the detailed case summary