Schlumberger Technology Corp v McReynolds et al
Filing
21
MEMORANDUM RULING granting in part and denying in part 9 Motion for Partial Dismissal Pursuant to Rule 12(b)(6). The motion is granted insofar as it seeks a more definite statement under Rule 12(e) and denied insofar as it seeks to dismiss the Plaintiff's claims under the CFAA pursuant to Rule 12(b)(6). IT IS FURTHER ORDERED that the Plaintiff file an amended complaint in accordance with this opinion by Monday, 9/19/2016. Signed by Judge Elizabeth E Foote on 9/1/2016. (crt,Keifer, K)
UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF LOUISIANA
SHREVEPORT DIVISION
SCHLUMBERGER TECHNOLOGY CORP.
CIVIL ACTION NO. 15-2455
VERSUS
JUDGE ELIZABETH ERNY FOOTE
DONALD MCREYNOLDS ET AL.
MAGISTRATE JUDGE HORNSBY
MEMORANDUM RULING
Before the Court is a Motion for Partial Dismissal Pursuant to Rule 12(b)(6), filed by
Defendants Donald McReynolds (“McReynolds”) and ARKLATEX Wireline Service, LLC
(“ArkLaTex”). Record Document 9. The motion asks the Court to either dismiss the
Plaintiff’s Computer Fraud and Abuse Act (“CFAA”) claims pursuant to Federal Rule of Civil
Procedure 12(b)(6) or require the Plaintiff to amend its complaint with a more definite
statement pursuant to Rule 12(e). For the reasons announced below, the Court declines
to dismiss the Plaintiff’s CFAA claims but orders the Plaintiff to amend its complaint with
a more definite statement concerning its claims under CFAA.
I.
Allegations in the Complaint
Plaintiff Schlumberger Technology Corp. (“Schlumberger”) alleges that McReynolds,
while Schlumberger’s employee, extracted confidential and proprietary data from
Schlumberger computers for the benefit of Schlumberger’s rival and McReynold’s
subsequent employer, ArkLaTex.
Record Document 1.
Page 1 of 14
Based on this allegation,
Schlumberger asserts claims under the CFAA, the Louisiana Unfair Trade Practices Act
(“LUTPA”), and the common law duty of loyalty. Record Document 1.
According to the complaint, McReynolds was a Schlumberger employee working in
Louisiana when the events that gave rise to this suit allegedly took place. As its employee,
McReynolds allegedly owed Schlumberger “a fiduciary duty of loyalty to [Schlumberger]
not to disclose to third persons without [Schlumberger’s] prior written approval, on his own
account or an account of others, [Schlumberger’s] confidential and proprietary information
that [McReynolds] accessed during the course of his employment with [Schlumberger].”
Record Document 1, p. 3. Schlumberger alleges that while its headquarters are located
in Texas, it provides services around the globe, including Louisiana. Record Document 1,
p. 3.
The complaint alleges that at some point in the summer of 2015, McReynolds
decided he would resign from Schlumberger and work for ArkLaTex. Before resigning from
Schlumberger but after making the decision to change employers, McReynolds allegedly
“accessed [Schlumberger’s] company-issued computer and, without authorization and
exceeding his authorized access, downloaded and removed confidential and proprietary
electronic business records and/or information that was transferred to ArkLaTex and used
by ArkLaTex.”
Record Document 1, p. 3.
According to Schlumberger, McReynolds
extracted information about its products, customer pricing information, customer quotes,
and internal reports.
Record Document 1, p. 4.
Schlumberger further alleges that
ArkLaTex “knowingly participated in McReynolds’ violation of the Computer Fraud Abuse
Page 2 of 14
Act by either directly encouraging or ratifying his efforts to access and misappropriate
[Schlumberger’s] confidential and proprietary information for use by ArkLaTex in
competing against [Schlumberger].” Record Document 1, p. 5-6.
Due to the conduct alleged above, Schlumberger has, according to the complaint,
“incurred costs in excess of $5,000 . . . in responding to McReynolds’ conduct, investigating
McReynolds’ conduct, conducting a damage assessment into McReynolds’ conduct, and
restoring the data or information to the same condition as prior to the offense.” Record
Document 1, p. 5.
II.
Standards
To survive a challenge under Rule 12(b)(6), "a complaint must contain sufficient
factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'"
Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S.
544, 570 (2007)). Courts are required to accept the plaintiff's "well-pleaded" facts as true
and construe the complaint in a light favorable to that plaintiff. In re Great Lakes Dredge
& Dock Co., 624 F.3d 201, 210 (5th Cir. 2010) (citations omitted). Nonetheless, courts are
not required to accept the veracity of legal conclusions framed as factual allegations.
Iqbal, 556 U.S. at 678 (reasoning that under Rule 8, it is not sufficient to merely recite a
cause of action's elements with supporting conclusory statements). Overall, determining
when a complaint states a plausible claim is a context-specific task, requiring courts to rely
on judicial experience and common sense to assess when a complaint crosses the line from
conceivable to plausible. Id. at 678-80.
Page 3 of 14
A claim is facially plausible when a plaintiff pleads factual content that permits the
court to reasonably infer a defendant is liable for the alleged misconduct. Iqbal, 556 U.S.
at 678-79. This plausibility standard is not a probability requirement, "but it asks for more
than a sheer possibility that a defendant has acted unlawfully." Id. "Where a complaint
pleads facts that are ‘merely consistent with' a defendant's liability, it ‘stops short of the
line between possibility and plausibility of ‘entitlement to relief.'" Id. (quoting Twombly,
550 U.S. at 557). On the other hand, as long as it raises a plausible right of recovery and
puts the defendant on notice of the plaintiff’s claim and the grounds upon which it rests,
the complaint does not need to specify detailed factual allegations. See Twombly, 550 U.S.
at 555.
Under Rule 12(e), “[a] party may move for a more definite statement of a pleading
to which a responsive pleading is allowed but which is so vague or ambiguous that the
party cannot reasonably prepare a response.” Fed. R. Civ. P. 12(e). According to the Fifth
Circuit, “If a complaint is ambiguous or does not contain sufficient information to allow a
responsive pleading to be framed, the proper remedy is a motion for a more definite
statement under Rule 12(e) F.R.C.P.” In re McWilliams, 22 F.3d 1095 (5th Cir. 1994)
(quoting Sisk v. Tex. Parks and Wildlife Dep't, 644 F.2d 1056, 1059 (5th Cir. Unit A 1981)).
III.
Discussion
Although principally a criminal statute, the CFAA provides for civil liability where a
person, inter alia:
Page 4 of 14
knowingly and with intent to defraud, accesses a protected computer without
authorization, or exceeds authorized access, and by means of such conduct
furthers the intended fraud and obtains anything of value, unless the object
of the fraud and the thing obtained consists only of the use of the computer
and the value of such use is not more than $5,000 in any 1-year period.
18 U.S.C. § 1030(a)(4) (2012). To establish a civil claim under § 1030(a)(4), a plaintiff
must prove the following five elements: (1) the defendant has accessed a protected
computer; (2) the defendant has done so without authorization or by exceeding such
authorization as was granted; (3) the defendant has done so knowingly and with intent to
defraud; (4) in doing so the defendant has furthered the intended fraud and obtained
anything of value; and (5) the plaintiff has incurred “loss . . . during any 1-year period .
. . aggregating at least $5,000 in damages.” See id. § 1030(a)(4), (c)(4)(A)(i)(I), (g);
Associated Pump & Supply Co., LLC v. Dupre, No. CIV.A. 14-9, 2014 WL 1330196, at *5
(E.D. La. Apr. 3, 2014) (citing Bridal Expo, Inc. v. van Florestein, No. CIV.A.
4:08-CV-03777, 2009 WL 255862, at *8 (S.D. Tex. Feb. 3, 2009)). The Defendants argue
that because the allegations made in Schlumberger’s complaint are conclusory, it is not
plausible that Schlumberger could prevail on the first, second, or fifth element of its CFAA
claim against McReynolds. The Defendants also argue that even if the complaint states
a plausible claim against McReynolds, Schlumberger’s allegations concerning ArkLaTex are
too vague to state a plausible CFAA claim against ArkLaTex under a theory of vicarious
liability.
Page 5 of 14
A. CFAA Claim Against McReynolds
i. Whether the Computer that McReynolds Accessed Is Protected
The computer that McReynolds allegedly accessed to take proprietary data from
Schlumberger must be a “protected computer” as the CFAA defines that term. The CFAA
defines a protected computer as “a computer . . . which is used in or affecting interstate
or foreign commerce or communication.” 18 U.S.C. § 1030(e)(2)(B). “Pleading specific
facts that the defendant accessed a computer connected to the internet is sufficient to
establish that the accessed computer was ‘protected.’” Simmonds Equip., LLC v. GGR Int'l,
Inc., 126 F. Supp. 3d 855, 863 (S.D. Tex. 2015) (citing Merritt Hawkins & Associates v.
Gresham (Hawkins I), 948 F. Supp. 2d 671, 674 (N.D. Tex. 2013)). But even where a
complaint fails to allege that the computer at issue is connected to the Internet, a court
may reasonably infer that the computer was used in or affects interstate commerce from
other specific facts alleged in the complaint. See Quantlab Techs. Ltd. (BVI) v. Godlevsky,
719 F. Supp. 2d 766, 775-76 (S.D. Tex. 2010). Specifically, courts have found they can
reasonably infer a computer was used in interstate commerce where the complaint alleges
that the plaintiff uses its computers to engage in global financial markets, id., sell products
across state lines, Nordstrom Consulting, Inc. v. M & S Tech., Inc., No. 06 C 3234, 2008
WL 623660, at *12 (N.D. Ill. March 4, 2008), and communicate between offices across
state lines, Modis, Inc. v. Bardelli, 531 F. Supp. 2d 314, 318-19 (D. Conn. 2008). Although
Schlumberger has not alleged that the computer from which McReynolds allegedly
extracted proprietary information was connected to the Internet, it has alleged that it does
Page 6 of 14
business across the globe and that McReynolds worked in Louisiana even though
Schlumberger’s headquarters are in Texas.
These allegations create a reasonable
inference that at the very least, McReynolds used his computer to communicate with
offices in other states. Accordingly, the Court finds that Schlumberger has sufficiently
plead the first element of its CFAA claim against McReynolds. See id.
ii. Whether McReynolds’ Access Was without Authorization or Exceeded His
Authorization
The complaint must plausibly show that McReynolds was either without
authorization or exceeded his authorization when he allegedly downloaded proprietary data
from Schlumberger. Schlumberger argues that even though McReynolds was authorized
to access the data he allegedly extracted, he nevertheless exceeded his authorization
because he used that data in ways that violated his fiduciary duty to Schlumberger. The
Defendants counter that neither the CFAA nor caselaw interpreting the CFAA can
accommodate this expansive theory of exceeding authorization. Under § 1030(e)(6),
“exceeds authorized access” means “to access a computer with authorization and to use
such access to obtain or alter information in the computer that the accesser is not entitled
so to obtain or alter.”
18 U.S.C. § 1030(e)(6).
The CFAA does not further define
“authorized” or “authorization” as § 1030(e)(6) uses those terms. Since the Fifth Circuit’s
decision in United States v. John, 597 F.3d 263 (5th Cir. 2010), however, district courts in
the Fifth Circuit have held that “a user exceeds his authorization if he knows or reasonably
should know that he has exceeded the purposes for which he was granted access.” Merritt
Hawkins & Associates, LLC v. Gresham (Hawkins II), 79 F. Supp. 3d 625, 634 (N.D. Tex.
Page 7 of 14
2015) (citing John, 597 F.3d at 271-73). District courts have further held that a user
knows or should know that he exceeds the purposes for which he was granted access
when he is aware or should be aware that he is subject to a policy or agreement that
prohibits his disclosure of proprietary data without his employer’s consent and he
nonetheless divulges that proprietary data to others without consent. See Hawkins II, 79
F. Supp. 3d at 629, 634-35; Associated Pump, 2014 WL 1330196, at *1, *6 (“[T]he Fifth
Circuit may recognize a CFAA claim . . . where there is a broad confidentiality agreement
to delineate the parameters of authorized access.”); Beta Tech., Inc. v. Meyers, No. CIV.A.
H-13-1282, 2013 WL 5602930, at *1, *3 (S.D. Tex. Oct. 10, 2013) (“Like the defendant
in John, Meyers's authorization to use Plaintiff's computer system and the data contained
therein was circumscribed by company policy.”).
The Defendants argue that Schlumberger’s complaint fails to plead that McReynolds
exceeded his authorization because it does not allege that he was subject to any type of
nondisclosure policy or agreement. In response, Schlumberger argues that McReynolds’
fiduciary duty to Schlumberger was sufficient to put him on notice that he exceeded the
purposes for which he was granted access to his computer when he downloaded
proprietary information from that computer in order to share it with Schlumberger’s
competitor. While Schlumberger’s argument is appealing, the fact that the CFAA creates
both civil and criminal liability prevents the Court from expanding the definition of
exceeding authorization under the CFAA beyond the bounds set by its sister courts in the
Fifth Circuit. Where a court is interpreting a statute that gives rise to criminal liability, it
Page 8 of 14
must apply "the canon of strict construction of criminal statutes, or rule of lenity." United
States v. Lanier, 520 U.S. 259, 266 (1997). This limiting construction also comports with
John, in which the Fifth Circuit was careful to distinguish the facts before it, which involved
access to a computer for the purpose of perpetuating a criminal fraud, from the facts
before the Ninth Circuit in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009),
which involved access to a computer for the purpose of breaching a common law duty of
loyalty. 597 F.3d at 272-73. In Brekka, the Ninth Circuit held that a user does not exceed
his authorization under the CFAA when he is authorized to access a computer but uses that
computer for purposes that breach his duty of loyalty to his employer. 581 F.3d at 113435. The Ninth Circuit reasoned that its narrow construction of the statute was justified
because “ambiguity concerning the ambit of criminal statues should be resolved in favor
of lenity.” Id. at 1134. Faced with this holding, the Fifth Circuit in John concluded that
there were “no such concerns in the present case” because a user has reason to know that
he is not authorized to access data in furtherance of a crime. 597 F.3d at 273. Brekka and
the Fifth Circuit’s reading of Brekka in John caution this Court against deciding that users
know or should know that they exceed their authorization when they use a computer in
ways that breach their duty of loyalty to their employer. The Court therefore declines to
hold that a user exceeds his authorization under the CFAA when he uses a computer in
breach of his fiduciary duty to his employer.
The question remaining is whether the Court may reasonably infer from the
allegation that McReynolds owed Schlumberger a fiduciary duty that there was a policy or
Page 9 of 14
agreement preventing McReynolds from sharing proprietary data with third parties without
Schlumberger’s consent. This allegation is by itself an insufficient basis for the Court to
reasonably infer that there was such a policy or agreement. However, the remedy for this
defect in Schlumberger’s complaint is not dismissal under Rule 12(b)(6) but, as the
Defendants ask, a more definite statement pursuant to Rule 12(e). The Court therefore
orders Schlumberger to amend its complaint to provide more specificity on how
McReynolds exceeded his authorization when he extracted data from Schlumberger,
including whether McReynolds breached a nondisclosure agreement or policy to which he
was subject during his employment with Schlumberger.
iii. Whether Schlumberger Suffered at Least $5,000 in Loss that is
Cognizable under the CFAA
The complaint must allege "loss . . . during any 1-year period . . . aggregating at
least $5,000 in damages.” See 18 U.S.C. § 1030 (c)(4)(A)(i)(I), (g). The statute defines
loss as: “any reasonable cost to any victim, including the cost of responding to an offense,
conducting a damage assessment, and restoring the data, program, system, or information
to its condition prior to the offense, and any revenue lost, cost incurred, or other
consequential damages incurred because of interruption of service.” Id. § 1030(e)(11).
The Court finds that Schlumberger’s complaint has pled loss. Schlumberger alleges that
it has “incurred costs in excess of $5,000 . . . in responding to McReynolds’ conduct,
investigating McReynolds’ conduct, conducting a damage assessment into McReynolds’
conduct, and restoring the data or information to the same condition as prior to the
offense.” Record Document 1, p. 5. While it is true that these allegations match the
Page 10 of 14
definition of loss found in the CFAA, that is because the definition of loss under the CFAA
is more detailed and fact-intensive than definitions discussed elsewhere in this opinion, not
(necessarily) because Schlumberger has made conclusory allegations. Other courts have
sustained similarly generic allegations of loss. See Beta Tech., 2013 WL 5602930, at *4
(holding that plaintiff pled loss under the CFAA when it alleged that it “incurred, and
continues to incur, significant expenses in assessing and recovering the data deleted from
the computer”). Schlumberger has therefore sufficiently pled loss under the CFAA.
The Defendants also argue that Schlumberger has failed to sufficiently allege that
it has suffered “damage” under the CFAA. The CFAA creates a private right of action for
any person who, inter alia, “suffers damage or loss by reason of a violation of this section.”
18 U.S.C. § 1030(g). Because of the inclusion of “or” in this precondition for a private suit,
Schlumberger need not show damages if it has instead demonstrated loss. Therefore,
because Schlumberger has pled loss, it does not need to plead damages under the CFAA.
B. CFAA Claim Against ArkLaTex
The Defendants argue that Schlumberger’s allegations against ArkLaTex are too
conclusory to plead a claim of vicarious liability under the CFAA. Although the question of
whether the CFAA permits vicarious liability is unsettled, even those courts adopting a
more expansive interpretation of CFAA liability require the plaintiff to allege that the
vicariously liable party has encouraged, directed, or otherwise affirmatively acted in
support of the party directly violating the statute.1 See Butera & Andrews v. Int'l Bus.
1
The Court assumes without deciding that the CFAA permits vicarious liability.
The Fifth Circuit has provided no guidance on whether a party can be vicariously liable
Page 11 of 14
Machines Corp., 456 F. Supp. 2d 104, 112 n.6 (D.D.C. 2006).
For instance, in Charles
Schwab & Co. v. Carter, a district court held that where a plaintiff alleges that a defendant
directed the plaintiff’s employee to email proprietary information to that defendant, the
plaintiff pleads a viable claim of vicarious liability under the CFAA because the defendant
“affirmatively urged” the employee “to access [the plaintiff's] computer system beyond his
authorization for [the defendant’s] benefit.” No. 04 C 7071, 2005 WL 2369815, at *3, *7
(N.D. Ill. Sept. 27, 2005). For its part, Schlumberger alleges that ArkLaTex is vicariously
liable for McReynolds’ acts because it "knowingly participated in McReynolds' violation of
the Computer Fraud Abuse Act by either directly encouraging or ratifying his efforts to
access and misappropriate [Schlumberger's] confidential and proprietary information for
use by ArkLaTex in competing against [Schlumberger]." Record Document 1, p. 5-6.
under the CFAA. Some district courts have held that because the CFAA’s private right
of action is analogous to a tort action, Congress “legislated against a legal background
of ordinary tort-related vicarious liability rules and consequently intends its legislation to
incorporate those rules.” QVC, Inc. v. Resultly, LLC, Civil Action No. 14-6714, 2016 WL
521197, at *8 (E.D. Pa. Feb. 10, 2016) (quoting Meyer v. Holley, 537 U.S. 280, 285
(2003)); see also Charles Schwab & Co. v. Carter, No. 04 C 7071, 2005 WL 2369815, at
*5-7 (N.D. Ill. Sept. 27, 2005) (holding that the CFAA allows for vicarious liability
because it is analogous to a tort action and because “imposing vicarious liability would
further the CFAA's purpose.”). Other district courts, noting that the CFAA is principally
a criminal statute and creates a private right of action only “against the violator,” have
held that the CFAA does not permit any form of vicarious liability. Doe v.
Dartmouth-Hitchcock Med. Ctr., No. CIV. 00-100-M, 2001 WL 873063, at *5 (D.N.H.
July 19, 2001). The Defendants, however, have not put this issue before the Court.
The only basis that the Defendants assert for dismissing Schlumberger’s claim against
ArkLaTex is that the complaint “provides no substantive factual allegations” and is
therefore too conclusory to survive Twombly. The Defendants have not argued that the
CFAA, as a matter of law, does not permit vicarious liability. Thus, the Court assumes,
without deciding, thatthe CFAA permits vicarious liability in order to address the
Defendants’ arguments that Schlumberger has not plead sufficient facts to state such a
claim.
Page 12 of 14
The Defendants argue that Schwab is distinguishable from Schlumberger’s complaint
because unlike the complaint in Schwab, Schlumberger’s complaint provides no facts to
explain how ArkLaTex directed McReynolds to extract proprietary information from
Schlumberger, how ArkLaTex received that information, or even the name of a single
person at ArkLaTex who communicated with McReynolds in furtherance of his alleged CFAA
violation. The Court agrees. Schlumberger does not provide a single specific fact from
which the Court could reasonably infer that ArkLaTex affirmatively encouraged McReynolds
to extract proprietary information from Schlumberger. The best basis that Schlumberger
provides in its complaint for the allegation that ArkLaTex either directly encouraged or
ratified McReynolds’ conduct is that McReynolds became ArkLaTex’s employee shortly
after he ended his employment with Schlumberger. This is insufficient to create a plausible
claim that ArkLaTex affirmatively urged McReynolds to extract proprietary data from
Schlumberger. But again the remedy for this defect is not dismissal under Rule 12(b)(6)
but a more definite statement pursuant to Rule 12(e).
The Court therefore orders
Schlumberger to amend its complaint to provide more specificity on how ArkLaTex
affirmatively encouraged McReynolds to extract proprietary data from Schlumberger.
Page 13 of 14
IV.
Conclusion
For the foregoing reasons,
IT IS ORDERED that the Motion for Partial Dismissal, filed by the Defendants,
Record Document 9, is GRANTED IN PART and DENIED IN PART. The motion is
granted insofar as it seeks a more definite statement under Rule 12(e) and denied insofar
as it seeks to dismiss the Plaintiff's claims under the CFAA pursuant to Rule 12(b)(6).
IT IS FURTHER ORDERED that the Plaintiff file ·an amended complaint in
accordance with this opinion by Monday, September 19, 2016. Pursuant to Rule 12(e),
failure of the Plaintiff to file an amended complaint by the deadline above will result inthe
Court sua sponte-dismissing the Plaintiff's CFAA claims with prejudice under Rule 12(b)(6).
-THUS.DONE AND SIGNED in Shreveport, Louisiana, on this 1st day of September,
2016.
Page 14 of 14
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?