Conlan Abu et al v. Dickson et al
Filing
64
OPINION AND ORDER DENYING PLAINTIFFS' 48 MOTION FOR SUMMARY JUDGMENT AND GRANTING DEFENDANTS' 55 MOTION FOR SUMMARY JUDGMENT Signed by District Judge Linda V. Parker. (AFla)
<![CDATA[
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3310 Filed 05/25/23 Page 1 of 28
UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF MICHIGAN
SOUTHERN DIVISION
CONLAN ABU and
RYAN MOORE,
Plaintiffs,
v.
Civil Case No. 20-10747
Honorable Linda V. Parker
STANLEY B. DICKSON and
DICKSON & ASSOCIATES, PC,
Defendants.
______________________________/
OPINION AND ORDER DENYING PLAINTIFFS’ MOTION FOR
SUMMARY JUDGMENT (ECF NO. 48) AND GRANTING DEFENDANTS’
MOTION FOR SUMMARY JUDGMENT (ECF NO. 55)
This case arises from the retrieval of Plaintiff Ryan Moore’s email
communications by non-party John Massey at the direction of Defendant Stanley
B. Dickson. The retrieval occurred during state court litigation concerning an
agreement by which Plaintiff Conlan Abu purchased certain restaurant assets from
The Epicurean Group. Plaintiff Ryan Moore is a 50% owner of Conlan Abu.
Dickson owned The Epicurean Group, and he is majority owner of Defendant
Dickson & Associates, P.C.
After discovering that the emails had been accessed by Defendants,
Plaintiffs initiated this action alleging violations of federal law. Following
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3311 Filed 05/25/23 Page 2 of 28
previous dispositive motion rulings, what remains are Plaintiffs’ claims alleging
violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, and
the Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701-2713.
The matter is presently before the Court on the parties’ cross-motions for
summary judgment, filed pursuant to Federal Rule of Civil Procedure 56. (ECF
Nos. 48, 55.) The motions have been fully briefed. Finding the facts and legal
arguments adequately presented in the parties’ briefs, the Court is dispensing with
oral argument pursuant to Eastern District of Michigan Local Rule 7.1(f).
I.
Summary Judgment Standard
Summary judgment pursuant to Rule 56 is appropriate “if the movant shows
that there is no genuine dispute as to any material fact and the movant is entitled to
judgment as a matter of law.” Fed. R. Civ. P. 56(a). The central inquiry is
“whether the evidence presents a sufficient disagreement to require submission to a
jury or whether it is so one-sided that one party must prevail as a matter of law.”
Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 251-52 (1986). After adequate time
for discovery and upon motion, Rule 56 mandates summary judgment against a
party who fails to establish the existence of an element essential to that party’s case
and on which that party bears the burden of proof at trial. Celotex Corp. v. Catrett,
477 U.S. 317, 322 (1986).
2
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3312 Filed 05/25/23 Page 3 of 28
The movant has the initial burden of showing “the absence of a genuine
issue of material fact.” Id. at 323. Once the movant meets this burden, the
“nonmoving party must come forward with specific facts showing that there is a
genuine issue for trial.” Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475
U.S. 574, 587 (1986) (internal quotation marks and citation omitted). To
demonstrate a genuine issue, the nonmoving party must present sufficient evidence
upon which a jury could reasonably find for that party; a “scintilla of evidence” is
insufficient. See Liberty Lobby, 477 U.S. at 252. The court must accept as true the
non-movant’s evidence and draw “all justifiable inferences” in the non-movant’s
favor. See Liberty Lobby, 477 U.S. at 255.
II.
Factual Background
On January 1, 2019, Conlan Abu and The Epicurean Group closed on an
Asset Purchase Agreement (“APA”) pursuant to which The Epicurean Group sold
certain restaurant assets to Conlan Abu. (See ECF No. 48-2.) According to the
APA, on the closing date, The Epicurean Group was to inter alia “sell, assign,
convey, transfer, set over, and deliver (by appropriate instrument of transfer)” to
Conlan Abu “all of the assets, rights, and interests of every conceivable kind or
character whatsoever, whether tangible or intangible, that . . . are owned by Seller
or in which Seller has an interest of any kind in relation to the business.” (Id. at Pg
ID 1481, ¶ 1.1.) The assets included “computer programs, software programs,
3
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3313 Filed 05/25/23 Page 4 of 28
software and technical libraries . . . license agreements, and all other intellectual
and/or proprietary information and property and applications for or licenses of used
in connection with the Business, including Internet address(es) for the
Business . . ..” (Id. ¶ 1.1(B).) Also included were “[a]ll contracts and service
agreements.” (Id. ¶ 1.1(F).) The APA defines the “Business” as “certain
restaurant businesses and the assets used in connection with such businesses under
various entities and names as listed in Exhibit A . . ..” (Id. at Pg ID 1873.) “The
Epicurean Group” is included. (Id. at Pg ID 1893, Ex. A.)
After the closing date, The Epicurean Group breached the APA and Conlan
Abu, Moore, and Moore’s father sued Dickson, The Epicurean Group, and related
entities in the Circuit Court for Oakland County, Michigan (“state court
litigation”). 1 (See ECF Nos. 55-2, 48-8.) Sometime after the closing date but
before the state court litigation, Plaintiffs began operating The Epicurean Group
and utilized e-mail accounts with the “theepicureangroup.com” domain (hereafter
“the Domain”), such as Moore’s address: rmoore@theepicureangroup.com. The
accounts were hosted by Microsoft 365.
Dickson & Associates first purchased the Domain through GoDaddy.com on
March 27, 2017. (ECF No. 55-3.) Dickson & Associates paid the two-year
In the state court litigation, a jury found in favor of the plaintiffs (Conlan Abu,
Moore, and Moore’s father) on their breach of contract claim against Dickson, and
awarded damages of $1,100,600.00. (See ECF No. 48-8.)
1
4
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3314 Filed 05/25/23 Page 5 of 28
renewal fees for the Domain, including in March 2018 and 2020. (ECF No. 55-5.)
After obtaining the Domain, Dickson & Associates, through its affiliated internet
technology (“IT”) company Propel Technologies (“Propel”), purchased Microsoft
Office 365 licenses for business products (e.g., Outlook, Word, Excel) to be used
by its employees. (ECF No. 55-6.) Massey, the IT administrator for the entities
owned by Dickson, administered the Microsoft Office 365 accounts through
Propel’s “tenant account,” which is the master account of an organization that
houses the users in a company and the information about them (e.g., passwords,
user profile data, and permissions). (ECF No. 9-4 at Pg ID 193, ¶¶ 1, 3.)
Defendants registered the tenant account under the name “Trowbridge House”
(hereafter “Trowbridge Tenant”). (See ECF No. 55-8.)
After the APA’s closing date, former employees of The Epicurean Group
continued to use their @theepicureangroup.com Microsoft Office 365 accounts.
Moore requested that Dickson & Associates create accounts for himself and
employees brought in following the purchase. (ECF Nos. 55-9, 55-10, 55-11.)
Dickson & Associates—more specifically its IT Administrator Massey—continued
to act as the administrator for the accounts throughout Plaintiffs’ operation of The
Epicurean Group, until Massey deactivated the accounts belonging to members of
The Epicurean Group on September 1, 2019. (ECF No. 9-4 at Pg ID 193, ¶ 6; ECF
no. 55-12 at Pg ID 2669; ECF No. 55-16.) Massey assisted Moore on multiple
5
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3315 Filed 05/25/23 Page 6 of 28
occasions with the accounts, including cancelling accounts for terminated
employees, creating accounts for new hires, and resetting passwords. (ECF No. 94 at Pg ID 193, ¶ 7.)
In late August 2019, during the state court litigation, Dickson instructed
Massey to retrieve emails between Moore’s @theepicureangroup.com address and
various other individuals. (ECF No. 9-4 at Pg ID 194, ¶ 9.) Massey’s search also
collected emails from Moore’s personal email addresses. (ECF No. 48-3 at Pg ID
1526-29; ECF No. 48-12; ECF No. 48-13.) Massey accessed the emails through
the Trowbridge Tenant, using his credentials as the administrator for the accounts.
(See ECF No. 9-4 at Pg ID 194, ¶¶ 10-13; ECF No. 55-7 at Pg 2620-22; ECF No.
48-3 at Pg ID 1517-24.) The defendants in the state court action produced some of
these emails in response to the plaintiffs’ discovery requests. On March 6, 2022,
the plaintiffs deposed Massey in the state court litigation to uncover details
concerning his access to the emails. (See ECF No. 27-5.)
Plaintiffs claim that they incurred $8,855.50 in “investigation costs” related
to this “intrusion.” (ECF No. 48-15.) The costs reflect time spent by the attorneys
representing the plaintiffs in the state court litigation (i.e., the same attorneys
representing Plaintiffs here) from February 7 to March 8, 2020—shortly before the
present lawsuit was filed. (Id.) The description of this time includes: 2.3 hours
“investigat[ing] hacking of email accounts”; multiple hours “investigat[ing]
6
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3316 Filed 05/25/23 Page 7 of 28
potential computer fraud” and “computer claims”; 3.5 hours “[prepar[ing] for
Massey deposition re computer fraud investigation”; and another 3.5 hours to
“travel and attend Massey deposition[.]” (Id.)
III.
Applicable Law & Analysis
A.
CFAA
Congress enacted the CFAA to deter computer crimes. A.V. ex rel
Vanderhye v. iParadigms, LLC, 562 F.3d 630, 645 (4th Cir. 2009) (explaining that
the statute is “primarily a criminal statute designed to combat hacking”); Estes v.
Forwarding Worldwide LLC v. Cuellar, 239 F. Supp. 3d 918, 922 (E.D. Va. 2019).
However, the statute also provides a civil right of action for “[a]ny person who
suffers damage or loss by reason of a violation of [the statute]” provided “the
conduct involves 1 of the factors set forth in [18 U.S.C. § 1030(c)(4)(A)(i)(I), (II),
(III), (IV), or (V)].” 18 U.S.C. § 1030(g). The CFAA prohibits seven types of
conduct with respect to unauthorized access of computers. Id. § 1030(a)(1)-(7).
Plaintiffs allege that Defendants violated the statute by “intentionally access[ing] a
computer without authorization or exceed[ing] authorized access . . . thereby
obtain[ing] . . . information from any protected computer.” Id. § 1030(a)(2)(C).
To prevail on this claim, Plaintiffs must show that Defendants “accessed a
‘protected computer’ either ‘without authorization’ or in a manner that ‘exceeds
authorized access.’” Am. Furukawa, Inc. v. Hossain, 103 F. Supp. 3d 864, 870
7
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3317 Filed 05/25/23 Page 8 of 28
(E.D. Mich. 2015) (quoting 18 U.S.C. § 1030) (internal footnotes omitted).
Plaintiffs also must show that they suffered “damage” or “loss” as a result of the
violation. Id. The parties address the various elements in their summary judgment
filings, disputing whether the facts support or do not support them. The Court
finds it necessary to address only the damage or loss element.
1.
Loss 2
As indicated, a civil action for a violation of the CFAA may be brought only
if the conduct involves at least one of several factors. 18 U.S.C. § 1030(g). The
only factor possible here is a violation causing “loss to 1 or more persons during
any 1-year period . . . aggregating at least $5,000 in value[.] 3 Id.
§ 1030(c)(4)(A)(i)(I).
The CFAA allows for a civil action by a person who “suffers damage or loss by
reason of a violation[.]” 18 U.S.C. § 1030(g). “Damages” is defined as “any
impairment to the integrity or availability of data, a program, a system, or
information.” 18 U.S.C. § 1030(e)(8). The facts here do not show any damage
incurred by Plaintiffs.
2
3
The remaining factors are violations that cause:
(II) the modification or impairment, or potential modification or
impairment, of the medical examination, diagnosis, treatment, or
care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
8
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3318 Filed 05/25/23 Page 9 of 28
The CFAA defines “loss” as “any reasonable cost to any victim, including
the cost of responding to an offense, conducting a damage assessment, and
restoring the data, program, system, or information to its condition prior to the
offense, and any revenue lost, cost incurred, or other consequential damages
incurred because of interruption of service[.]” Id. § 1030(e)(11). The definition is
read in the disjunctive such that the costs in the first clause do not need to be
related to the “interruption of service” referred to in the second clause. Yoder &
Frey Auctioneers, Inc. v. EquipmentFacts, LLC, 774 F.3d 1065, 1073-74 (6th Cir.
2014) (citing Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App’x 559, 563 (2d Cir.
2006)). Lost revenue and other consequential damages, however, cannot be
claimed without an interruption in service. Id. (citing Nexans Wires, 166 F. App’x
at 563).
Nevertheless, not every expense is considered a “reasonable cost to the
victim” for purposes of the first clause. See Bd. of Trs. of Pierce Twp., Ohio v.
Hartman, No. 1:08-cv-037, 2009 WL 10679053, at *2 (S.D. Ohio Mar. 17, 2009)
(quoting Resdev, LLC v. Lot Builders Ass’n, No. 6:04-cv-1374, 2005 WL 1924743,
at *4 (M.D. Fla. Aug. 10, 2005)) (“[T]he CFAA plainly enumerates a narrow
(V) damage affecting a computer used by or for an entity of the
United States Government in furtherance of the administration of
justice, national defense, or national security[.]
18 U.S.C. § 1030(c)(4)(A)(i).
9
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3319 Filed 05/25/23 Page 10 of 28
grouping of ‘loss’ distinct from—and thus excluding—the far greater range of
losses that could flow from a violation of the CFAA.”). Instead, courts hold that
the first clause covers “only . . . the remedial expenses borne by victims.” Id.
(citing Am. Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 722 (N.D. Ohio
2008) (citing In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 521
(S.D.N.Y. 2001))). The expenses must be related to investigating or remedying
damage to a computer or computer system. ReMedPar, Inc. v AllParts Med., LLC,
683 F. Supp. 2d 605, 614-15 (M.D. Tenn. 2010) (citing cases); Am. Family Mut.
Ins., 554 F. Supp. 2d at 772 (quoting L-3 Commc’ns Westwood Corp. v.
Robicharux, No. 06-0279, 2007 WL 756528, at *3 (E.D. La. Mar. 8, 2007))
(explaining that “[l]osses are ‘compensable when they result from damage to a
computer system or the inoperability of the accessed system’”). Stated differently,
the costs must be “related to analyzing or restoring the system to its previous
condition.” ReMedPar, 683 F. Supp. 2d at 614 (holding that loss under the CFAA
does not include the damage to the plaintiff’s business due to trade-secret
information being accessed or the costs to investigate the defendants’ conduct,
seeking redress for those acts, or locating and retaining replacement employees).
This means that they are “necessary to assess the damage caused [to a computer]
and to restore the plaintiff’s computer system.” Hartman, 2009 WL 10679053, at
*2 (citing Tyco Int’l (US) Inc. v. Does, No. 01 CIV 3856, 2003 WL 23374767, at
10
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3320 Filed 05/25/23 Page 11 of 28
*3 (S.D.N.Y. Aug. 29, 2003)); Tyco Int’l, 2003 WL 23374767, at *3 (holding that
investigator’s fees are not compensable under the CFAA when they were not
“necessary to assess the damage caused to the plaintiff’s computer system or to
rescue the system in the wake of a spamming attack”).
Expenses incurred investigating the identity of a computer hacker therefore
are not losses recoverable under the CFAA when used to determine from whom
relief should be sought, as compared to remedying or discovering the extent of the
harm to the computer or computer system. Compare Tyco, 2003 WL 23374767, at
*1, 3 (holding that the costs of investigation to identify the spammer in order to sue
that individual are not losses recoverable under the statute) with SuccessFactors,
Inc. v. Softscape, Inc., 544 F. Supp. 2d 975, 980-81 (N.D. Cal. 2008) (expenses
incurred to discover who obtained protected information and what information was
obtained found recoverable as they were “essential to remedying or discovering the
extent of the harm”); see also Turner W. Branch, P.A. v. Osborn, No. 13-00110,
2014 WL 12593991, at *17-18 (D.N.M. Mar. 26, 2014) (concluding that the
plaintiff’s alleged expenses did not qualify as a “loss” under the CFAA because
they arose “from attorneys investigating Plaintiff’s CFAA claims and prosecuting
th[e] case and not from damage to the computer, remedying damage to the
computer, incurring other remedial costs of investigating the computer for damage,
or incurring lost revenue because the computer cannot function while or until
11
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3321 Filed 05/25/23 Page 12 of 28
repairs are made”); Millennium TGA, Inc. v. Leon, No. 12-cv-01360, 2013 WL
5719079, at *18 (E.D.N.Y. Oct. 18, 2013) (expenses paid to investigator to locate
and collect information about the hacker as opposed to discovering and repairing
any damage are not recoverable under the CFAA). Litigation costs are generally
not compensable “because they are not related to investigating or remedying
damage to the computer.” Brooks v. AM Resorts, LLC, 954 F. Supp. 2d 331, 338
(E.D. Pa. 2013) (citing Healthcare Advocs., Inc. v. Harding, Earley, Follmer &
Frailey, 497 F. Supp. 2d 627, 647-48 (E.D. Pa. 2007); Wilson v. Moreau, 440 F.
Supp. 2d 81, 110 (D.R.I. 2006)); see also Hartman, 2009 WL 10679053, at *2; cf.
Integrity Applied Science, Inc. v. Clearpoint Chems. LLC, No. 1:18-cv-02235,
2020 WL 12584444, at *2 (D. Colo. Apr. 20, 2022) (finding the cost of securing an
injunction recoverable because the injunction was necessary to stop the offender
from accessing the plaintiff’s computer systems). Thus in Brooks, the court held
that “costs associated with hiring courts reporters and videographers and obtaining
deposition transcripts” and the “fees paid to an expert to assist in litigation do not
fall with the CFAA’s definition of ‘loss.’” 954 F. Supp. 2d at 338 (citations
omitted). Expenses to secure expert testimony or discovery in anticipation of a
CFAA lawsuit also are not recoverable. Calendar Rsch. LLC v. StubHub, Inc., No.
2:17-cv-04062, 2020 WL 4390391, at *26 (C.D. Cal. May 13, 2020) (citations
omitted). In Wilson, the district court found that the costs of litigation could not be
12
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3322 Filed 05/25/23 Page 13 of 28
counted towards the $5,000 statutory threshold where the plaintiffs had “suffered
no economic harm,” “their ability to conduct their business was not . . . impaired,”
and “[n]o remedial measures were required to repair their computer capabilities.”
440 F. Supp. 2d at 110; see also Above & Beyond – Bus. Tools & Servs. for
Entrepreneurs, Inc. v. Wilson, No. 21-7339, 2022 WL 1774276, at *7 (D.N.J. Sept.
1, 2022) (finding attorney’s fees and costs of damage assessment through a
consultant insufficient to meet $5,000 threshold where the plaintiff alleged no
impairment or damage to its computer or computer system to which those expenses
were related).
The expenses Plaintiffs claim here (see ECF No. 48-15 at Pg ID 1747) do
not count towards the CFAA’s loss threshold. Plaintiffs do not identify costs
associated with assessing or remedying damage to a computer or computer system
arising from Defendants’ acquisition of the subject emails. Nor do Plaintiffs allege
an impairment to their business or computer capabilities as a result of the alleged
CFAA violation. They fail to show that the identified “investigation costs” were
expended to assess and remedy any damage as opposed to litigating their claims
against Defendants. For these reasons, this case is distinguishable from the two
Plaintiffs rely upon to support their claimed loss: Facebook, Inc. v. Power
Ventures, Inc., 252 F. Supp. 3d 765 (N.D. Cal. 2017); NCMIC Finance
Corporation v. Artino, 638 F. Supp. 2d 1042 (S.D. Iowa 2009).
13
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3323 Filed 05/25/23 Page 14 of 28
In Facebook, expenses were incurred “for technical measures to block [the
defendant] from accessing Facebook servers and expenses for negotiating with [the
defendant] to voluntarily stop its activities and destroy the data.” 252 F. Supp. 3d
at 778. The case is therefore similar to SuccessFactors and Integrity Applied
Science cited earlier, where costs were expended to stop the offender’s continued
violations. None of the expenses claimed by Plaintiffs here were incurred for such
a purpose. Massey’s search which accessed Plaintiffs’ emails was complete by the
time Plaintiffs’ “investigation costs” were expended.
In NCMIC Finance, the defendant obtained the plaintiff’s customer
spreadsheet which included social security numbers and credit information. 638 F.
Supp. 2d at 1064. The plaintiff incurred investigative costs to assess the extent to
which the defendant disclosed the social security numbers and credit information
to third parties. Id. The plaintiff also incurred expenses for legal research and
assistance to determine whether it had an obligation under federal or state law to
report the disclosure of this information or notify the victims. Id. at 1065. Finally,
the plaintiff had to purchase identify-theft-prevention services for those individuals
whose social security information the defendant obtained. Id. at 1064. These
costs, unlike any claimed here, were vital to assessing the extent of the harm
caused by the defendant’s conduct and remedying that harm.
14
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3324 Filed 05/25/23 Page 15 of 28
Plaintiffs do not allege any harm arising from Defendants’ asserted violation
of the CFAA other than the violation itself. They did not incur expenses to
respond directly to Defendants’ conduct (e.g., to assess and remedy any damage
incurred). Instead, they incurred fees “toward building a civil case against
[Defendants.]” See United States v. Nosal, No. CR-08-0237, 2014 WL 121519, at
6 (N.D. Cal. Jan. 13, 2014) (finding that costs incurred “[d]etermining who
breached the system security and the manner and extent of the intrusion” are
remedial steps considered “loss” for purposes of the CFAA but “[c]osts incurred
for the purpose of building or supporting the victim’s civil case” are not).
As Plaintiffs fail to satisfy the CFAA’s $5,000 threshold requirement where
they have the burden of doing so, Defendants are entitled to summary judgment in
their favor with respect to this claim.
B.
SCA
Like the CFAA, the SCA is a federal criminal statute, 18 U.S.C. § 2701(a),
which also provides a private right of action to any “person aggrieved by any
violation of the Act . . . in which the conduct constituting the violation is engaged
in with a knowing or intentional state of mind[,]” id. § 2707(a). The SCA imposes
liability upon a person who:
(1) intentionally accesses without authorization a facility through
which an electronic communication service is provided; or
15
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3325 Filed 05/25/23 Page 16 of 28
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire
or electronic communication while it is in electronic storage[.]
Id. This provision does not apply to inter alia “the person or entity providing a
wire or electronic communications service[.]” Id. § 2701(c).
In a civil action, the SCA allows for the following relief:
(1) such preliminary and other equitable or declaratory relief as
may be appropriate;
(2) damages under subsection (c); and
(3) a reasonable attorney’s fee and other litigation costs reasonably
incurred.
Id. § 2707(b). With respect to “damages,” the statute provides, in relevant part:
“The court may assess as damages in a civil action under this section the sum of
the actual damages suffered by the plaintiff and any profits made by the violator as
a result of the violation, but in no case shall a person entitled to recover receive
less than the sum of $1,000.” Id. § 2707(c).
As with the CFAA, the parties assert several arguments in their papers for
why they are entitled to summary judgment with respect to Plaintiffs’ claim under
the SCA. The Court begins again with damages. However, unlike Plaintiffs’
CFAA claim, the lack of damages does not doom this claim.
16
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3326 Filed 05/25/23 Page 17 of 28
1.
Damages
“Damages,” for purposes of the SCA, do not include “attorney’s fee[s] and
other litigation costs” as Congress put these forms of relief in separate categories.
Puerto Rico Tel. Co. v. Ayala Rivera, No. 15-1837, 2018 WL 1705301, at *2
(D.P.R. Mar. 29, 2018) (holding that the plaintiff’s attorneys’ fees and litigation
costs are separate from actual damages for purposes of the SCA); see also City of
Sandusky, Ohio v. Coregis Ins. Co., 192 F. App’x 355, 359 (6th Cir. 2006)
(quoting Sullivan Cnty., Tenn. v. Home Indem. Co., 925 F.2d 152, 153 (6th Cir.
1991)) (finding that attorney’s fees and costs awarded pursuant to the federal civil
rights statute, 42 U.S.C. § 1988, are not damages, explaining that “Congress is free
to put attorney fees in either category [costs versus damages] . . . but when an act
of Congress unambiguously assigns such fees to one category, the courts are not
free to pretend that Congress has assigned them to the other”). As discussed
above, the investigation costs itemized by Plaintiffs constitute attorney’s fees and
litigation costs, only. Plaintiffs nevertheless argue that “the SCA does not require
actual damages as it provides for statutory damages of no ‘less than the sum of
$1,000.’” (ECF No. 59 at Pg ID 3184 (quoting 18 U.S.C. § 2707(c)).)
The Circuit Courts of Appeals that have addressed whether statutory
damages are recoverable under the SCA absent proof of actual damages have held
that they are not. Domain Prot., LLC v. Sea Wasp, LLC, 23 F.4th 529, 537-38 (5th
17
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3327 Filed 05/25/23 Page 18 of 28
Cir. 2022); Seal v. Peacock, 32 F.4th 1011, 1021-27 (10th Cir. 2022); Vista Mktg.,
LLC v. Burkett, 812 F.3d 954, 965-75 (11th Cir. 2016); Van Alstyne v. Elec.
Scriptorium Ltd., 560 F.3d 199, 205 (4th Cir. 2009); Hovanec v. Miller, 831 F.
App’x 683, 685 (5th Cir. 2020). Those courts relied on the Supreme Court’s
decision in Doe v. Chao, 540 U.S. 614 (2004), where the Court analyzed the
“substantively identical” damages provision in the Privacy Act of 1974, 5 U.S.C.
§ 552a(g)(4), and held that plaintiffs must show they sustained actual damages
before they can recover the statutorily guaranteed minimum of $1,000. Chao, 540
U.S. at 620. A number of district courts also have applied the Supreme Court’s
analysis in Chao to the SCA or otherwise found that the $1,000 in the SCA’s relief
provision is not a separate statutory damage but a floor for an award of actual
damages. See, e.g., Seale, 32 F.4th at 1023 n. 8 (collecting cases); Boane v. Boane,
No. 11-cv-2565, 2022 WL 331015, at *3 (W.D. Tenn. Feb. 3, 2022). On the other
hand, a number of district courts disagree, reasoning that they are “different
statutes, with different purposes, and they penalize different behavior.” See Seale,
32 F.4th at 1024 n. 9 (collecting cases).
The Sixth Circuit has not addressed the issue. The only district court within
the Circuit that has indicated that statutory damages are available even in the
absence of actual damages said so in dicta. Cardinal Health 414, Inc. v. Adams,
582 F. Supp. 2d 967, 975-76 (M.D. Tenn. 2008). This Court is persuaded by the
18
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3328 Filed 05/25/23 Page 19 of 28
decisions of the Circuit Courts that have resolved the issue and adopts the
reasoning from those decisions here.
Unlike the CFAA, however, Plaintiffs’ lack of actual damages does not
doom their SCA claim. Plaintiffs neglect to point this out. But courts uniformly
hold that, even absent actual damages, a prevailing plaintiff may recover punitive
damages and/or attorney’s fees. See, e.g., Seale, 32 F.4th at 1028-29 (“Unlike
statutory damages, the text of the SCA does not connect an award of punitive
damages with a showing of actual damages”); Van Alstyne, 560 F.3d at 209
(same); Vista Mrktg., 812 F.3d at 978 (explaining that “liability under the SCA is a
concept distinct from whether a person is ‘entitled to recover’ actual damages or a
violator’s profits” and thus a plaintiff may still recover punitive damages and/or
attorney’s fees and costs). Thus, the Court turns to the other elements of the claim.
2.
Elements
A person violates the SCA by: (i) “intentionally access[ing] without
authorization” or “intentionally exceed[ing] an authorization to access” (ii) “a
facility through which an electronic communication service is provided” and (iii)
“obtain[ing], alter[ing], or prevent[ing] authorized access to a wire or electronic
communication while it is in electronic storage in such system[.]” 18 U.S.C.
§ 2701(a) (emphasis added). As the italicization above reflects, for purposes of the
SCA, the access at issue is to “a facility.” Thus, the relevant question is, did the
19
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3329 Filed 05/25/23 Page 20 of 28
defendant have authority to access the facility in question or exceed the
authorization the defendant possessed.
The SCA does not define “facility,” although it does define “electronic
communication service” as “any service which provides to users thereof the ability
to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15). It is
clear from the language of the statute, see 18 U.S.C. § 27027(a), that a facility is
distinct from the electronic communication service and the wire or electronic
communications sent or received through that service. “[T]elephone companies,
[i]nternet or e-mail service providers, and bulletin board services” are commonly
recognized facilities within the statute. In re Google Inc. Cookie Placement
Consumer Privacy Litig., 806 F.3d 125, 146 (3d Cir. 2015) (first brackets added)
(citing cases). Most courts hold that personal devices, such as computers, are not. 4
See, e.g., In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1058 (N.D. Cal.
2012); see also Morgan v. Preston, No. 3:13-00403, 2013 WL 5963563, at *5 & n.
3 (M.D. Tenn. Nov. 7, 2013) (holding that the plaintiff’s personal computer was
not covered by the SCA and collecting cases reflecting “the overwhelming body of
law” supporting that conclusion).
Therefore, to the extent Plaintiffs assert that Defendants’ accessed Plaintiffs’
computers, without authorization, this would not support their SCA claim.
4
20
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3330 Filed 05/25/23 Page 21 of 28
Plaintiffs maintain that Defendants lacked authorization or exceeded their
authorization to access Plaintiffs’ email accounts because, pursuant to the APA,
Defendants were obligated to transfer “all of the rights” to the Microsoft Office
365 accounts and the Domain to Conlan Abu. (See ECF No. 48 at Pg ID 1473.)
However, the question is not necessarily who owns the Microsoft Office 365
accounts or the Domain because someone other than, or in addition to, the owner
may have been authorized to access the accounts. Plaintiffs also seem to confuse
what the person had to lack the authority to access for purposes of the SCA
because, as emphasized above, it is the authorization to access the facility (i.e., the
Microsoft Office 365 accounts or its products) that is relevant, not the emails
associated with those accounts. See Cornerstone Consultants, Inc. v. Prod. Input
Sols., LLC, 789 F. Supp. 2d 1029, 1052 (N.D. Iowa 2011) (quoting 18 U.S.C.
§ 2701(a)(1)) (rejecting the plaintiff’s argument that “access to more emails . . .
exceeded expected norms of intended use . . . because the question is not whether
access to particular e-mails was authorized or in excess of authorization, but
whether access to ‘a facility through which an electronic communication service is
provided’ was unauthorized or was in excess of authorization”).
There is no dispute that Massey was the administrator of the Microsoft
Office 365 accounts which housed the @theepicureangroup.com emails accessed
during the state court litigation. Whether or not the rights or licenses to the
21
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3331 Filed 05/25/23 Page 22 of 28
accounts, including the administrative rights, should have been transferred to
Conlan Abu pursuant to the APA is a red herring. The record evidence reflects
that they were not. 5 What is relevant is that Massey undisputedly still held the
administrative rights to the accounts. Massey has indicated that he was never
asked to give up his administrative privileges. (ECF No. 9-4 at Pg ID 1934, ¶ 8.)
There also is no dispute that Massey served as the administrator with Plaintiffs’
knowledge and apparent consent. In fact, Moore and his employees asked Massey,
in his role as the account administrator, to activate and terminate accounts, reset
passwords, and set up email forwarding and sharing. 6
It is Plaintiffs’ burden to prove the elements of their SCA claim, including
that Defendants acted without or exceeded their authorization. See Cornerstone
Consultants, 789 F. Supp. 2d at 1047-08 (citations omitted) (finding that the
Until the Microsoft Office 365 licenses were transferred to Conlan Abu,
Defendants retained ownership of the related accounts. The failure to execute the
transfer might state a breach of the APA but that was the subject of the state court
litigation. In any event, as discussed above, who owned the licenses does not
necessarily determine who was authorized to administer the related accounts.
5
Quoting Massey’s declaration, Plaintiffs assert that he “admittedly, was only
authorized to help with the ‘the termination of employees, new hires, creation of
new accounts, and resetting passwords.’” (ECF No. 59 at Pg ID 3172 (quoting
ECF No. 9-4 at Pg ID 193, ¶ 7).) However, the word “only” does not appear in
Massey’s statement and his declaration in no way suggests that these were the only
functions he was authorized to perform. Instead, Massey simply was providing
examples of the assistance he provided to Plaintiffs in connection with the
Microsoft Office 365 accounts.
6
22
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3332 Filed 05/25/23 Page 23 of 28
without or exceeds authorization in § 2701(a) and the with authorization in the
exception in § 2701(c) are “an integral part of the definition of the claim or
offense”); In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d at 507-508
(same); CreditMax Holdings, LLC v. Kass, No. 11-81056-CIV, 2013 WL
12080227, at *2 (S.D. Fla. Jan. 25, 2013) (collecting cases holding that
authorization is an element of an SCA claim, rather than an affirmative defense,
and thus the plaintiff bears the burden of proof on this issue); Shefts v. Petrakis,
No. 10-cv-1104, 2011 WL 5930469, at *7 n. 10 (C.D. Ill. Nov. 29, 2011) (citing In
re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d at 507) (explaining that it is the
“[p]laintiff’s burden to prove that the access was unauthorized, as the ‘without
authorization’ and ‘exceeds an authorization’ terms are part of the definition of the
wrongdoing itself, and authorized conduct is specifically listed as an exception”).
However, Plaintiffs offer no evidence suggesting that the administrator of the
Microsoft Office 365 accounts lacked the authority to access user data within those
accounts, including emails. Plaintiffs only assert that Defendants were never given
authorization to access any emails. (See, e.g., ECF No. 59 at Pg ID 3183.)
However, first, as indicated above, it is the authority to access the facility
that is relevant not specifically the emails. Second, if an administrator is
automatically authorized to access every aspect of the account, including email
data, no separate or specific authorization as to that information needs to be
23
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3333 Filed 05/25/23 Page 24 of 28
evidenced. Defendants’ evidence reflects that administrators are authorized to
access users’ email and other data. Microsoft’s Privacy Statement in fact provides
the following notice to end users:
If you use a Microsoft product or use an email address to access
Microsoft products and that product or email address was provided
by an organization you are affiliated with, such as an employer or
school, that organization can:
Control and administer your Microsoft product and product
account, including controlling privacy-related settings of the
product or product account.
Access and process your data, including the interaction data,
diagnostic data, and the contents of your communications and files
associated with your Microsoft product and product accounts.
(ECF No. 55-26 at Pg ID 2801-02 (emphasis added).)
Massey also testified that, as administrator, he was able to access the
@theepicureangroup.com emails. (See ECF No. 48-3 at Pg ID 1517-23.)
Plaintiffs argue that “ability” cannot be confused with “authorization” (see, e.g.,
ECF No. 48 at Pg ID 1473); however, the Court is not convinced that there is a
distinction, at least when referring to computer-related access. As anyone who
uses a computer knows—particularly a computer connected to the server of a
business or organization or issued by a business or organization—a user’s
“permissions” dictate what the user can and cannot do. The courts define
“authorization” to mean “‘permission or power granted by an authority.’” LVRC
Holding LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009) (quoting Random
24
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3334 Filed 05/25/23 Page 25 of 28
House Unabridged Dictionary 139 (2001)) (defining term for purposes of the
CFAA); Central Bank & Trust v. Smith, 215 F. Supp. 3d 1226, 1236 (D. Wy.
2016) (finding that the definition in the SCA compares to that in the CFAA);
Sartori v. Schrodt, No. 19-15114, 2021 WL 6060975, at *3 (11th Cir. Dec. 20,
2021) (citation and internal quotation marks omitted) (defining “authorization” for
purposes of the CFAA and SCA as “the state of being authorized” and “authorize
to mean to endorse, empower, justify, or permit by or as if by some recognized or
proper authority”). Massey’s testimony reflects that an administrator of a
Microsoft Office 365 account has the “permissions” to access the emails within the
account. (See, e.g., ECF No. 48-3 at Pg ID 1515 (referring to Dickson’s
“permissions” with respect to the account when asked about Dickson’s
“authorization” to view emails connected to the account).)
Massey also accessed emails from Moore’s non-@theepicurean.com
accounts. However, the evidence reflects that he did so by searching the
Trowbridge Tenant. 7 (ECF No. 55-7 at Pg ID 2621-22; ECF No. 9-4 at Pg ID 194
¶¶ 10-12.) Again, the focus of an SCA claim is the facility, not the
communications, accessed. Defendants have shown that the emails from Moore’s
non-@theepicureangroup.com addresses were attached to calendar items
Plaintiffs appear to concede this, as they describe that Massey’s searches of the
account “also pulled independent emails” from other accounts. (See ECF No. 59 at
Pg ID 3174.)
7
25
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3335 Filed 05/25/23 Page 26 of 28
associated with the Microsoft Office 365 products housed within the Trowbridge
Tenant. (See ECF No. 55-19 at Pg ID 2697-02.) Plaintiffs fail to provide contrary
evidence.
In short, it is Plaintiffs’ burden to present evidence showing that Massey
lacked the authority or exceeded his authority to access the Microsoft Office 365
accounts housing the @theepicureangroup.com emails. Plaintiffs fail to meet that
burden. But even if Plaintiffs succeeded in showing that Massey lacked
authorization or exceeded his authorization, they do not show that he did so
“intentionally.”
To prove their SCA claim, Plaintiffs must show that Defendants had “a
highly culpable state of mind[.]” Cardinal Health 414, 582 F. Supp. 2d at 976
(internal citation omitted). The defendant must have had knowledge that his or her
conduct was unlawful. Pure Power Boot Camp, Inc. v. Warrior Fitness Boot
Camp, LLC, 813 F. Supp. 2d 489, 556 (S.D.N.Y. 2011). Courts have found the
intent element satisfied where the defendant “repeatedly, intentionally, and
knowingly logged onto the e-mail account of [another individual] using [that
individual]’s user name and password.” Id. at 977. Similarly, in Miller v. Meyers,
766 F. Supp. 2d 919 (W.D. Ark. 2011), the plaintiff’s ex-husband was found to
have acted with the requisite state of mind when he used a keylogger program to
26
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3336 Filed 05/25/23 Page 27 of 28
obtain the plaintiff’s passwords and then used those passwords to access her email.
Id. at 923.
Plaintiffs assert that, like the defendant in Cardinal Health, “Defendants
logged onto Moore’s email account without permission and reviewed his emails[.]”
(ECF No. 59 at Pg ID 3187.) But there is no evidence that this is how the emails
were accessed. Defendants did not log directly into Moore’s email account.
Instead, as previously discussed, Massey accessed the emails through the tools
available to the administrator of the Trowbridge Tenant, where the Microsoft
Office 365 accounts resided, and the record evidence reflects only that he believed
he had the permission to do so as administrator of the account. (ECF No. 55-7 at
Pg ID 2623-24.)
For these reasons, the Court concludes that Defendants are entitled to
summary judgment as to the SCA claim, as well.
IV.
Conclusion
Proof of actual damages is necessary to prevail on a claim under the CFAA.
Plaintiffs show only litigation fees and costs resulting from Defendants’ alleged
violation of the statute, which do not qualify as damages. Defendants, therefore,
are entitled to summary judgment with respect to this claim.
The $1,000 referred to in the relief provision of the SCA is not a statutory
damage available in the absence of actual damages. In other words, Plaintiffs’
27
Case 2:20-cv-10747-LVP-APP ECF No. 64, PageID.3337 Filed 05/25/23 Page 28 of 28
failure to show actual damages means they also are not entitled to statutory
damages of $1,000. Plaintiffs still could recover punitive damages, reasonable
attorney’s fees, and other litigation costs reasonably incurred if they establish the
elements of their SCA claim, including that the violation is willful or intentional.
For the reasons discussed above, however, Plaintiffs fail to present facts to support
all of those elements.
Accordingly,
IT IS ORDERED that Plaintiffs’ motion for summary judgment (ECF No.
48) is DENIED.
IT IS FURTHER ORDERED that Defendants’ second motion for
summary judgment (ECF No. 55) is GRANTED.
s/ Linda V. Parker
LINDA V. PARKER
U.S. DISTRICT JUDGE
Dated: May 25, 2023
28
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
