Experian Marketing Solutions, Inc. v. Lehman et al
Filing
42
OPINION ; signed by Judge Robert Holmes Bell (Judge Robert Holmes Bell, kcb)
UNITED STATES DISTRICT COURT
FOR THE WESTERN DISTRICT OF MICHIGAN
SOUTHERN DIVISION
EXPERIAN MARKETING SOLUTIONS, INC.,
Plaintiff,
File No. 1:15-CV-476
v.
HON. ROBERT HOLMES BELL
JEREMY LEHMAN,
THORIUM DATA SCIENCE, LLC,
Defendants.
/
OPINION
This is an action for (1) violation of the Computer Fraud and Abuse Act (“CFAA”),
18 U.S.C. § 1030 et seq.; (2) misappropriation of trade secrets under the Michigan Uniform
Trade Secrets Act (“MUTSA”), Mich. Comp. Laws § 445.1901; (3) breach of contract; (4)
breach of fiduciary duty; and (5) tortious interference with contract.
Plaintiff Experian Marketing Solutions, Inc. (“Experian”) is a marketing-services
company based in Illinois. Defendant Jeremy Lehman is a former employee of Experian
residing in Grand Rapids, Michigan. Defendant Thorium Data Science, LLC (“Thorium”)
is an entity allegedly created by Lehman while he was employed by Experian. On June 18,
2015, the Court entered an opinion and order granting, in part, Experian’s motion for a
preliminary injunction, after determining that Experian had established a substantial
likelihood of success on its claims for misappropriation of trade secrets and breach of
contract. The facts alleged in the complaint are summarized in that opinion (ECF No. 27).
Before the Court is Defendants’ motion to dismiss the complaint for failure to state a claim
(ECF No. 19). Defendants’ motion will be granted in part and denied in part.
I.
In reviewing a Rule 12(b)(6) motion to dismiss, the Court must “‘construe the
complaint in the light most favorable to the plaintiff, accept its allegations as true, and draw
all reasonable inferences in favor of the plaintiff,’” but it “‘need not accept as true legal
conclusions or unwarranted factual inferences.’” Hunter v. Sec’y of U.S. Army, 565 F.3d
986, 992 (6th Cir. 2009) (quoting Jones v. City of Cincinnati, 521 F.3d 555, 559 (6th Cir.
2008)). A complaint must contain “a short and plain statement of the claim showing how
the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). The purpose of this statement is to
“give the defendant fair notice of what the claim is and the grounds upon which it rests.”
Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007).
The complaint need not contain detailed factual allegations, but it must include more
than labels, conclusions, and formulaic recitations of the elements of a cause of action. Id.
“Threadbare recitals of the elements of a cause of action, supported by mere conclusory
statements, do not suffice.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly,
550 U.S. at 555). To survive a motion to dismiss under Rule 12(b)(6), a complaint must
allege facts that “state a claim to relief that is plausible on its face,” and that, if accepted as
2
true, are sufficient to “raise a right to relief above the speculative level.” Twombly, 550 U.S.
at 555, 570.
“The plausibility standard is not akin to a ‘probability requirement,’ but it asks for
more than a sheer possibility that a defendant has acted unlawfully.” Iqbal, 556 U.S. 678.
“A claim is plausible on its face if the ‘plaintiff pleads factual content that allows the court
to draw the reasonable inference that the defendant is liable for the misconduct alleged.’”
Ctr. for Bio-Ethical Reform, Inc. v. Napolitano, 648 F.3d 365, 369 (6th Cir. 2011) (quoting
Iqbal, 556 U.S. at 677). Where a complaint pleads facts that are merely consistent with a
defendant’s liability, it “stops short of the line between possibility and plausibility of
‘entitlement to relief.’” Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 557).
II.
A. General Objection
Defendants assert that the entire complaint should be dismissed because it is an
improper “shotgun” pleading containing thirty-seven pages of allegations, thirteen counts,
and seventy-one exhibits. Shotgun pleadings include those in which “it is virtually
impossible to know which allegations of fact are intended to support which claim(s) for
relief.” Anderson v. Dist. Bd. of Trustees of Cent. Fl. Cmty. Coll., 77 F.3d 364, 366 (11th
Cir. 1996). They make it difficult for the defendant “to discern what the plaintiff is claiming
and to frame a responsive pleading.” Id. Defendants assert that Experian’s complaint puts
3
Defendants and the Court in the difficult position of sifting through numerous allegations
and claims and determining which have factual support.
The Court does not find Plaintiff’s complaint to be improper as a whole. Although
it is lengthy, it is not unmanageable. In most cases, it is not difficult for the Court to discern
what is being claimed or what allegations are relevant to each claim. Moreover, although
many counts are asserted, there are only five types of claims, which are recited at the
beginning of this Opinion. The large number of counts is due, in part, to Plaintiff’s decision
to separate its breach-of-contract claim into separate counts corresponding to different
contract provisions. In this way, Plaintiff has made it easier for Defendants and the Court
to ascertain what is being claimed.
In any event, if Defendants are uncertain about a particular claim, the Federal Rules
provide a remedy; Defendants can move for a more definite statement pursuant to Rule
12(e). See Anderson, 77 F.3d at 366. Thus, the Court is not persuaded that the complaint
should be dismissed in its entirety on account of its length and complexity.
B. Count I: CFAA
Count I of the complaint asserts that Defendants violated the CFAA. Specifically,
Experian alleges that: (1) while Lehman was employed by Experian, he accessed Experian’s
confidential information for a competitive purpose (i.e., to further the work of Thorium), in
violation of his employee agreements and Experian’s code of conduct; (2) after he left
Experian, Lehman retained his company-issued computer and hard drive and accessed them
4
in violation of his employee and separation agreements and Experian’s code of conduct;
(3) Lehman deleted the data on his company-issued hard drive before returning it to
Experian, rendering the data unavailable; (4) Lehman, acting on behalf of Thorium,
instructed Experian employees Trevor Watkins and Amir Behrozi to access Experian’s
computers in order to retrieve its confidential documents and computer source code;
(5) Watkins copied Experian source code onto Thorium’s Google drive account; and
(6) Behrozi and Experian employee Sergey Vladimirov stored Experian source code and
confidential information on their computers for the benefit of Lehman and Thorium.
Experian claims that the foregoing conduct violated the following sections of the
CFAA: 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(4), and 1030(a)(5)(A). Section 1030(a)(2)(C)
prohibits “intentionally access[ing] a computer without authorization or exceed[ing]
authorized access, and thereby obtain[ing] . . . information from a protected computer.” Id.
Section 1030(a)(4) prohibits “knowingly and with intent to defraud, access[ing] a protected
computer without authorization, or exceed[ing] authorized access, and by means of such
conduct further[ing] the intended fraud and obtain[ing] anything of value . . . .” Id. Finally,
§ 1030(a)(5)(A) prohibits “knowingly caus[ing] the transmission of a program, information,
code, or command, and as a result of such conduct, intentionally caus[ing] damage without
authorization, to a protected computer.” Id.
The foregoing sections of the CFAA describe two types of claims: “access” claims
and “transmission” claims. Generally, an access claim involves accessing a computer
5
without authorization, or exceeding authorized access, see 18 U.S.C. §§ 1030(a)(2)(C),
1030(a)(4), whereas a transmission claim involves the transmission of a program or
command that intentionally causes “damage,” see id. at § 1030(a)(5)(A). Most of Experian’s
claims are access claims; one is a transmission claim.
1. Loss
First, Defendants argue that Experian does not state any type of CFAA claim, either
an access claim or a transmission claim, because it has not alleged a loss. Although the
CFAA is primarily a criminal statute, it provides a civil remedy for anyone who “suffers
damage or loss by reason of a violation[.]” 18 U.S.C. § 1030(g). A civil action may only be
brought if the conduct involves one of the “the factors set forth in subclauses (I), (II), (III),
(IV), or (V) of subsection (c)(4)(A)(i).” Id. The only factor that applies here is subclause
(I), which involves “loss to 1 or more persons during any 1-year period . . . aggregating at
least $5,000 in value.” Id. § 1030(c)(4)(A)(i)(I). Thus, in order to state a claim, Experian
must allege a “loss.”
The term “loss” is defined in the statute as:
. . . any reasonable cost to any victim, including the cost of responding to an
offense, conducting a damage assessment, and restoring the data, program,
system, or information to its condition prior to the offense, and any revenue
lost, cost incurred, or other consequential damages incurred because of
interruption of service[.]
18 U.S.C. § 1030(e)(11). Citing this definition, Defendants note that Experian has not
alleged an interruption of service. Such an allegation is not necessary, however. The Sixth
6
Circuit has concluded that the definition of loss in § 1030(e)(11) is “disjunctive”; in other
words, a loss can consist of (1) “any reasonable cost” to the victim, including “responding
to an offense, conducting a damage assessment, and restoring the data, program, system, or
information to its condition prior to the offense,” or (2) the lost revenue and other damages
resulting from an “interruption of service.”
Yoder & Frey Auctioneers, Inc. v.
EquipmentFacts, LLC, 774 F.3d 1065, 1073-74 (6th Cir. 2014). The losses alleged by
Experian fall into the first category, which does not require an interruption of service.
In paragraphs 68-69, 180-181, and 236-241 of the complaint, Experian alleges that
it conducted a damage assessment of Lehman’s hard drive and other devices to attempt to
recover data deleted from that drive and to discover the extent of the information that was
accessed by Lehman or individuals working with Thorium. Experian also hired a third party
to assist with this assessment. These allegations are sufficient to state a loss.
2. Access claims
(a) Lehman’s access during his employment
In one of its access claims, Experian alleges that, while he was still employed by
Experian, Lehman accessed Experian’s information to further the work of Thorium, which
was “unauthorized” in the sense that it was prohibited by Lehman’s employee agreements
and Experian’s internal policies. Experian notes that Lehman was bound by an Experian
Information Security User Acknowledgment and Agreement (“Security Agreement”), which
provides that “use of all Experian computers, software, and devices shall be restricted to the
7
conducting of Experian business.” (Security Agreement, Ex. 3 to Compl.) The Security
Agreement also provides that Experian employees may only “[a]ccess information within the
parameters provided.” (Id.)
The CFAA does not define the phrase “without authorization,” but the Sixth Circuit
has interpreted it to mean “without sanction or permission.” Pulte Homes, Inc. v. Laborers’
Int’l Union of N. Am., 648 F.3d 295, 304 (6th Cir. 2011). In other words, “a person who uses
a computer ‘without authorization’ has no rights, limited or otherwise, to access the computer
in question.” Id. (quoting LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir.
2009)) (emphasis added). Thus, “when an employer authorizes an employee to use a
company computer subject to certain limitations, the employee remains authorized to use the
computer even if the employee violates those limitations.” LVRC Holdings, 581 F.3d at
1133.
Some courts have interpreted the phrase “without authorization” more broadly and
hold that an employee’s access is unauthorized when the employee acts out of an interest that
is adverse to the employer and thereby breaches a duty of loyalty to the employer. See, e.g.,
Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006). Those courts reason
that an employee who breaches a duty of loyalty is not authorized because he is no longer an
agent of the employer. See id. Under this view, the employee’s motive or purpose for
accessing a computer is relevant to determine whether the access was authorized.
8
In at least one other case, this Court has adopted the narrower interpretation. See
Dana Ltd. v. Am. Axle & Mfg. Holdings, Inc., No. 1:10-CV-450, 2012 WL 2524008, at *3
(W.D. Mich. June 29, 2012). Under this interpretation, the employee’s motive and purpose
for accessing the employer’s computer are not relevant, because the CFAA prohibits
“improper ‘access’ [to] computer information, rather than misuse or misappropriation of such
information.” Id. (citing LVRC Holdings, 581 F.3d at 1127). As the Court explained:
The plain language of the CFAA concerns access to a computer rather than the
motive for accessing the computer or the use of the information obtained. See
[Black & Decker (US), Inc. v. Smith, 568 F. Supp. 2d 929, 934–35 (W.D.
Tenn. 2008)]; see also LVRC Holdings, 581 F.3d at 1135 (“The plain language
of the statute therefore indicates that ‘authorization’ depends on actions taken
by the employer. Nothing in the CFAA suggests that a defendant’s liability for
accessing a computer without authorization turns on whether the defendant
breached a state law duty of loyalty to an employer.”). Moreover, because the
CFAA is primarily a criminal statute, the rule of lenity requires any ambiguity
to be resolved in favor of the party accused of violating the law. Black &
Decker, 568 F. Supp. 2d at 935. Federal criminal liability should not be based
on every violation of a private computer use policy. See [United States v.
Nosal, 676 F.3d 854, 859 (9th Cir. 2012)] (noting that criminalizing any
unauthorized use of information obtained from a computer would make
criminals of large groups of people who would have little reason to suspect
they are committing a federal crime). Finally, the legislative history “supports
the conclusion that Congress did not intend the CFAA to extend to situations
where the access was technically authorized but the particular use of the
information was not.” [ReMedPar, Inc. v. AllParts Medical, LLC, 683 F. Supp.
2d 605, 613 (M.D. Tenn. 2010)] (citing Black & Decker, 568 F. Supp. 2d at
935–36). See also, Nosal, 676 F.3d at 858 n.5 (“[T]he legislative history of the
CFAA discusses this anti-hacking purpose, and says nothing about exceeding
authorized use of information . . . .”). These courts also noted that the broad
interpretation “would require an analysis of an individual’s subjective intent
in accessing a computer system, whereas the text of the CFAA calls for only
an objective analysis of whether an individual had sufficient ‘authorization.’”
[Ajuba Int’l, LLC v. Saharia, 871 F. Supp. 2d 671, 687 (E.D. Mich. 2012)]
(quoting United States v. Aleynikov, 737 F. Supp. 2d 173, 193 (S.D.N.Y.
9
2010)). In addition, “an interpretation of the CFAA based upon agency
principles would greatly expand the reach of the CFAA to any employee who
accesses a company’s computer system in a manner that is adverse to her
employer’s interests” and “would convert an ordinary violation of the duty of
loyalty or of a confidentiality agreement into a federal offense.” Id. (quoting
Aleynikov, 737 F. Supp. 2d at 193).
Dana, 2012 WL 2524008, at *4.
The Court affirms and follows the foregoing analysis in Dana for purposes of this
case. Because Lehman was unquestionably authorized to access his work-issued computer
while he was employed by Experian, it does not matter whether he used it for an improper
purpose; he did not access it without authorization. This holds true even if Lehman’s
employee agreement prohibited him from using the computer for non-business purposes.
That leaves the question of whether Experian has adequately alleged that Lehman
“exceed[ed] authorized access” to his computer during his employment. See 18 U.S.C.
§ 1030(a)(2)(C). The CFAA defines “exceeds authorized access” as “access [to] a computer
with authorization and . . . us[ing] such access to obtain or alter information in the computer
that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). Experian
contends that Lehman’s access to Experian data for Thorium-related matters exceeded
authorized access because it violated the Security Agreement.
As with the phrase “without authorization,” there is a split between courts which have
adopted a “narrow” interpretation of “exceeds authorized access” (where the employee’s
purpose for accessing the employer’s information is never relevant), and those which have
adopted a broader interpretation (where the employee’s purpose for accessing information
10
is relevant, especially where the employer’s policies prohibit access for certain purposes).
The Fourth and Ninth Circuits have adopted the “narrow” approach. See WEC Carolina
Energy Solutions LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012); United States v. Nosal,
676 F.3d 854, 863 (9th Cir. 2012) (en banc). The First, Fifth, and Eleventh Circuits have
adopted the “broad” approach. See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577,
583 (1st Cir. 2001) (compiling information available on a public website and providing it to
a competitor exceeds authorized access); United States v. John, 597 F.3d 263 (5th Cir. 2010)
(accessing information on the employer’s computer for criminal purposes exceeds authorized
access); United States v. Rodriguez, 628 F.3d 1258, 1260 (11th Cir. 2010) (accessing
information for non-business reasons exceeds authorized access). The Sixth Circuit has not
taken a position on this issue.
This Court finds the narrow approach to be more persuasive. Many of the same
reasons that support a narrow reading of “without authorization” also support a narrow
reading of “exceeds authorized access.” For instance, the plain language of the statute
focuses solely on the individual’s authorization to obtain or alter information; liability does
not hinge on the individual’s purpose for obtaining access or use for the information
obtained. The statute does not prohibit conduct that “exceeds the purposes” for which access
is granted. See Aleynikov, 737 F. Supp. 2d at 193. Moreover, the individual’s use of the
information after it is obtained “is utterly distinct from whether the access was authorized in
the first place.” Id. at 192.
11
The definition of exceeds authorized access uses different language for authorization
than the phrase “without authorization,” but the difference is not significant; the terms are
synonymous. Nosal, 676 F.3d at 857. To say that a person is “not entitled” to obtain
something is equivalent to saying that he lacks authorization to do so. The relevant
distinction between the two types of unauthorized access is that one refers to unauthorized
access to a computer, whereas the other refers to unauthorized access to particular files or
information on a computer when access to the computer itself is permitted. See id. at 858.
The narrow interpretation is also supported by the purposes of the statute and the rule
of lenity. See Nosal, 676 F.3d at 858 (noting that Congress enacted the CFAA to prevent
hackers from “intentionally trespassing onto someone else’s computer files”) (quoting S.
Rep. No. 99–432, at 9 (1986) (Conf. Rep.)); see also WEC Carolina Energy Solutions, 687
F.3d at 205-06 (applying the rule of lenity); Shamrock Foods Co. v. Gast, 535 F. Supp. 2d
962, 965-67 (D. Ariz. 2008) (same).
The Court’s interpretation is fatal to Experian’s claim regarding Lehman’s access
during his employment. To determine whether a person has exceeded authorized access, the
Court examines whether that person had “any right” to obtain or alter the particular files or
information at issue. Experian’s assertion that Lehman was not authorized to obtain
information on his computer for conducting non-Experian business implies that he was
authorized to obtain it for Experian-related purposes. If so, then he did not exceed authorized
access under the CFAA.
12
Experian cites a recent case from the Eastern District of Michigan in which the court
held that the employer’s policies were relevant to determining whether an employee had
exceeded authorized access to company files. Am. Furukawa, Inc. v. Hossain, __ F. Supp.
3d __, No. 14–cv–13633, 2015 WL 2124794, at *15 (E.D. Mich. May 6, 2015). That case
is distinguishable from this one, however. The defendant in that case allegedly violated his
employer’s policies by downloading files to an external hard drive without permission, even
though he was authorized to access those files. Id. at *10. The court concluded that these
facts stated a CFAA claim because “someone exceeds authorized access by obtaining
information in a prohibited manner, even if the accesser might be entitled to obtain the same
information under other circumstances.” Id. at *14. Unlike that case, Experian has not
alleged that Lehman obtained information in a prohibited manner. Instead, it alleges that he
accessed and obtained information for an improper purpose, i.e., to benefit Thorium. The
Court agrees with the courts of appeal in the Fourth and Ninth Circuits that accessing
information for an improper purpose is not a violation of the CFAA.
Moreover, the analysis in American Furukawa is not persuasive as applied to this
case. To reach its conclusion, the court noted the Sixth Circuit’s statement in Pulte Homes
that, “Under [the] definition [in § 1030(e)(6)], ‘an individual who is authorized to use a
computer for certain purposes but goes beyond those limitations . . . has “exceed[ed]
authorized access.”’” Pulte Homes, 648 F.3d at 304 (quoting LVRC Holdings, 581 F.3d at
1133). This statement certainly suggests that using a computer for an improper purpose
13
would exceed authorized access, but it is dictum. The Sixth Circuit did not rely on this
interpretation of “exceeds authorized access” to resolve that case; instead, it dismissed the
CFAA claim because the plaintiff failed to allege access “without authorization.” Id.
Indeed, the court’s entire discussion of “exceeds authorized access” consists of only this one
statement, which was offered solely for the purpose of contrasting the court’s definition of
access without authorization. See id.
Reliance on this statement in Pulte Homes is also problematic because it lacks context.
The statement originates from the Ninth Circuit’s opinion in LVRC Holdings, which provides
a more developed interpretation of exceeds authorized access later in that opinion.
According to the Ninth Circuit, “a person who exceeds authorized access . . . has permission
to access the computer, but accesses information on the computer that the person is not
entitled to access.” LVRC Holdings, 581 F.3d at 1133 (citation and quotation marks
omitted). This is consistent with what the Court stated above. Thus, the Court does not read
the Sixth Circuit’s statement in Pulte Homes as providing a binding or definitive
interpretation of “exceeds authorized access.”
Next, the court in American Furukawa observed that, in Pulte Homes, “[t]he Sixth
Circuit never indicated that limitations on employee access and use of employer computers
were foreclosed by the CFAA.” 2015 WL 2124794, at *3. This is true, but it does not
resolve the question of how to interpret and apply the statute. The court then characterized
Dana, Nosal, and like-minded cases as holding “that there can be no liability for an
14
individual who violates a computer use policy.” Id. This is an overstatement. Dana and
Nosal hold that access for an improper purpose or use is not a violation of the CFAA, even
if such purposes or uses are prohibited by a computer use policy (assuming that access for
other purposes or uses is permitted). They do not foreclose the possibility that other kinds
of restrictions in a computer use policy might be relevant. For instance, a policy might
identify specific information or files that an employee is never authorized to access. Or, a
policy could state that all authorization to access the company’s computers ceases in certain
circumstances, such as a leave of absence or the termination of employment. A violation of
either of these policies would arguably be a violation of the CFAA. Such policies are not at
issue in this case, however. In short, the Court is not persuaded by the analysis in American
Furukawa. Lehman’s access to his work-issued computer during his employment does not
state a claim.
(b) Lehman’s access to his devices post-employment.
Experian also claims that Lehman is liable under the CFAA for accessing his workissued computer and hard drive after his employment ended. Lehman’s employee agreement
required him to return his laptop upon termination of his employment, but he did not do so.
This claim fails because, as Defendants indicate, Experian does not allege that Lehman
“obtained” any information or anything of value.
See 18 U.S.C. §§ 1030(a)(2)(C),
1030(a)(4). Experian contends that it is reasonable to infer that Lehman accessed his hard
drive because he deleted the data on his hard drive before sending it to Experian. Under the
15
CFAA, however, unauthorized access to a computer is not sufficient to state a claim.
Experian must also allege that Lehman obtained information or something of value. See id.
The closest that Experian comes to making any allegation that Lehman obtained
information on his computer is its assertion that, “[o]n information and belief,” “Lehman
copied the contents of the hard drive to another device before wiping the hard drive and
returning it to Experian.” (Compl. ¶ 179, ECF No. 1.) There are no allegations to support
this assertion. Indeed, Experian concedes that it “does not know what Lehman did with
information stored or contained on [his] computer” during the period of time that he retained
it following his termination from the company. (Pl.’s Resp. to Mot. to Dismiss 8, ECF No.
23.) “The mere fact that [a party] believes something to be true does not create a plausible
inference that it is true.” In re Darvocet, Darvon, & Propoxyphene Prods. Liability Litig.,
756 F.3d 917, 931 (6th Cir. 2014); see also 16630 Southfield Ltd. Partnership v. Flagstar
Bank, FSB, 727 F.3d 502, 506 (6th Cir. 2013) (rejecting allegations based solely on
“information and belief”). Therefore, insofar as Experian’s CFAA claim rests on Lehman’s
access to his computer after his employment ended, its allegations are not sufficient to state
a plausible claim.
(c) Instructing Experian employees to obtain information
Experian also contends that Defendants violated the CFAA when Lehman, acting on
behalf of Thorium, instructed Experian employees Watkins and Behrozi to access Experian’s
confidential information on Experian’s computers.
16
Experian contends that these
circumstances are “analogous to a traditional ‘hacker’ CFAA case,” because Lehman was
using Experian employees “as his tool, like a hacker or trespasser, to breach into [Experian’s]
networks to gain unauthorized access[.]” (Pl.’s Resp. to Mot. to Dismiss 9, ECF No. 23.)
The CFAA permits a civil action against “the violator.” 18 U.S.C. § 1030(g). One
of the necessary elements of an “access” violation is access to a computer. When instructing
Experian’s employees to obtain information, Defendants did not access Experian’s
computers; rather, Experian’s own employees accessed the computers (presumably, with
authorization from Experian). Experian offers no legal authority for the proposition that an
entity or individual can violate the CFAA by obtaining information from a person who has
authorization to access a protected computer. See Dresser-Rand Co. v. Jones, 957 F. Supp.
2d 610, 615 (M.D. Pa. 2013) (finding “no legal basis in the CFAA or otherwise to justify
imputing liability from the individuals who access a computer without authorization to others
who may eventually benefit from their actions”); accord Koninklijke Philips NV v. Elec-Tech
Int’l Co., No. 14-cv-02737-BLF, 2015 WL 1289984, at *4 (N.D. Cal. Mar. 20, 2015)
(holding that “CFAA violations require a person to engage in the hacking, not merely benefit
from its results”). Experian cites American Family Mutual Insurance Co. v. Rickman, 554
F. Supp. 2d 766 (N.D. Ohio 2008), but that case provides no support for its position. See id.
at 772-73 (dismissing the CFAA claim for failure to allege a loss covered by the statute).
17
(d) Copying/retention of information by Watkins, Behrozi &
Vladimirov
Experian also contends that Defendants are liable because Watkins copied Experian’s
source code to Thorium’s Google drive, and Behrozi and Vladimirov stored source code and
confidential information on their computers for the benefit of Defendants. This claim fails
for similar reasons as the claim above. Defendants are not liable merely because they
benefitted from the actions of others.
Absent allegations that Defendants accessed
Experian’s computers without authorization, or exceeded their authorized access, Plaintiff
does not state an access claim against them under the CFAA. For the foregoing reasons,
therefore, Plaintiff’s complaint fails to state an “access” claim under the CFAA.
2. Transmission claim
Experian also claims that Lehman violated 18 U.S.C. §1030(a)(5)(A) when he deleted
all the information on his company-issued hard drive after he left the company. To state a
transmission claim, Experian must allege that Defendant “knowingly cause[d] the
transmission of a program, information, code, or command, and as a result of such conduct,
intentionally cause[d] damage without authorization, to a protected computer.” Id.
Defendants contend that Plaintiff has not sufficiently alleged damage.
Under the CFAA, “any impairment to the integrity or availability of data, a program,
a system, or information” qualifies as “damage.” Id. § 1030(e)(8). Defendants assert that
Experian has not alleged that Lehman’s conduct deprived it of the use of any of its
information. To the contrary, the complaint specifically alleges that Lehman “permanently
18
deleted” files and other data on his hard drive, and when Experian’s consultant attempted to
recover data from those files, it discovered that Lehman had caused “impairment to the
integrity or availability of data in the files.” (Compl. ¶¶ 236, 240.)
Defendants assert that Experian cannot claim damages because the files on Lehman’s
computer were available to it through other means. Some courts, including this one, have
held that “deletion of files alone does not constitute damage if the deleted data is still
available to the plaintiff through other means.” Dana, 2012 WL 2524008, at *5 (citing
Cheney v. IPD Analytics, LLC, No. 08–23188–CIV, 2009 WL 3806171, at *6 (S.D. Fla. Aug.
20, 2009)). In support of its assertion, Defendants cite several paragraphs of the complaint
that are irrelevant because they do not necessarily refer to the data on Lehman’s hard drive.
(See Compl. ¶¶ 129, 232.)
Defendants also cite an exhibit to the complaint, in which Lehman asserts in an email
to Experian’s counsel that Experian did not lose any data because Experian created a “clone”
of his laptop before he left the company. (See Ex. 54 to Compl.) Although the Court is
permitted to consider exhibits attached to the complaint in a motion to dismiss, see Bassett
v. Nat’l Collegiate Athletic Assoc., 528 F.3d 426, 430 (6th Cir. 2008), Lehman’s self-serving
statement in an email to Plaintiff does not establish that the information on his hard drive was
otherwise available to Experian. Consequently, at this stage of the proceedings, the Court
finds that Experian’s allegations suffice to state a transmission claim.
19
C. Count II: Misappropriation of Trade Secrets
Defendants contend that Experian fails to state a misappropriation claim. The Court
addressed the substance of Defendants’ objections in its June 18, 2015 opinion regarding the
preliminary injunction. In short, Experian’s allegations suffice to state a claim.
D. Counts III-XI: Breach of Contract
In connection with his employment, Lehman entered into an Employee Agreement
Regarding Confidential Information, Intellectual Property, Non-Competition and NonSolicitation (“Employee Agreement”) (Ex. 1 to Compl.). In April 2014, after Experian
notified Lehman that he would be terminated, they entered into a Settlement and General
Release (“Settlement Agreement”) (Ex. 4 to Compl.). In Counts III-VI of the complaint,
Experian alleges that Lehman breached the confidentiality, non-solicitation, non-competition,
and return-of-property provisions of the Employee Agreement both during and following the
his employment with Experian. In Counts VII-X of the complaint, Experian alleges that
Lehman breached the confidentiality, non-solicitation, non-competition, and return-ofproperty provisions of the Settlement Agreement. In Count XI, Experian alleges that
Lehman breached a provision in the Settlement Agreement requiring him not to act in a
manner detrimental to the business or reputation of Experian.
Defendants assert that the breach-of-contract claims should be dismissed for several
reasons: (1) Experian has not alleged damages; (2) the restrictive covenants are not
enforceable; and (3) all claims arising under the Employee Agreement should be dismissed
20
because that agreement was superceded by the Settlement Agreement. The first two reasons
were rejected by the Court in its June 18, 2015 opinion regarding the preliminary injunction.
As for the third reason, Defendants note that the Employee Agreement has been
merged into, and superceded by, the Settlement Agreement, which contains the following
provision:
This Agreement constitutes a single, integrated, written contract expressing the
entire understanding between the parties with respect to the subject matter
hereto. No covenants, agreements, representations or warranties of any kind
whatsoever, whether oral, written or implied, have been made by any party
hereto, except as specifically set forth in this Agreement or as expressly
incorporated into this Agreement. All prior discussions, agreements,
understandings and negotiations have been and are merged and integrated into,
and are superseded by, this Agreement.
(Settlement Agreement ¶ 20.) Read in isolation, this provision would appear to render the
Employee Agreement obsolete. But the Settlement Agreement also states the following:
Lehman acknowledges and fully understands that he is obligated to comply
with the terms of the restrictive covenants in the Employee Agreement
Regarding Confidential Information, Intellectual Property, Non-Competition
and Non-Solicitation, which he signed on July 11, 2011, at the commencement
of his employment with Experian. A copy of the Employee Agreement is
attached hereto and is incorporated into this Settlement Agreement and
General Release as if specifically set forth herein.
(Settlement Agreement ¶ 3 (emphasis added).) According to this provision, the Employee
Agreement did not disappear entirely. Rather, its terms were incorporated into the Settlement
Agreement.
Experian asserts that the Settlement Agreement “reaffirms” the Employee Agreement,
but that is not quite accurate. Read together with the merger clause, paragraph 3 of the
21
Settlement Agreement means that there is one “single, integrated, written contract” between
the parties which contains the terms of the Settlement Agreement as well as the terms in the
Employee Agreement. Thus, the Employee Agreement ceased to exist as a standalone
agreement, but its terms have continued on as part of the Settlement Agreement.
Defendants assert that Plaintiff’s contractual claims, if any, are now limited to claims
under the Settlement Agreement. That may be true, but it does not mean that the claims
arising under the Employee Agreement (Counts III-VI) should be dismissed for failure to
state a claim. The covenants on which those counts are based remain in force as part of the
Settlement Agreement. Thus, the Court rejects Defendants’ argument that they should be
dismissed due to the merger clause.
Defendants’ argument implies that the claims arising under the Employee Agreement
(Counts III-VI) should be dismissed because they are duplicative of similar claims arising
under the Settlement Agreement (Counts VII-X). Indeed, there is a significant overlap
between these two groups of claims. For instance, Count IV asserts that Lehman breached
the non-solicitation clause in the Employee Agreement. Similarly, Count VIII asserts that
Lehman breached the non-solicitation covenant in the Settlement Agreement, as
incorporated from the Employee Agreement. Thus, Count VIII arguably covers any claim
that could be asserted under Count IV. On the other hand, it may be the case that Count IV
applies to conduct occurring before the effective date of the Settlement Agreement. The
parties do not expressly address this issue in their briefs, however. Thus, the Court will not
22
address it in this Opinion. In short, at this stage of the proceedings, the Court finds that the
breach-of-contract claims are not subject to dismissal for failure to state a claim.
E. Count XII: Breach of Fiduciary Duty
Count XII of the complaint asserts that Lehman breached his fiduciary duties toward
Experian during his employment. See In re Hanson, 225 B.R. 366, 375 (Bankr. W.D. Mich.
1998) (applying Michigan law and holding that “[t]he common law imposes a duty of loyalty
on employees, forbidding them from taking action contrary to the interests of their
employers”); Restatement (Second) of Agency § 387 (1958) (stating that “[u]nless otherwise
agreed, an agent is subject to a duty to his principal to act solely for the benefit of the
principal in all matters connected with his agency”).
Defendants assert that this claim is preempted by MUTSA to the extent that it relies
upon Lehman’s alleged misappropriation or trade secrets.
See Mich. Comp. Laws
§ 445.1908(1) (“[T]his act displaces conflicting tort, restitutionary, and other law of this state
providing civil remedies for misappropriation of a trade secret.”). Nevertheless, Experian
contends that Lehman breached a duty of loyalty when he engaged in other conduct that is
not related to Experian’s confidential information of trade secrets. According to Experian,
Lehman competed with Experian and/or acted contrary to Experian’s interests during his
employment by: incorporating Thorium; creating a website for Thorium; holding meetings
with other Experian employees about work for Thorium; soliciting Experian employees to
work for Thorium; attending a conference in Las Vegas for the sole purpose of promoting
23
Thorium; and advising Experian employees to submit expense reports to Experian for
attending the conference. Claims based on these activities are not preempted by MUTSA.
Defendants also contend that Plaintiff has not properly alleged damages to state a
claim for breach of a fiduciary duty. Experian does not allege that it lost any revenue,
customers, or employees as a direct result of Lehman’s conduct. However, Experian asserts
that, at a minimum, its damages include the loss of time that Lehman and other Experian
employees spent working for the benefit of Thorium, including attending Thorium meetings
and the conference in Las Vegas during work hours, as well as the travel and lodging
expenses that Experian paid to its employees to attend the conference. Although the Court
questions whether Lehman can be liable for breach of a fiduciary duty based on the conduct
of other Experian employees, the Court is satisfied that the allegations concerning Lehman’s
own conduct suffice to state a claim. Thus, Plaintiff’s motion to dismiss Count XII will be
denied.
F. Count XIII: Tortious Interference with Contract
In Count XIII, Experian contends that Defendants tortiously interfered with its
employee contracts. The elements of such a claim are: “(1) the existence of a contract, (2)
a breach of the contract, and (3) an unjustified instigation of the breach by the defendant.”
Health Call of Detroit v. Atrium Home & Health Care Servs., Inc., 706 N.W.2d 843, 849
(Mich. Ct. App. 2005). Experian alleges that it had “business relationships with its
employees” and an “expectation” that these relationships would continue and would not be
24
“unjustifiably” disrupted. (Compl. ¶ 341, ECF No. 1.) Experian employees Ghahary,
Vladimirov and Frisch allegedly signed agreements with Experian “to protect and to maintain
as confidential [Experian’s] confidential and proprietary information and trade secrets.”
(Compl. ¶ 342.) Experian contends that Lehman was aware of these contracts and business
relationships and that Defendants “interfered” with them. (Id. at ¶ 344.) Experian also
alleges that it has been “injured” by Defendants’ actions. (Id. at ¶ 346.)
Defendants assert that the foregoing allegations do not state a claim because they do
not identify a breach of a contract, let alone a breach caused by Defendants. In response,
Experian contends that Defendants interfered with a “business relationship or expectancy,”
which is a claim distinct from tortious interference with contract. Health Call of Detroit, 706
N.W.2d at 848.
The elements of tortious interference with a business relationship or
expectancy are (1) the existence of a valid business relationship or expectancy
that is not necessarily predicated on an enforceable contract, (2) knowledge of
the relationship or expectancy on the part of the defendant interferer, (3) an
intentional interference by the defendant inducing or causing a breach or
termination of the relationship or expectancy, and (4) resulting damage to the
party whose relationship or expectancy was disrupted.
Id. at 849.
Here, as in Health Call of Detroit, Plaintiff’s claim is titled a claim for interference
with contract, but its allegations blend this type of claim with a claim for interference with
a business relationship. See id. Indeed, in one instance, Experian mixes both theories in the
same sentence, alleging that Defendants interfered with Experian’s “employee agreements,”
25
even though it was aware of Experian’s “relationships and expectancies” with respect to
Experian’s employees. (Compl. ¶ 344.) Blending two different theories is not cause for
dismissal in itself, but it points to a larger problem with the allegations in Count XIII, which
is that the factual basis for this claim is entirely unclear. Is it based on Experian’s employee
contracts, its employee relationships, or both? Which contracts or relationships are at issue?
Moreover, in what manner did Defendants interfere with these contracts or relationships and
what injury did Plaintiff suffer? The Court cannot readily answer these questions by reading
the complaint. Experian apparently expects Defendants to root through the lengthy
allegations of the complaint and try to guess the basis for each element of its claim.
Experian’s contention that its employees signed agreements to maintain the
confidentiality of its information arguably suggests that its claim is based on the fact that
Experian employees disclosed confidential information. As the Court indicated in its June
18, 2015 opinion, however, it is not clear how Defendants instigated such conduct.
Moreover, Defendants contend that such a claim would be preempted by MUTSA. Experian
completely ignores this argument in its response to the motion to dismiss.
Instead, Experian contends that its claim is premised upon something else:
competitive activity by Experian employees who performed work for Thorium. Experian
asserts that Thorium was competitive with Experian, and that by working for Thorium,
Experian employees like Ghahary were violating a clause in their employee agreements
which required them not to “engage in, solicit or perform any work competitive with any
26
Experian line of business . . . .” (Pl.’s Resp. in Opp’n to Mot. to Dismiss 19, ECF No. 23
(quoting Employee Agreement ¶ 11(c), Ex. 6 to Compl., ECF No. 1-6).) The foregoing
argument does not save Plaintiff’s claim, however. Section 11(c) of the employee agreement
prohibits Experian employees from performing competitive work. It does not prohibit them
from working for an entity that might be engaged in competitive activity. Moreover,
Experian does not indicate what work by Ghahary is alleged to be competitive, or how this
conduct caused injury. Corresponding with other employees and attending meetings related
to Thorium is not work that is competitive with an Experian line of business.
Thus, the Court agrees with Defendants that the vague and skeletal allegations in
Count XIII asserting “interference” with Experian’s employee contracts or relationships and
“injury” fail to satisfy the basic pleading standards for stating a tortious-interference claim.
The Court cannot discern which of Plaintiff’s many allegations its claim is based upon and,
thus, the complaint does not provide “fair notice” to Defendant. See Twombly, 550 U.S. at
555. Consequently, Count XIII will be dismissed without prejudice to the filing of an
amended complaint.
III.
In summary, Defendants’ motion to dismiss will be granted in part and denied in part.
Count I of the complaint will be dismissed for failure to state a claim to the extent that it is
based upon improper access to Experian’s computers, or exceeding authorized access to
those computers. In addition, Count XIII will be dismissed for failure to state a claim. In
27
all other respects, the motion will be denied. Plaintiff may file an amended complaint within
30 days of this Opinion to address the deficiencies in its allegations. An order will be entered
that is consistent with this Opinion.
Dated: September 29, 2015
/s/ Robert Holmes Bell
ROBERT HOLMES BELL
UNITED STATES DISTRICT JUDGE
28
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?