Farmers Bank & Trust, N.A. v. Witthuhn et al
Filing
94
MEMORANDUM AND ORDER denying 40 Motion for Partial Summary Judgment; denying 42 Motion to Dismiss State Law Claims ; denying 65 Motion for Leave to Amend Complaint. Plaintiff is granted leave to file an amended motion for leave to amend, attaching a revised proposed amended complaint that complies with this Memorandum and Order by no later than October 24, 2011. Signed by District Judge Julie A. Robinson on 10/13/2011. (pp)
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF KANSAS
FARMERS BANK & TRUST, N.A.
)
)
Plaintiff,
)
)
)
vs.
)
)
RAY WITTHUHN and TONETTA
)
STIEBEN,
)
)
Defendants.
)
____________________________________)
Case No. 11-2011-JAR
MEMORANDUM AND ORDER
Plaintiff Farmers Bank & Trust, N.A. (“Farmers”) alleges several claims against its
former employees, defendants Ray Witthuhn and Tonetta Stieben.1 Plaintiff alleges a federal
claim in Count III for violations of the Computer Fraud and Abuse Act (“CFAA”), and Kansas
state law claims for breach of contract, violation of the Kansas Uniform Trade Secrets Act,
conversion, civil conspiracy, unfair competition, and breach of loyalty.
Before the Court are defendants’ Motion for Partial Summary Judgment (Doc. 40) and
Motion to Dismiss Plaintiff’s State Law Claims (Doc. 42), and plaintiff’s Motion for Leave to
File Second Amended Complaint (Doc. 65). Defendants seek summary judgment on Count III,
which alleges various violations of the CFAA, and ask that the Court decline to exercise
supplemental jurisdiction and dismiss the remaining state law claims. Plaintiff seeks to amend
its complaint to add a defendant, correct certain citations to the CFAA, and make additional
factual statements “regarding the conduct of Defendants Witthuhn and Stieben,” including
1
Defendant Brent Kerr was dismissed from this case after defendants’ dispositive motions were filed (Doc.
64).
adding another state law claim. The motions are fully briefed and the Court is prepared to rule.
As described more fully below, the Court denies defendants’ motion for partial summary
judgment because there is a genuine issue of material fact as to three of the four alleged statutory
violations. Because the Court denies the motion for partial summary judgment, it also denies the
motion to dismiss. The Court further denies plaintiff’s motion for leave to amend the complaint,
but allows plaintiff additional time to file a revised motion to amend, attaching a proposed
amended complaint that complies with this Memorandum and Order.
I.
Uncontroverted Facts
Rule 56(c)(4) provides that opposing affidavits submitted on summary judgment must be
made on personal knowledge and shall set forth such facts as would be admissible in evidence.2
Fed. R. Evid. 602 requires that a testifying witness “ha[ve] personal knowledge of the matter”
testified to.3 “Under the personal knowledge standard, an affidavit is inadmissible if ‘the witness
could not have actually perceived or observed that which he testifies to.’”4 Statements of “mere
belief in an affidavit must be disregarded.”5 Defendants object to plaintiff’s reliance on Gene
Dikeman’s affidavit in its response to the motion for partial summary judgment on the basis that
certain statements are not based on personal knowledge and constitute inadmissible hearsay.
The Court declines to strike the affidavit on personal knowledge grounds because Dikeman
makes clear that the facts in paragraphs 3 through 5 constitute information provided to him.
However, the Court agrees that these paragraphs are inadmissible hearsay. Each of the three
2
Fed. R. Civ. P. 56(c)(4).
3
Fed. R. Evid. 602.
4
Argo v. Blue Cross Blue Shield, 452 F.3d 1193, 1200 (10th Cir. 2006).
5
Id. (quoting Tavery v. United States, 32 F.3d 1423, 1427 n.4 (10th Cir. 1994)).
paragraphs is introduced by the statement that he “was informed that,” but the affidavit does not
identify the declarant. In the plaintiff’s statement of additional uncontroverted facts, it offers
these facts for the truth of the matter asserted. Under these circumstances, the Court finds that
the statements are inadmissible hearsay and it does not consider paragraphs 3 through 5 of the
Dikeman affidavit on summary judgment.6
With this evidentiary ruling in mind, the following facts are uncontroverted, or viewed in
the light most favorable to plaintiff. Defendants Witthuhn and Stieben were bank officers for
Farmers—Witthuhn was the Vice President and Stieben was Assistant Vice President. They
were entrusted with Farmers’ confidential information and trade secrets. Farmers’ internal
computer systems are password protected with restricted access. Access to Farmers’ customers’
personal and financial information is limited to those with a business reason for knowing such
information. Defendants were not authorized to access this information for non-bank purposes,
nor were they permitted to copy or delete this information for competitive purposes.
On December 27, 2010, defendants announced their intention to resign their employment,
but between December 27 and January 3, 2011, they still had passwords and could access
Farmers’ computer systems. Defendants deleted substantial amounts of data from Farmers’
computers, including customers’ personal and financial information and Farmers’ confidential
business information. Defendants were not permitted to delete Farmers’ customers’ personal and
financial information or Farmers’ confidential business information without the supervision of
Farmers Bank IT personnel. Defendants did not have permission to delete any of Farmers’ files
or emails containing Farmers’ customers’ personal and financial information or Farmers’
6
Defendants object to paragraph 9 of the Dikeman affidavit in a footnote, but because the fact that this
paragraph is offered to support an uncontroverted fact that is supported by additional evidence, the Court need not
rule on this objection.
business information.
By at least January 4, 2011, Farmers believed that defendants were involved in
downloading a substantial amount of material or data from Farmers’ computer system. Despite
Farmers’ belief, it allowed defendants to return to work and to continue working on January 5, 6,
and 7. Dikeman, Farmers’ President, testified that “[w]e had gone into a high-security mode and
were watching everything they were doing.”7 On January 7, 2011, Farmers’ representatives took
defendants’ keys, cut off their access to the computer networks and changed the locks at the
branch office.
II.
Motion for Partial Summary Judgment and Motion to Dismiss
A.
Summary Judgment Standard
Summary judgment is appropriate if the moving party demonstrates that there is “no
genuine issue as to any material fact” and that it is “entitled to a judgment as a matter of law.”8
In applying this standard, the court views the evidence and all reasonable inferences therefrom in
the light most favorable to the nonmoving party.9 “There is no genuine issue of material fact
unless the evidence, construed in the light most favorable to the nonmoving party, is such that a
reasonable jury could return a verdict for the nonmoving party.”10 A fact is “material” if, under
the applicable substantive law, it is “essential to the proper disposition of the claim.”11 An issue
of fact is “genuine” if “‘the evidence is such that a reasonable jury could return a verdict for the
7
Doc. 41, Attach. 2 at 67.
8
Fed. R. Civ. P. 56(a).
9
City of Harriman v. Bell, 590 F.3d 1176, 1181 (10th Cir. 2010).
10
Bones v. Honeywell Int’l, Inc., 366 F.3d 869, 875 (10th Cir. 2004).
11
Wright ex rel. Trust Co. of Kan. v. Abbott Labs., Inc., 259 F.3d 1226, 1231–32 (10th Cir. 2001) (citing
Adler v. Wal-Mart Stores, Inc., 144 F.3d 664, 670 (10th Cir. 1998)).
non-moving party.’”12
The moving party initially must show the absence of a genuine issue of material fact and
entitlement to judgment as a matter of law.13 In attempting to meet this standard, a movant that
does not bear the ultimate burden of persuasion at trial need not negate the other party’s claim;
rather, the movant need simply point out to the court a lack of evidence for the other party on an
essential element of that party’s claim.14
Once the movant has met this initial burden, the burden shifts to the nonmoving party to
“set forth specific facts showing that there is a genuine issue for trial.”15 The nonmoving party
may not simply rest upon its pleadings to satisfy its burden.16 Rather, the nonmoving party must
“set forth specific facts that would be admissible in evidence in the event of trial from which a
rational trier of fact could find for the nonmovant.”17 To accomplish this, the facts “must be
identified by reference to an affidavit, a deposition transcript, or a specific exhibit incorporated
therein.”18 The non-moving party cannot avoid summary judgment by repeating conclusory
12
Thomas v. Metro. Life Ins. Co., 631 F.3d 1153, 1160 (10th Cir. 2011) (quoting Anderson v. Liberty Lobby,
Inc., 477 U.S. 242, 248 (1986)).
13
Spaulding v. United Trasp. Union, 279 F.3d 901, 904 (10th Cir. 2002) (citing Celotex Corp. v. Catrett,
477 U.S. 317, 322–23 (1986)).
14
Adams v. Am. Guar. & Liab. Ins. Co., 233 F.3d 1242, 1246 (10th Cir. 2000) (citing Adler, 144 F.3d at
671); see also Kannady v. City of Kiowa, 590 F.3d 1161, 1169 (10th Cir. 2010).
15
Anderson, 477 U.S. at 256; Celotex, 477 U.S. at 324; Spaulding, 279 F.3d at 904 (citing Matsushita Elec.
Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986)).
16
Anderson, 477 U.S. at 256; accord Eck v. Parke, Davis & Co., 256 F.3d 1013, 1017 (10th Cir. 2001).
17
Mitchell v. City of Moore, Okla., 218 F.3d 1190, 1197–98 (10th Cir. 2000) (quoting Adler, 144 F.3d at
671); see Kannady, 590 F.3d at 1169.
18
Adams, 233 F.3d at 1246.
5
opinions, allegations unsupported by specific facts, or speculation.19 In responding to a motion
for summary judgment, “a party cannot rest on ignorance of facts, on speculation, or on
suspicion and may not escape summary judgment in the mere hope that something will turn up at
trial.”20 When examining the underlying facts of the case, the Court is cognizant that it may not
make credibility determinations or weigh the evidence.21 Summary judgment is not a
“disfavored procedural shortcut”; on the contrary, it is an important procedure “designed to
secure the just, speedy and inexpensive determination of every action.”22
B.
Discussion
Count III of the Amended Verified Complaint for Injunctive Relief and Damages
(“Complaint”) alleges a violation of the CFAA against both defendants. The CFAA is a criminal
statute targeting computer fraud that provides a civil cause of action for violations of the
CFAA.23 To maintain a civil action under the CFAA, the conduct must involve one of the
factors set forth in subclauses (I) through (V) of § 1030(c)(4)(A)(i). Here, plaintiff alleges that it
has suffered damages or loss aggregating to at least $5000 due to defendants’ conduct, which
falls under subclause (I), and alleges defendants violated four different provisions of the CFAA.
1.
18 U.S.C. § 1030(a)(2)(C) and (a)(4)
18 U.S.C. § 1030(a)(2)(C) imposes liability against “whoever . . . intentionally accesses a
computer without authorization or exceeds authorized access, and thereby obtains . . . (C)
19
Argo v. Blue Cross & Blue Shield of Kan., Inc., 452 F.3d 1193, 1199 (10th Cir. 2006) (citation omitted).
20
Conaway v. Smith, 853 F.2d 789, 794 (10th Cir. 1988).
21
Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986).
22
Celotex, 477 U.S. at 327 (quoting Fed. R. Civ. P. 1).
23
18 U.S.C. § 1030(g).
6
information from any protected computer.” And 18 U.S.C. § 1030(a)(4) imposes liability against
whoever “knowingly and with intent to defraud, accesses a protected computer without
authorization, or exceeds authorized access.” Plaintiff argues that defendants are liable under
these subsections because they either accessed information without authorization, or exceeded
their authorized access by deleting information between the time when they announced their
resignations and January 7, 2011.
There is a split of authority about the meaning of “authorization” under the CFAA. On
the one hand, there is a line of cases construing the term to depend on whether the employee
violated a duty of loyalty or acted with an interest adverse to the employer—the Citrin cases.24
On the other hand, several courts determine authorization based on the “employer’s decision to
allow or terminate an employee’s authorization”25—the Brekka cases.26 Judge Lungstrum
recently followed the reasoning in the Brekka line of cases,27 and this approach has “recently
gained critical mass.”28 This Court is persuaded by the reasoning in Brekka and US Bioservices
Corp. and applies this approach in determining whether there is a genuine issue of material fact
that defendants violated the CFAA when they accessed and deleted files from Farmers’ computer
system between the time that they announced their resignations and the time their computer
access was terminated.
24
Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006); see US Bioservices Corp.v. Lugo,
595 F. Supp. 2d 1189, 1193 (D. Kan. 2009) (collecting cases).
25
Lewis-Burke Assocs., LLC v. Widder, 725 F. Supp. 2d 187, 192–93 (D.D.C. 2010).
26
LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009); see Lewis-Burke Assocs., LLC, 725
F. Supp. 2d at 192–93.(collecting cases).
27
US Bioservices Corp., 595 F. Supp. at 1192.
28
Lewis-Burke Assocs., LLC, 725 F. Supp. 2d at 193.
7
To the extent plaintiff maintains that defendants were not initially authorized to access
the Farmers’ computer system, the Court agrees with defendants that the uncontroverted facts
belie this contention under the Brekka line of reasoning. The uncontroverted facts establish that
defendants were permitted to access Farmers’ confidential and proprietary information prior to
January 7, 2011. They had passwords to Farmers’ computer system and access to restricted
information. Plaintiff argues that company policy only allowed defendants to access this
information for a business reasons, but this argument would require the Court to follow the
Citrin line of cases and determine whether defendants were acting in the interest of Farmers—a
standard that this Court has already declined to follow.29 Instead, the Court looks to whether
Farmers permitted defendants to access this information. Because it is uncontroverted that
defendants were permitted to access the information at issue, no reasonable jury could determine
that liability under the CFAA could lie based on defendants’ unauthorized access to the
information in Farmers’ computer system.
Plaintiff next argues that defendants are liable under the CFAA because they exceeded
their authorized access by deleting information in Farmers’ computer system. Defendants
contend that plaintiff’s Complaint does not include a claim for exceeding authorized access and
that the uncontroverted facts establish that defendants accessed information that they were
permitted to access in the first place. Plaintiff responds that notwithstanding the initial access,
29
See, e.g., Brekka, 581 F.3d at 1135 (“a person uses a computer ‘without authorization’ under
§§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as
when a hacker accesses someone’s computer without any permission), or when the employer has rescinded
permission to access the computer and the defendant uses the computer anyway.”); Lewis-Burke Assocs., LLC, 725
F. Supp. 2d at 192 (“an employer’s decision to allow or terminate an employee’s authorization is the determining
factor as to whether the employee is with or without authorization.”); US Bioservices Corp., 595 F. Supp. 2d at 1193
(“An interpretation based on agency principles would inappropriately expand federal jurisdiction by broadly
sweeping in conduct in which a defendant accesses a company computer with ‘adverse interests.’”).
8
defendants exceeded their authorization by deleting substantial amounts of data from Farmers’
computer system. Defendants reply that Farmers allowed employees to delete information in
some instances and that the Bank’s policy does not require that they obtain prior approval before
deleting documents.
While the Complaint does not explicitly identify the “exceeds authorized access”
violation in its recitation of statutory claims, its factual averments include that “Defendants were
not authorized to access this information for non-bank purposes. Nor were they permitted to
copy and delete this information for competitive purposes.”30 Therefore, defendants were on
notice of plaintiff’s claim that defendants violated the statute by deleting information that they
were not permitted to delete and the lack of a specific statutory recitation of the “exceeds
authorized access” provision is not fatal to this theory of liability.31
“‘[E]xceeds authorized access’ means to access a computer with authorization and to use
such access to obtain or alter information in the computer that the accesser is not entitled so to
obtain or alter.”32 Brekka explains:
As this definition makes clear, an individual who is authorized to
use a computer for certain purposes but goes beyond those
limitations is considered by the CFAA as someone who has
“exceed[ed] authorized access.” On the other hand, a person who
uses a computer “without authorization” has no rights, limited or
otherwise, to access the computer in question. In other words, for
purposes of the CFAA, when an employer authorizes an employee
to use a company computer subject to certain limitations, the
30
The proposed second amended complaint continues to allege statutory violations under subsections
(a)(2)(C) and (a)(4) for accessing without authorization and does not include an explicit statement that it claims
defendants exceeded their authorized access.
31
See Fed. R. Civ. P. 8(a); Bryson v. Gonzales, 534 F.3d 1282, 1286–87 (10th Cir. 2008).
32
18 U.S.C. § 1030(e)(6).
9
employee remains authorized to use the computer even if the
employee violates those limitations. It is the employer’s decision
to allow or to terminate an employee’s authorization to access a
computer that determines whether the employee is with or
“without authorization.”33
And Judge Lungstrum has stated that exceeding authorized access occurs “when the defendant
has permission to access the computer in the first place, but then accesses certain information to
which he is not entitled.”34
There is no question that defendants were authorized to access Farmers’ confidential and
proprietary information in the first place, but the Court finds that there is a genuine issue of
material fact about whether defendants used their access to “obtain or alter information in the
computer” that they were not “entitled so to obtain or alter.” It is uncontroverted that defendants
deleted substantial amounts of data from Farmers’ computers, including customers’ personal and
financial information and Farmers’ confidential business information. And regardless of
whether Farmers had a policy that required defendants to obtain prior approval to delete that
information, it is uncontroverted that these defendants did not have permission to delete any of
Farmers’ files or emails containing Farmers’ customers’ personal and financial information or
Farmers’ business information. Moreover, Farmers’ had an Information Security and
Unauthorized Access Policy that required retention of information for certain purposes and
provides that “records shall generally be destroyed, or sterilized, under Bank IT personnel
supervision.”35 Given all of these facts, a reasonable jury could conclude that defendants
33
Brekka, 581 F.3d at 1133.
34
US Bioservices Corp., 595 F. Supp. at 1193.
35
Doc. 66, Ex. B, Part III.6.
10
exceeded their authorization by deleting information in Farmers’ computer system that they were
not authorized to delete.36
2.
18 U.S.C. § 1030(a)(5)(C)
Section 1030(a)(5)(C) provides liability when a defendant “intentionally accesses a
protected computer without authorization, and as a result of such conduct, causes damage and
loss.” Unlike the subsections discussed above, this subsection does not contain an “exceeds
authorized access” provision. Defendants may only be liable under this provision if they
intentionally accessed a protected computer “without authorization.” Again, the Court applies
the Brekka approach, so defendants may only be without authorization if they were without
permission.37 It is uncontroverted that defendants were authorized to access Farmers’ computer
system, so no reasonable jury could conclude that defendants are liable under this provision.
3.
18 U.S.C. § 1030(a)(5)(A)
Section 1030(a)(5)(A) provides liability when a defendant “knowingly causes the
transmission of a program, information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to a protected computer.” Damage is defined
under the statute as “any impairment to the integrity or availability of data, a program, a system,
or information.”38 Unlike subsection (a)(5)(C), this section creates liability for knowingly
36
Compare Bro-Tech Corp. v. Thermax, Inc., 651 F. Supp. 2d 378, 405–08 (E.D. Pa. 2009) (applying
Brekka reasoning and finding genuine issue of material fact that deletions of files and emails exceeded authorized
access because plaintiff submitted evidence that the departing employees were not permitted to delete such files,
even though they were permitted to access the information), with Clarity Servs., Inc. v. Barney, 698 F. Supp. 2d
1309, 1316 (M.D. Fla. 2010) (granting summary judgment where the uncontroverted facts showed that the departing
employee had unrestricted access to read, write, and delete files).
37
Brekka, 581 F.3d at 1133; Burke Assocs., LLC, 725 F. Supp. 2d at 193; US Bioservices Corp., 595 F.
Supp. at 1193.
38
18 U.S.C. § 1030(e)(8).
11
causing transmission of something that causes damage without authorization, as compared to
damage that is the result of access without authorization. Because it is uncontroverted that
defendants were not permitted to delete files and emails from Farmers’ computer system, a
reasonable jury could conclude that they violated this subsection.
Accepting the uncontroverted facts as true and viewing the evidence in the light most
favorable to plaintiff, there is no question that defendants were authorized to access confidential
and business information on Farmers’ computer system and that Farmers permitted this access
until January 7, 2011 when defendants’ computer access was terminated. Indeed, despite its
awareness that defendants were deleting files on January 4, 2011, Farmers decided not to
terminate defendants’ access to its computer system until January 7. There is a genuine issue of
material fact, however, about whether defendants were authorized to delete information in
Farmers’ computer system. Because three of the four alleged CFAA violations hinge on whether
defendants exceeded their authorized access, or caused damage from the unauthorized deletion
of information, these claims must be decided by a jury. On the other hand, summary judgment is
appropriate on plaintiff’s claim under 18 U.S.C. § 1030(a)(5)(C) because liability under this
provision rests solely on damage sustained from intentional unauthorized access. Since the
Court denies the motion for partial summary judgment on the federal claim, defendants’ motion
to dismiss, asking that the Court decline to exercise supplemental jurisdiction over the state law
claims, must be denied.
III.
Motion for Leave to Amend Complaint
Plaintiff also filed a motion for leave to amend the complaint, seeking to add Community
12
Bank as a defendant, correct certain CFAA citations, and add certain factual allegations.
Defendants object that the proposed amendment is futile for the reasons set forth in their motion
for summary judgment. That is, defendants contend that plaintiff’s CFAA claims fail as a matter
of law because it is uncontroverted that defendants were authorized to access Farmers’
computers and that they did not exceed that authorized access.
Under Fed. R. Civ. P. 15(a), leave to amend should be freely granted, however “the
district court may deny leave to amend where the amendment would be futile. A proposed
amendment is futile of the complaint, as amended, would be subject to dismissal.”39 The Court
has ruled that there is a genuine issue of material fact about whether defendants exceeded their
authorized access, as contemplated by the CFAA, when they deleted information from Farmers’
computer system. For this reason, the Court is unable to conclude that plaintiff’s proposed
second amended complaint is futile insofar as it amends the CFAA claims under § 1030,
subsections (a)(2)(C), (a)(4), and (a)(5)(A). However, the amendment would be futile with
respect to plaintiff’s proposed amendment to subsection (a)(5)(C). The Court has also ruled that
liability under the CFAA may not be premised on defendants’ unauthorized access, but instead,
on the claim that they exceeded their authorized access. Therefore, plaintiff’s motion to amend
is denied, but plaintiff is granted leave to file a revised motion for leave to amend the complaint,
attaching a proposed pleading that complies with this Memorandum and Order.
IT IS THEREFORE ORDERED BY THE COURT that defendants’ Motion for
Summary Partial Judgment (Doc. 40) and Motion to Dismiss Plaintiff’s State Law Claims (Doc.
42) are denied.
39
Jefferson Cnty. Sch. Dist. No. R-1 v. Moody’s Investors’s Servs., Inc., 175 F.3d 848, 859 (10th Cir. 1999).
13
IT IS FURTHER ORDERED that plaintiff’s Motion for Leave to File Second
Amended Complaint (Doc. 65) is denied. Plaintiff is granted leave to file an amended motion
for leave to amend, attaching a revised proposed amended complaint that complies with this
Memorandum and Order by no later than October 24, 2011.
Dated: October 13, 2011
S/ Julie A. Robinson
JULIE A. ROBINSON
UNITED STATES DISTRICT JUDGE
14
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?