Bashaw et al v. Johnson
Filing
19
MEMORANDUM AND ORDER granting in part and denying in part 6 Plaintiffs' Motion to Dismiss Defendant's Counterclaims. Signed by District Judge John W. Lungstrum on 5/9/2012. (ses)
IN THE UNITED STATES DISTRICT COURT
DISTRICT OF KANSAS
Brooke Bashaw, Katie Sellers
and Lauren Spalsbury,
Plaintiffs,
v.
Case No. 11-2693-JWL
Jeremiah Johnson,
Defendant.
MEMORANDUM AND ORDER
Plaintiffs are former employees of defendant Jeremiah Johnson and/or defendant’s law
firm. Plaintiffs filed this diversity lawsuit alleging that defendant required plaintiffs to wear
skirts in the office and then used an application on his iPhone and iPad to conduct video
surveillance of the area beneath a particular desk in the office such that defendant secretly
obtained video recordings of plaintiffs’ legs, lower torsos and undergarments. Plaintiffs assert
state law claims of invasion of privacy; outrage; and breach of fiduciary duty. Defendant has
counterclaimed for violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq.
(CFAA), and breach of contract. Specifically, he contends that plaintiffs, in violation of the
CFAA, accessed defendant’s iPhone and iPad in excess of their authorization and deleted data
from those devices. He further contends that plaintiffs breached a confidentiality agreement by
disclosing to the district attorney’s office information obtained during a confidential mediation
session.
This matter is presently before the court on plaintiffs’ motion to dismiss defendant’s
counterclaims for failure to state a claim pursuant to Federal Rule of Civil Procedure 12(b)(6).
As will be explained, the motion is granted in part and denied in part.1 The motion is granted
with respect to defendant’s CFAA counterclaim and that claim is dismissed in its entirety. With
respect to defendant’s breach of contract counterclaim, the motion is granted to the extent
defendant claims he was exposed to an increased risk of criminal prosecution as a result of the
alleged breach and is denied to the extent defendant claims he incurred attorneys’ fees as a result
of the breach.
Computer Fraud and Abuse Act Claim
Count I of the counterclaim complaint asserts that one or more plaintiffs violated the
Computer Fraud and Abuse Act (CFAA) by accessing, without authorization or in excess of their
authorization, defendant’s iPad, iPhone and one or more of defendant’s computers and deleting
unspecified data from those devices. Defendant asserts that he has been damaged by the actions
of plaintiffs and that the damages “would exceed” at least $5000 in value “and would be a threat
or invasion of the public interest and confidential information contained therein.” Plaintiffs
move to dismiss this counterclaim on the grounds that the claim fails under Iqbal/Twombly in
at least two respects–defendant does not sufficiently allege the nature of his damages within the
meaning of the CFAA and defendant does not sufficiently allege a qualifying “loss” within the
1
Although plaintiff Brooke Bashaw has not joined in the motion to dismiss, the court
sua sponte dismisses defendant’s counterclaims against Ms. Bashaw to the same extent as it
dismisses those claims against the other plaintiffs.
2
meaning of the CFAA.2 As will be explained, the court concludes that defendant has adequately
pled neither damages nor loss within the meaning of the CFAA. Dismissal of the counterclaim,
then, is warranted.
The CFAA is a federal statute that criminalizes certain activities in connection with
computers. See 18 U.S.C. § 1030. Despite the criminal nature of the CFAA, it does provide a
private civil cause of action under limited circumstances. See id. § 1030(g); TriTeq & Sec. LLC
v. Innovative Secured Solutions, LLC, 2012 WL 394229, at *5 (N.D. Ill. Feb. 1, 2012). Pursuant
to § 1030(g), a civil action may be brought only if the conduct “involves 1 of the factors set forth
in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).” 18 U.S.C. § 1030(g). In
other words, a plaintiff alleging a violation under § 1030(g) must allege the conduct involved
one of the following factors:
(I) loss to 1 or more persons during any 1–year period . . . aggregating at least
$5,000 in value; (II) the modification or impairment, or potential modification or
impairment, of the medical examination, diagnosis, treatment, or care of 1 or more
individuals; (III) physical injury to any person; (IV) a threat to public health or
safety; [or] (V) damage affecting a computer used by or for an entity of the United
States Government in furtherance of the administration of justice, national
defense, or national security.
Id. § 1030(c)(4)(A)(i)(I)-(V).
In his counterclaim, defendant states claims against plaintiffs under § 1030(g) for
violations of § 1030(a)(2), (a)(4) and (a)(5). Each of these subsections, with some variation,
2
Plaintiffs also contend that defendant cannot plausibly allege facts in support of the
“without authorization” or “exceeds authorization” element of his CFAA claim. Because
dismissal of the CFAA claim is clearly appropriate on other grounds, the court declines to
address this issue.
3
prohibits accessing a protected computer without authorization and obtaining information from
the computer. According to the counterclaim complaint, each of these asserted violations are
based on conduct (as required by § 1030(g)) involving a loss aggregating at least $5,000 in
value.3 For each of these asserted violations, then, defendant must allege a “loss” within the
meaning of the CFAA. In addition, subsection (a)(5) contains an express “damage” requirement
such that defendant must also adequately allege “damage” within the meaning of the statute for
purposes of his subsection (a)(5) claim. See TriTeq Lock, 2012 WL 394229, at *5. Thus, to state
a claim under § 1030(g) for violation of § 1030(a)(5) based upon § 1030(c)(4)(A)(i)(I), a
plaintiff must allege both “damage” and a “loss” aggregating at least $5,000 in value. Id.
The CFAA defines the term “damage” as “any impairment to the integrity or availability
of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). In construing this term,
courts have determined that “damage” refers to “the destruction, corruption, or deletion of
electronic files, the physical destruction of a hard drive, or any ‘diminution in the completeness
or usability of the data on a computer system.’” See TriTeq Lock, 2012 WL 394229 at *6 (citing
cases). Defendant conclusorily alleges in this counterclaim that he “has been damaged” but he
does not assert the nature of such damage. In his submissions on the motion, he claims that he
suffered damages because “data was erased.” No where in his submissions or his counterclaim
complaint does defendant identify the data that was allegedly erased. This allegation, then,
3
Although defendant’s counterclaim also references a “threat or invasion of the public
interest,” that circumstance is not one of the enumerated circumstances set forth in subsection
(c)(4)(A)(I). Thus, the only circumstance identified in the counterclaim that fits within the
enumerated circumstances of the statute is the asserted loss in excess of $5,000.
4
essentially parrots the statutory language and is insufficiently factual to frame plausibly the
damages element of defendant’s CFAA claim. See TriTeq Lock, 2012 WL 394229, at *6
(plaintiff did not sufficiently allege “damage” for purposes of CFAA claim where complaint
alleged only that defendant caused damage but failed to allege any facts “to give color to this
bare assertion of damage”); Ipreo Holdings LLC v. Thomson Reuters Corp., 2011 WL 855872,
at *7 (S.D.N.Y. Mar. 8, 2011) (the complaint must allege with some particularity “damage” as
defined by the CFAA); Fink v. Time Warner Cable, 2009 WL 2207920, at *4 (S.D.N.Y. July 23,
2009) (dismissing CFAA claim under Iqbal where plaintiff alleged only that defendant caused
damage by impairing the availability of data). For this reason, defendant cannot state a claim
for relief under subsection (a)(5).
Similarly, defendant has not adequately pled a qualifying “loss” for purposes of the
CFAA. Under the CFAA, “the term ‘loss’ means any reasonable cost to any victim, including
the cost of responding to an offense, conducting a damage assessment, and restoring the data,
program, system, or information to its condition prior to the offense, and any revenue lost, cost
incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C.
§ 1030(e)(11). The majority of courts have construed the term “loss” to include only two types
of injury–costs incurred (such as lost revenues) because the computer’s service was interrupted
and costs to investigate and respond to computer intrusion or damage. See TriTeq Lock, 2012
WL 394229, at *6-7 (collecting cases); Trademotion, LLC v. Marketcliq, Inc., ___ F. Supp. 2d
___, 2012 WL 682465, at *6 (M.D. Fla. Mar. 2, 2012).
In his counterclaim, defendant has not alleged that he suffered any “loss” under the
5
CFAA. While he alleges that unspecified losses “would exceed” $5,000 in value, he does not
allege that he actually incurred losses in that amount. He does not allege or identify any
investigative or response costs incurred as a result of the alleged CFAA violation and he does
not allege any lost revenues or other losses incurred due to any interruption in service. In his
submissions, he contends that qualifying losses under the statute include “for example” the
prorated salaries or wages of employees who spent time restoring a backup of deleted data or
recreating lost work, but he does not suggest that his employees performed these tasks or that
he incurred costs relating to such tasks. Because he has not alleged any loss under the statute,
defendant cannot maintain a CFAA claim for violations of any of the subsections identified in
his counterclaim complaint. This claim is dismissed in its entirety.
Breach of Contract
For his second counterclaim, defendant alleges that the parties participated in a
confidential mediation session and executed an agreement that any communications made in
connection with the mediation would be deemed confidential. According to defendant,
plaintiffs, after the mediation failed, violated the confidentiality agreement by providing
information obtained during the mediation process to the district attorney, who was at that time
investigating whether to pursue criminal charges against defendant relating to the subject of
plaintiffs’ lawsuit. Defendant alleges that the district attorney then contacted defendant’s
criminal attorney by telephone to discuss the pending investigation against defendant in light of
the information disclosed from the mediation. Defendant contends that plaintiffs breached the
6
confidentiality agreement and alleges damages “including but not limited to attorneys’ fees and
costs, and the potential that the matter under investigation by the Johnson County District
Attorney’s office would be formally commenced” against defendant.
Plaintiffs move to dismiss this claim on the grounds that the damages alleged by
defendant are speculative and contingent and, as such, are not recoverable under Kansas law.4
With respect to defendant’s claim of damages in the form of attorneys fees, plaintiffs assert that
defendant had retained a criminal lawyer prior to the mediation and that his counterclaim alleges
only one phone call in which his criminal lawyer participated as a result of the information
provided by plaintiffs to the district attorney. He alleges no other activity involving his criminal
lawyer resulting from any breach of the confidentiality agreement. With respect to the asserted
“potential” that formal charges would be filed against defendant, plaintiffs contend that such
4
Prior to their discussion of defendant’s asserted damages, plaintiffs “note” certain
situations in which a disclosure of information obtained at the mediation would not constitute
a violation of the parties’ confidentiality agreement. Plaintiffs’ first scenario concerns a
personal injury lawsuit concerning a car accident. Plaintiffs’ second scenario assumes that
defendant here, during the pre-suit mediation, threatened to contact law enforcement about
pursuing criminal charges against plaintiffs for “computer crimes” if plaintiffs proceeded
with a civil suit against him. According to plaintiffs, “if” defendant made such threats, then
plaintiffs’ counsel had a duty to contact the district attorney to discuss the merits of the
threatened criminal charges and could do so without violating the agreement.
The court cannot ascertain whether the example provided by plaintiffs is intended as
an actual or hypothetical example. Moreover, this argument–to the extent it is one–is not
addressed in any substantive way in plaintiffs’ reply brief. Finally, there are several
instances in plaintiffs’ motion in which the asserted basis for dismissal is clearly limited to
the damages aspect of defendants’ counterclaim. For these reasons, the court reads plaintiffs’
motion as seeking dismissal of the counterclaim solely on the basis of the speculative nature
of defendant’s damages.
7
damages are clearly speculative or contingent as no such charges have been filed to date.
In response, defendant first contends that plaintiffs’ argument “ignores other potential
claims arising from Plaintiffs’ conduct, including but not limited to negligent and intentional
interference with potential business relations.” Of course, it is not plaintiffs’ responsibility to
discern any and all potential claims that might arise from the allegations in Count II when
defendant has expressly limited that count to a counterclaim for breach of contract. If defendant
believes that these allegations form the basis for a counterclaim in addition to breach of contract,
it is incumbent upon him to allege that claim. He has not done so at this juncture and the court
takes the counterclaim at face value–as asserting only a counterclaim for breach of contract.
Turning back to defendant’s claim for damages incurred as a result of the alleged breach
of contract, plaintiffs have not directed the court to any authority for their assertion that
“pointing to one phone call is not enough” to state a non-speculative claim for damages. While
incurring fees for one phone call may not state a sizeable claim for damages, it is certainly a
plausible claim for damages stemming from the alleged breach. See J.R. Simplot v. Chevron
Pipeline Co., 563 F.3d 1102, 1116 (10th Cir. 2009) (measure of damages for breach of contract
may include attorneys’ fees incurred as a result of the breach); Shughart Thomson & Kilroy, P.C.
v. Max Rieke & Bros., Inc., 24 Kan. App. 2d 205, 206 (1997) (referencing judgment that
included attorney fees incurred as a result of breach of contract). Plaintiffs’ motion to dismiss
on this basis is denied.
With respect to defendant’s asserted damages in the form of an increased risk of criminal
prosecution, defendant does not respond at all to plaintiffs’ argument that such “damages” are
8
speculative in that criminal charges have not been filed against defendant. It appears, then, that
defendant concedes that this element of his claim for damages is appropriately dismissed. But
even aside from defendant’s concession, the court would dismiss without prejudice this aspect
of defendant’s claim for damages. The mere possibility that defendant may be at an increased
risk for criminal prosecution is speculative–it is entirely dependent on the potential future actions
of a third party. Defendant’s hypothetical speculation about the possibility of future injury is
insufficient to show the requisite actual harm stemming from the alleged breach of contract. See
State ex rel. Stovall v. Reliance Ins. Co., 278 Kan. 777, 789, 107 P.3d 1219 (2005) (“A party is
not entitled to recover damages ‘not the proximate result of the breach of contract and those
which are remote, contingent, and speculative in character.”’).
In so deciding, the court finds particularly persuasive the decisions of numerous courts
holding, in the context of data security breaches, that an allegation of an increased risk of
identity theft, without more, does not amount to actual damage. See Reilly v. Ceridian Corp.,
664 F.3d 38, 42-43 (3rd Cir. 2011) (affirming dismissal of claims for breach of contract and
negligence relating to increased risk of identity theft where allegations of hypothetical, future
injury were insufficient to plead actual injury); Pisciotta v. Old Nat’l Bancorp., 499 F.3d 629,
635-40 (7th Cir. 2007) (affirming grant of motion for judgment on the pleadings on negligence
claim; allegations of information exposure and risk of identity theft does not constitute
compensable injury); Brit Ins. Holdings N.V. v. Krantz, 2012 WL 28342, at *7-9 (N.D. Ohio Jan.
5, 2012) (granting 12(b)(6) motion on counterclaims for breach of contract and negligence where
defendants alleged increased risk of identity theft; hypothetical future harm insufficient to
9
demonstrate that defendants suffered actual harm as required for claims); Belle Chasse
Automotive Care, Inc. v. Advanced Auto Parts, Inc., 2009 WL 799760, at *2 (E.D. La. Mar. 24,
2009) (granting 12(b)(6) motion on negligence claim where plaintiff alleged only increased risk
of credit card fraud and identity theft, plus credit monitoring measures); Kahle v. Litton Loan
Servicing LP, 486 F. Supp. 2d 705, 712 (S.D. Ohio 2007) (plaintiff cannot recover when “no
unauthorized use of her personal information has occurred”); Key v. DSW, Inc., 454 F. Supp. 2d
684, 690 (S.D. Ohio 2006) (“[i]n the identity theft context, courts have embraced the general rule
that an alleged increase in risk of future injury is not an ‘actual or imminent’ injury”); Hendricks
v. DSW Shoe Warehouse, Inc., 444 F. Supp. 2d 775, 781-82 (W.D. Mich.2006) (plaintiff cannot
recover for “a potential future loss which has not actually occurred”); Forbes v. Wells Fargo
Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006) (plaintiff cannot recover for the
“perceived risk of future harm”).
For the foregoing reasons, the court dismisses that aspect of defendant’s claim for
damages relating to an increased risk of criminal prosecution. Without expressing any opinion
on the viability of an amendment, defendant may move to amend his counterclaim with respect
to his damages at some future date if criminal charges are initiated against him.
IT IS THEREFORE ORDERED BY THE COURT THAT plaintiffs’ motion to
dismiss defendant’s counterclaims (doc. 6) is granted in part and denied in part.
IT IS SO ORDERED.
10
Dated this 9th day of May, 2012, at Kansas City, Kansas.
s/ John W. Lungstrum
John W. Lungstrum
United States District Judge
11
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?