Gupta v. Franklin et al

Filing 42

MEMORANDUM OPINION AND ORDER that Defendants' motions to dismiss 12 , 13 and 14 are DENIED. Signed by Magistrate Judge Katherine P. Nelson on 11/9/17. (srr)

Download PDF
IN THE UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF ALABAMA SOUTHERN DIVISION SUNIL GUPTA, M.D., LLC, (d/b/a RETINA SPECIALITY INSTITUTE) Plaintiff, v. ALAN FRANKLIN, TRACY WILSON, and MONICA PAYTON Defendants. ) ) ) ) ) ) ) ) ) ) ) CIVIL ACTION NO. 17-00335-N MEMORANDUM OPINION AND ORDER On July 21, 2017, Plaintiff Sunil Gupta, M.D. LLC d/b/a Retina Specialty Institute (herein after “Plaintiff” or “RSI”) filed a two count complaint against Defendants Dr. Alan Franklin, Tracy Wilson, and Monica Payton (herein after referred to by their last names or as “Defendants”). (Doc. 1). According to the Complaint, this Court has jurisdiction over this matter pursuant to 28 U.S.C. § 1331, as Count One asserts a claim arising under the laws of the United States. The Court has supplemental jurisdiction over Count Two, a state law claim, pursuant to 28 U.S.C. §1367(a). The Complaint also states that this Court has diversity jurisdiction pursuant to 28 U.S.C. § 1332 as the amount in controversy exceeds $75,000 and the parties are citizens of different states. With the consent of the parties, the Court has designated the undersigned Magistrate Judge to conduct all proceedings and order the entry of judgment in this 1 civil action, in accordance with 28 U.S.C. § 636(c), Federal Rule of Civil Procedure 73, and S.D. Ala. GenLR 73. (See Docs. 27-28). Pursuant to Federal Rule of Civil Procedure 12(b)(6), Franklin filed a motion to dismiss both counts. (Doc. 12). Pro se Defendants Wilson and Payton have adopted Defendant Franklin’s motion. (Docs. 13-14). Plaintiff and Defendants filed a timely response and reply. (Doc. 18-19). Upon consideration, and for the reasons discussed herein, the motions to dismiss (Docs. 12, 13, and 14) are DENIED. BACKGROUND RSI is a Delaware limited liability corporation, formed by Sunil Gupta, M.D. Its principal place of business is in Escambia County, Florida. (Doc. 1 at 2). The membership of RSI is comprised of three physicians who are Florida citizens. (Doc. 1 at 2-3). RSI also employs a number of other physicians (ophthalmologists) specializing in the treatment of retina disease and injury. (Id.). Defendant Franklin, is a physician, former employee, former member, former and manager of RSI. (Doc. 1 at 3, ¶ 12). Defendants Wilson and Payton, both ophthalmic technicians, were formerly employed by RSI. (Id. at ¶¶ 13-14). All Defendants were employed at RSI’s Mobile, Alabama location. (Doc. 1 at 3). In February 2017, following an interview process and other preparations, Franklin accepted employment with Mobile Infirmary Medical Center, Diagnostic and Medical Clinic (“DMC”). In early March 2017, Wilson and Payton applied for employment with DMC. According to the Complaint, before resigning from employment with RSI, “…Franklin instructed Wilson and Payton to download 2 confidential RSI patient data from RSI’s practice management system on a portable hard drive provided by Franklin.” (Doc. 1 at 4, ¶19). Per the Complaint: Wilson and Payton used an RSI computer to log into RSI’s practice management system, which required a password and/or login credentials, and download confidential RSI patient data and other confidential RSI data. The confidential RSI patient information included patient names, addresses, phone numbers, medical notes, insurance information, and appointment schedules for tens of thousands of RSI patients….Franklin also downloaded, with the assistance of Payton and Wilson, retinal scans of a number of RSI patients from RSI’s network onto a portable hard drive supplied by Franklin….On the same day that Franklin, Wilson, and Payton downloaded the confidential RSI patient data from RSI’s practice management system, they provided the information to DMC so DMC would have contact information to use in communicating with patients after Dr. Franklin moved to DMC. (Doc. 1 at 4-5, ¶¶ 20-21). The Complaint alleges that there were RSI policies prohibiting such access and use, and that the Defendants knew about these policies. (Doc. 1 at 5, ¶¶ 22-23). Plaintiff alleges that Defendants’ conduct amounts to violations of the Computer Fraud and Abuse Act, codified at 18 U.S.C. § 1030 (Count One) and the Alabama Digital Crime Act, codified at Ala. Code §13A-8-112 (Count Two). STANDARD OF REVIEW When considering a Rule 12(b)(6) motion to dismiss, the Court must accept as true the allegations set forth in the complaint drawing all reasonable inferences in the light most favorable to the plaintiff. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555–56 (2007). Even so, a complaint offering mere “labels and conclusions” or “a formulaic recitation of the elements of a cause of action” is insufficient. Ashcroft v. Iqbal, 556 U.S 662, 678 (2009) (quoting Twombly, 550 U.S. at 555); accord Fin. Sec. 3 Assurance. Inc. v. Stephens, Inc., 500 F.3d 1276, 1282–83 (11th Cir. 2007). Further, the complaint must “contain sufficient factual matter, accepted as true, ‘to state a claim to relief that is plausible on its face.” ‘ Iqbal, 556 U.S. at 678 (citing Twombly, 550 U.S. at 570). Put another way, a plaintiff must plead “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. This so-called “plausibility standard” is not akin to a probability requirement; rather, the plaintiff must allege sufficient facts such that it is reasonable to expect that discovery will lead to evidence supporting the claim. Id. ANALYSIS I. Computer Fraud and Abuse Act (Count One) Count One alleges that all Defendants have violated the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §§ 1030 et seq., as follows: 28. Defendants intentionally accessed and downloaded confidential RSI patient information from RSI’s practice management system using RSI computers without authorization. 29. Defendants acted in concert with DMC to use the information for an improper purpose and in violation of RSI policies and procedures and applicable state and federal laws, including HIPAA 30. RSI’s computer network and practice management system that were wrongfully accessed by Defendants are used in interstate commerce. 31. Defendants’ unlawful actions have caused RSI to suffer loss and damages, including without limitation costs of responding to Defendants’ conduct, conducting a damage assessment, and other costs. RSI’s losses resulting from Defendants’ conduct exceed $5,000.00. 4 (Doc. 1, Complaint at 6). The Complaint also contains allegations that the Defendants were aware of RSI’s policies prohibiting RSI employees from downloading patient information for personal use or for use by anyone other than a RSI employee. (Doc. 1 at 5, ¶22-23). The policy prohibited RSI employees from downloading patient information without express approval from practice management. (Id.). The CFAA defines seven categories of conduct that can give rise to civil or criminal liability. Those seven categories of conduct are contained within § 1030(a)(1)-(7). Construing the allegations liberally, as detailed in its Complaint and response brief it appears Plaintiff is asserting that Defendants accessed a protected computer in excess of their authority to do so, with resulting damage and/or loss. (Docs. 1 and 18 at 4-5). Thus, the Court assumes Plaintiff is alleging that Defendants violated subsections (a)(2)(C), (a)(4), (a)(5) and/or (a)(6) of 18 U.S.C. § 1030, which provide in relevant part that civil liability may be imposed upon whoever: (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— … (C) information from any protected computer -or(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; 5 -or(5) (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss. or (6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if— (A) such trafficking affects interstate or foreign commerce…. 18 U.S.C. § 1030(a)(2)(C), (a)(4), (a)(5) and (a)(6). Though the CFAA is primarily a criminal statute, a civil cause of action may be brought under the CFAA pursuant to § 1030(g), which states: Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclause[] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware. 6 18 U.S.C. § 1030(g). Plaintiff’s complaint appears to rely upon subclause (I), which permits an action only if the plaintiff incurs a minimum “loss to 1 or more persons during any 1-year period…aggregating at least $5,000 in value[]” as a result of the defendant’s violation of the CFAA. 18 U.S.C. § 1030(c)(4)(A)(i)(I). (See Doc. 1, Complaint at ¶ 31). The CFAA provides that: the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offenses, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. 18 U.S.C. § 1030(e)(11). With regard to “loss,” The Court of Appeals for the Eleventh Circuit has held that The plain language of the statutory definition includes two separate types of loss: (1) reasonable costs incurred in connection with such activities as responding to a violation, assessing the damage done, and restoring the affected data, program system, or information to its condition prior to the violation; and (2) any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. See 18 U.S.C. § 1030(e)(11). The statute is written in the disjunctive, making the first type of loss independent of an interruption of service. Yoder, 774 F.3d at 1073. Contrary to the assertion of the court in Continental Group, this interpretation does not reduce “interruption of service” to surplusage. See Cont’l Grp., 622 F.Supp.2d at 1371. “Loss” includes the direct costs of responding to the violation in the first portion of the definition, and consequential damages resulting from interruption of service in the second. Thus, under a plain reading of the statute, [Plaintiff’s] loss from [Defendant’s] violation of the CFAA does not need to be related to an interruption of service in order to be compensable. Brown Jordan Int’l, Inc. v. Carmicle, 846 F.3d 1167, 1174 (11th Cir. 2017). The Complaint alleges costs in excess of $5,000 associated with responding to Defendants’ conduct. (Doc. 1 at 6). 7 1. The meaning of “exceeds authorized access” Each of the CFAA provisions upon which it appears Plaintiff is relying, i.e. (a)(2)(C), (a)(4), (a)(5) and/or (a)(6), (save for § 1030(a)(5)(A)) require that access to the protected computer be obtained without authorization or in excess of authorization. See 18 U.S.C. § 1030(e)(6). Defendants’ grounds for their motions to dismiss Count One are summarized as follows: RSI’ s Count I alleges that Dr. Franklin, and defendants Wilson and Payton (collectively “Defendants”), violated the CFAA by accessing RSI’s practice management system “without authorization”. See RSI Complaint, ¶ 28. RSI alleges that Defendants “used an RSI computer to log into RSI’s practice management system, which required a password and/or login credentials, and download[ed] confidential RSI patient data and other confidential RSI data” along with “retinal scans of a number of RSI patients”. See RSI Complaint, ¶ 19-20. RSI alleges that Defendants “were not authorized to download the confidential RSI patient information.” See RSI Complaint, ¶ 22 (Emphasis added). RSI’s claims are due to be dismissed because the alleged conduct does not violate CFAA…. RSI has not alleged that Defendants acted either “without authorization” or in excess of their “authorized access”. (Doc. 12 at 2-3)(emphasis in original). The parties seem to agree that the Defendants were authorized to access the protected computers1, as well as the medical records contained therein. However, 1 Pursuant to § 1030(e)(2) the term “protected computer” means a computer— (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States. 8 Plaintiff argues that accessing these records, in violation of company policies, and for an unauthorized purpose amounts to access in excess of Defendants’ authorization under the CFAA. The CFAA does not define the phrase “without authorization,” but it defines “exceeds authorized access.” “[T]he term ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter. 18 U.S.C. § 1030(e)(6). As the Middle District of Florida observed in Enhanced Recovery, LLC v. Frady: …[T]he application of this term and its definition have bedeviled the courts. Some have interpreted the definition broadly, reading into it a theory of agency, such that an employee’s authorization is revoked, and thus she “exceeds authorized access,” whenever she obtains information with a subjective intent that is unlawful or contrary to her employer’s interests, even though the employee actually had authorization to access the information. See, e.g., United States v. John, 597 F.3d 263, 271–72 (5th Cir.2010) (“authorization” as used in the CFAA “may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system” if the use is in furtherance of a crime); Int’l Airport Centers, LLC v. Citrin, 440 F.3d 418, 420–21 (7th Cir.2006) (employee’s authorization to access a computer ended, for purposes of 18 U.S.C. § 1030(a)(5), once the employee breached his duty of loyalty to the employer); Aquent LLC, 2014 WL 5780293, at *4–5 (employee exceeded authorized access by abusing access to confidential information to share it with a competitor). Under this theory, where an employee accesses confidential information for personal purposes inconsistent with the employer’s interests, that employee has exceeded her authorized access to the information….Other courts, including the majority of district courts in this Circuit that have considered the question, have adopted a narrower definition of “exceeds authorized access.” As one put it, “[q]uite simply, without authorization means exactly that: the employee was not granted access by his employer. 18 U.S.C. § 1030. 9 Similarly, exceeds authorized access simply means that, while an employee’s initial access was permitted, the employee accessed information for which the employer had not provided permission.” AIRCO, 953 F.Supp.2d at 1296; see also, e.g., Clarity Services, Inc., 698 F.Supp.2d at 1315; Trademotion, 857 F.Supp.2d at 1289–91; Diamond Power Int’l, Inc. v. Davidson, 540 F.Supp.2d 1322, 1343 (N.D.Ga.2007). Many courts outside of the Eleventh Circuit have also adopted this narrower interpretation. E.g., WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 203–07 (4th Cir.2012); United States v. Nosal, 676 F.3d 854, 858 (9th Cir.2012); Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 968 (D.Ariz.2008). Under the narrow interpretation, an employee who has actually been granted access to information does not “exceed authorized access” by virtue of the employee’s subjective intent or by subsequently violating company policies on the use of the information. AIRCO, 953 F.Supp.2d at 1296; WEC Carolina, 687 F.3d at 206–07; Bell Aerospace Services, Inc. v. U.S. Aero Services, Inc., 690 F.Supp.2d 1267, 1272 (M.D.Ala.2010) (“ ‘Exceeds authorized access’ should not be confused with exceeds authorized use.”) (citing Diamond Power Int’l, 540 F.Supp.2d at 1343). Nor does an employee “exceed authorized access” by obtaining information that she is permitted to access, but “in a manner” that is not authorized. WEC Carolina, 687 F.3d at 205–07; Nosal, 676 F.3d at 856–63. Rather, an individual “exceeds authorized access” by gaining access to specific information that her employer simply did not give her permission to access. Diamond Power Int’l, 540 F.Supp.2d at 1343…. 2015 WL 1470852, at *6 (M.D. Fla. Mar. 31, 2015). Not surprisingly, Plaintiff urges the Court to adopt the broad interpretation and Defendants urge the Court to adopt the narrow interpretation In Enhanced Recovery, the Court granted a motion to dismiss a CFAA claim holding, …[T]he Court concludes that “[u]nder the more reasoned view, a violation for accessing ‘without authorization’ occurs only where initial access is not permitted. And a violation for ‘exceeding authorized access’ occurs where initial access is permitted but the access of certain information is not permitted.” Diamond Power Int’l, 540 F.Supp.2d at 1343. “The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper ‘access’ of computer information. It does not prohibit misuse or misappropriation.” Id. In this regard, the narrower interpretation is a “sensible reading of the text and legislative history of a statute whose general purpose is to punish 10 hacking—the circumvention of technological access barriers—not misappropriation of trade secrets—a subject Congress has dealt with elsewhere.” Nosal, 676 F.3d at 863. As such, in this Court’s view, the CFAA’s definition of “exceeds authorized access” does not reach an employee who has actually been granted access to confidential information, but who accesses that information for the improper purpose of removing or disclosing the employer’s information. 2015 WL 1470852, at *9 (M.D. Fla. Mar. 31, 2015). The Court has reviewed the cases submitted by both parties, and Defendants are correct that several district courts within this circuit have held that conduct similar to that alleged here does not meet the definition of “exceeds authorized access” under the CFAA. See e.g. Bell Aerospace Services, Inc. v. U.S. Aero Services, Inc., 690 F.Supp.2d 1267 (M.D.Ala.2010); Lockheed Martin Corp. v. Speed, 2006 WL 2683050 (M.D. Fla. Aug 1., 2006); Diamond Power Intern. Inc. v. Davidson, 540 F. Supp. 2d 1322 (N.D. Ga. 2007); Enhanced Recovery Co., LLC v. Frady, 2015 WL 1470852, at *1 (M.D. Fla. Mar. 31, 2015). Though persuasive, the decisions of district courts within this circuit are not binding on the other district courts within the circuit, nor are cases from other circuits. McGinley v. Houston, 361 F. 3d 1328, 1331 (11th Cir. 2004)(internal citations omitted)(“The general rule is that a district judge’s decision neither binds another district judge nor binds him, although a judge ought to give great weight to his own prior decisions….A circuit court’s decision binds the district courts sitting within its jurisdiction while a decision by the Supreme Court binds all circuit and district courts.”). The only applicable binding case the Court has found addressing the meaning of “exceeds authorized access” under the CFAA is United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010). In 11 Rodriguez, an employee of the Social Security Administration (“SSA”) appealed his conviction under § 1030(a)(2)(B) of the CFAA for accessing sensitive personal information on certain individuals via the SSA’s computer systems. 628 F.3d at 1260. The SSA had established a policy that prohibited an employee from obtaining information from its databases without a business reason. Id. The appellate court upheld the CFAA conviction because the employee accessed personal information that was not related to SSA’s business purposes. Id. at 1263. While distinguishing the facts before it from other cases, the appellate court specifically noted that the employer informed the employee that he was not “authorized to obtain personal information for nonbusiness reasons.” Id. Similarly, in this case, the Complaint alleges as follows: On January 16, 2017, RSI distributed a memorandum to all employees regarding uses and disclosure of the company’s proprietary information and trade secrets (the “Memorandum”). The Memorandum reminded the employees of their obligations under HIPAA. It stated that it was impermissible for employees to download patient information for personal use or for use by anyone other than an RSI employee. It also stated than no employee should download any patient information without express approval from practice management…. All employees were directed to sign the Memorandum acknowledging they had received it, read it, understood its provisions, and would adhere to RSI’s policies and procedures regarding access to confidential patient information. (Doc. 1 at 5, ¶¶ 22-23).2 It appears that some of the conduct Plaintiff alleges violates the CFAA, would be in direct violation of this policy. For example, if a defendant 2 Plaintiff submitted what appears to be a copy of the referenced Memorandum with its response to sthe motion to dismiss. (Doc. 18 at 23). This exhibit was not considered “As a general rule, the district court must ‘limit[ ] its consideration to the pleadings and exhibits attached thereto’ when deciding a Rule 12(b)(6) motion to dismiss.” Lewis v. Asplundh Tree Expert Co., 305 F. App'x 623, 627 (11th Cir. 2008) (per curiam) (quoting Grossman v. Nationsbank, N.A., 225 F.3d 1228, 1231 12 downloaded patient information for personal use or without express approval from management, the access would be unauthorized. As recently as late July 2017, in an unpublished opinion, the Court of Appeals for the Eleventh Circuit examined the CFAA and its Rodriguez opinion: The CFAA does not define the phrase “without authorization,” but it defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). We have, in one published opinion, expounded on what it means to “exceed authorized access.” See United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010). In Rodriguez, the defendant had access, through his work as a TeleService representative for the Social Security Administration, to certain SSA databases containing sensitive personal information. SSA policy authorized the defendant’s access to the databases only for official business purposes. The defendant knew this, but chose to access the database and obtain information for nonbusiness reasons. See id. at 1263. We concluded that the defendant’s access, which had been in furtherance of nonbusiness purposes, exceeded the authorization the SSA had given him, and affirmed his conviction under the CFAA. See id. at 1263–64. Although it is not entirely clear, one of the lessons from Rodriguez may be that a person exceeds authorized access if he or she uses the access in a way that contravenes any policy or term of use governing the computer in question. So, assuming that the OxBlue Defendants actually violated the [licensing agreement], there is an argument that downloading the screenshots “exceeded authorized access” under Rodriguez. EarthCam, Inc. v. Oxblue Corp., 2017 WL 3188453, at *4 (11th Cir. July 27, 2017). Importantly, a footnote two, found within this section of the EarthCam case states: (11th Cir. 2000) (internal quotation marks omitted)). “If, on a motion under Rule 12(b)(6)…, matters outside the pleadings are presented to and not excluded by the court, the motion must be treated as one for summary judgment under Rule 56. All parties must be given a reasonable opportunity to present all the material that is pertinent to the motion.” Fed. R. Civ. P. 12(d). See also Finn v. Gunter, 722 F.2d 711, 713 (11th Cir. 1984) (“The 12(b)(6) motion thus was converted into a summary judgment motion necessitating all the procedural safeguards of Rule 56.”). 13 We decided Rodriguez in 2010 without the benefit of a national discourse on the CFAA. Since then, several of our sister circuits have roundly criticized decisions like Rodriguez because, in their view, simply defining “authorized access” according to the terms of use of a software or program risks criminalizing everyday behavior. See United States v. Valle, 807 F.3d 508, 527 (2d Cir. 2015); WEC Carolina Energy Sols.LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854, 862–63 (9th Cir. 2012) (en banc). Neither the text, nor the purpose, nor the legislative history of the CFAA, those courts maintain, requires such a draconian outcome. We are, of course, bound by Rodriguez, but note its lack of acceptance. Id. at *4, n.2. While the Court may agree with Enhanced Recovery, the Court must consider the binding authority of Rodriguez, coupled with the observations made by the Court of Appeals in EarthCam. The inquiry here turns on whether Plaintiff’s claims present a plausible claim for relief. The facts here are similar to Rodriguez in that Plaintiff alleges that it had a policy that authorized access to its computerized records only for limited purposes. See Rodriguez, 628 F.3d at 1263 (company policy restricted employee’s authorization to access certain information and the employee admitted that he accessed the information); IPC Sys., Inc. v. Garrigan, 2012 WL 12872028, at *6 (N.D. Ga. May 21, 2012) (relying on Rodriguez and denying dismissal of CFAA claim because fact questions remained about the purpose for which an employee accessed information and whether the employee exceeded his authorized access); cf. Aquent LLC v. Stapleton, 65 F.Supp.3d 1339, 1346 (M.D. Fla. 2014) (finding company policy that required the employee to keep information confidential and to use information for business purposes only akin to the policy in Rodriguez and 14 concluding that the plaintiff stated a claim under the CFAA that the employee exceeded her authorization). The allegations raised by Plaintiff, which the Court must accept as true at this stage contain a plausible claim for relief. Thus, the motions to dismiss, as to Count One, are DENIED.3 II. The Alabama Digital Crime Act (Count Two) In Count Two of the Complaint, Plaintiff alleges that Defendants violated the Alabama Digital Crime Act (“ADCA”), codified at Ala. Code § 13A-8-112, when they “knowingly and exceeding their authorization for use, disclosed, used, controlled and took information or data residing in RSI’s computers, computer system, and computer network.” (Doc. 1 at 7, ¶33). Pursuant to the ADCA, “[a] person who acts without authority or who exceeds authorization of use commits the crime of computer tampering by knowingly:” (1) Accessing and altering, damaging, or destroying any computer, computer system, or computer network. 3 See also Agilysys, Inc. v. Hall, 2017 WL 2903364, at *5, n.2 (N.D. Ga. May 25, 2017)(“The courts debating this issue refer oftentimes to the practical implications of viewing the CFAA so broadly. The Court is troubled by the practical implications of Agilysys’ policy here. Pursuant to Agilysys’ policy, Hall would be liable under the CFAA for every time in his 32 years of employment, that the policy was in place, he accessed the internet for a non-business purpose. This would include checking the news, sports scores, weather, or even an emergency alert. Every other employee of Agilysys would also be liable for the same. See Valle, 807 F.3d at 527 (discussing courts that have recognized the problems with an broad view of the CFAA; a broad view would mean that “any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer’s computer systems”) (quotation omitted). After a review of the court split and the legislative history of the CFAA, the Court does not believe that Congress intended the CFAA to cover such situations. Nevertheless, as noted above, the Court is limited by the Rodriguez opinion and by the Rule 12(b)(6) standard at this early stage of the case.”)(emphasis added). 15 (2) Altering, damaging, deleting, or destroying computer programs or data. (3) Disclosing, using, controlling, or taking computer programs, data, or supporting documentation residing in, or existing internal or external to, a computer, computer system, or network. *** (7) Obtaining any information that is required by law to be kept confidential or any records that are not public records by accessing any computer, computer system, or network that is operated by this state, a political subdivision of this state, or a medical institution. (8) Giving a password, identifying code, personal identification number, debit card number, bank account number, or other confidential information about a computer security system to another person without the consent of the person using the computer security system to restrict access to a computer, computer network, computer system, or data. Ala. Code § 13A-8-112(a). Plaintiff cites Ala. Code § 6-5-370 for the provision that “[f]or any injury, either to person or property, amounting to a felony, a civil action may be commenced by the party injured without prosecution of the offender.” (Doc. 1 at 7, ¶ 35). As Defendants point out, “Section 6–5–370 does not create a cause of action; rather, it merely allows a plaintiff to commence a civil action even if the plaintiff does not pursue criminal prosecution of the defendant.” Lewis v. Fraunfelder, 796 So.2d 1067, 1070 (Ala.2000); see also Preskitt v. Lyons, 865 So.2d 424, 429 (Ala.2003) (“§ 6–5–370 only eliminates an obstacle for plaintiffs with a valid cause of action; it does not create a civil cause of action for any injury that amounts to a felony.”) (emphasis added); Thomas v. McKee, 205 F.Supp.2d 1275, 1291 16 (M.D.Ala.2002) (De Ment, J.) (Section 6–5–370 “was merely intended to abrogate the common law rule of suspension which precluded civil damages claims in these circumstances absent the prosecution of the felonious offender.”). However, there may be a remedy under common law, as there is a remedy for criminal violations which result in injury to person or property. See Lollar v. Poe, 622 So.2d 902 (Ala. 1993). In Alabama, “civil liability for acts which constitute a crime ‘will ensue only if the acts complained of violate the legal rights of the plaintiff, constitute a breach of duty owed to the plaintiff, or constitute some cause of action for which relief may be granted.’” Ages Group, L.P. v. Raytheon Aircraft Co., Inc., 22 F.Supp.2d 1310, 1320 (M.D.Ala.1998) (quoting Smitherman v. McCafferty, 622 So.2d 322 (Ala.1993)). Plaintiff argues that Defendants’ conduct violated RSI’s property rights in its computer system, RSI’s privacy rights, interfered with its business relations, and subjected it to the threat of criminal and civil liability due to HIPAA breaches. (Doc. 18 at 19-20; Doc. 1 at 1-2, ¶1; Doc. 1 at 6, ¶ 26). Upon consideration, the Court finds that the facts as alleged present a plausible claim for relief under the Alabama Digital Crimes Act, as the Complaint alleges violations of the legal rights of the Plaintiff, and that the motions to dismiss Count Two pursuant to Fed.R.Civ.P. 12(b)(6) are DENIED. See also D&J Optical, Inc. v. Wallace, 2015 WL 1474146, at *8 (M.D. Ala. Mar. 31, 2015)(denying motion to dismiss a civil ADCA claim). The Court notes, however, that it has not found a 17 single Alabama case, available on Westlaw, involving a civil action brought pursuant to the ADCA. CONCLUSION For the reasons discussed herein, Defendants’ motions to dismiss (Docs. 12, 13, and 14) are DENIED. DONE and ORDERED this the 9th day of November 2017. /s/ Katherine P. Nelson KATHERINE P. NELSON UNITED STATES MAGISTRATE JUDGE 18

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

Why Is My Information Online?